redline | 936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7

General

Target

936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe
Size

522KB
MD5

69ec20ec7b6164a6bee53aa143a47d45
SHA1

e89346337ad1403eadadc5a746634fff8e785c68
SHA256

936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7
SHA512

953b42d685d00b89a473c9a398eb6e3c17b62aeeae65ab43a18812b18fad486a364ede2b8762d09b742fd7b14577dbbde087febd7e42c90cfe3388c63cce9e06
SSDEEP

12288:9Mrdy90gmeqC0HLu4q7rwM8hC3JopfPRXVrXNTvjc5:syseq1LDq7j8Y32fPVJNTw

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

jr940092.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr940092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr940092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr940092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr940092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr940092.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr940092.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3976-157-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-158-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-160-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-162-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-164-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-166-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-168-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-170-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-172-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-174-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-176-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-178-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-180-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-182-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-186-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-184-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-188-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-190-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-192-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-194-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-196-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-198-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-200-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-202-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-204-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-206-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-208-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-210-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-212-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-214-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-216-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-218-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline
behavioral1/memory/3976-220-0x00000000051E0000-0x000000000521F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

zibz6231.exejr940092.exeku696051.exelr498271.exe

pid process

4480 zibz6231.exe
4024 jr940092.exe
3976 ku696051.exe
3744 lr498271.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

jr940092.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr940092.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4480	zibz6231.exe
4024	jr940092.exe
3976	ku696051.exe
3744	lr498271.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr940092.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zibz6231.exe936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zibz6231.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zibz6231.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4908 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4676 3976 WerFault.exe ku696051.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

jr940092.exeku696051.exelr498271.exe

pid process

4024 jr940092.exe
4024 jr940092.exe
3976 ku696051.exe
3976 ku696051.exe
3744 lr498271.exe
3744 lr498271.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

jr940092.exeku696051.exelr498271.exe

description pid process

Token: SeDebugPrivilege 4024 jr940092.exe
Token: SeDebugPrivilege 3976 ku696051.exe
Token: SeDebugPrivilege 3744 lr498271.exe

pid	process
4908	sc.exe

pid	pid_target	process	target process
4676	3976	WerFault.exe	ku696051.exe

pid	process
4024	jr940092.exe
4024	jr940092.exe
3976	ku696051.exe
3976	ku696051.exe
3744	lr498271.exe
3744	lr498271.exe

description	pid	process
Token: SeDebugPrivilege	4024	jr940092.exe
Token: SeDebugPrivilege	3976	ku696051.exe
Token: SeDebugPrivilege	3744	lr498271.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exezibz6231.exe

description	pid	process	target process
PID 2696 wrote to memory of 4480	2696	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe	zibz6231.exe
PID 2696 wrote to memory of 4480	2696	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe	zibz6231.exe
PID 2696 wrote to memory of 4480	2696	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe	zibz6231.exe
PID 4480 wrote to memory of 4024	4480	zibz6231.exe	jr940092.exe
PID 4480 wrote to memory of 4024	4480	zibz6231.exe	jr940092.exe
PID 4480 wrote to memory of 3976	4480	zibz6231.exe	ku696051.exe
PID 4480 wrote to memory of 3976	4480	zibz6231.exe	ku696051.exe
PID 4480 wrote to memory of 3976	4480	zibz6231.exe	ku696051.exe
PID 2696 wrote to memory of 3744	2696	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe	lr498271.exe
PID 2696 wrote to memory of 3744	2696	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe	lr498271.exe
PID 2696 wrote to memory of 3744	2696	936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe	lr498271.exe

C:\Users\Admin\AppData\Local\Temp\936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe
"C:\Users\Admin\AppData\Local\Temp\936e922ab82aaa3edbcff6321a8fb80622110385ef7c90676e6dbd3d367c1df7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibz6231.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibz6231.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr940092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr940092.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696051.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696051.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1468
4⤵
- Program crash
PID:4676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr498271.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr498271.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 3976
1⤵
PID:4100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr498271.exe
Filesize
175KB

MD5
f544949b9cb347f08dbe503798b913bc

SHA1
85cb0b36ca3d73a58b0224bf2795020103907a7d

SHA256
74657e60eb9964b1dea61b0f46cdf0a875ede9e052259f641c86e286452bf7e0

SHA512
62d05b8a50b43e2e9bd2631120fef442e4a1edcf6b5f1ec55b07f40cb5e992e391a09d1b139616b9209d1e7b0259b3780e6e6462688ba756e3d59ffe86870c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr498271.exe
Filesize
175KB

MD5
f544949b9cb347f08dbe503798b913bc

SHA1
85cb0b36ca3d73a58b0224bf2795020103907a7d

SHA256
74657e60eb9964b1dea61b0f46cdf0a875ede9e052259f641c86e286452bf7e0

SHA512
62d05b8a50b43e2e9bd2631120fef442e4a1edcf6b5f1ec55b07f40cb5e992e391a09d1b139616b9209d1e7b0259b3780e6e6462688ba756e3d59ffe86870c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibz6231.exe
Filesize
380KB

MD5
03d07c715df49b579cc68998060fb276

SHA1
f1eaad9f9371beb79a5f1ffdfe290785bf21a674

SHA256
6f48fd7e33de00b5e4aebd9c3b47f93a243f8dd9015a5e73b1f81c7105558969

SHA512
84de874f9b64abe897955d55133a80772e7d7f7f5edf9d42f8be987750774c18047211413b5f7d84c5fb0ad9a9a219f4b4e74fce51ea6f1dd23c47d096a0246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibz6231.exe
Filesize
380KB

MD5
03d07c715df49b579cc68998060fb276

SHA1
f1eaad9f9371beb79a5f1ffdfe290785bf21a674

SHA256
6f48fd7e33de00b5e4aebd9c3b47f93a243f8dd9015a5e73b1f81c7105558969

SHA512
84de874f9b64abe897955d55133a80772e7d7f7f5edf9d42f8be987750774c18047211413b5f7d84c5fb0ad9a9a219f4b4e74fce51ea6f1dd23c47d096a0246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr940092.exe
Filesize
15KB

MD5
00f9285fb878a2556e3470f0e8b66a93

SHA1
955af7d601f7305a40ec9192c86d88554811111e

SHA256
d4cdf2c20cfd3a009d88a55053d1e7e4a6631b1dacb3852d7a59f01e61af49f6

SHA512
8d19c1494e72e26a08e92da20b84a8b16d1e1f956789d973ca9754323fd10976ba95d26cfa9e73746586da8427fc0477c8890252b0bbfc57b43ff183bc7cdf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr940092.exe
Filesize
15KB

MD5
00f9285fb878a2556e3470f0e8b66a93

SHA1
955af7d601f7305a40ec9192c86d88554811111e

SHA256
d4cdf2c20cfd3a009d88a55053d1e7e4a6631b1dacb3852d7a59f01e61af49f6

SHA512
8d19c1494e72e26a08e92da20b84a8b16d1e1f956789d973ca9754323fd10976ba95d26cfa9e73746586da8427fc0477c8890252b0bbfc57b43ff183bc7cdf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696051.exe
Filesize
295KB

MD5
6ee6c29444fad26be4934039eda8e16f

SHA1
f5fd795b775baab673addc46212b0c5917c31d4b

SHA256
37b749dd3108c70df1a7626a34e6a5ec95d3f8a1227133de0064a71e9be02019

SHA512
a908338411e8a8c9d8084a1fcfb01f37383aced6b460ec380b1171856a9bf421ff93fb56dd5c21e9707d123fc412176fccfd0bbb31d9f277c3df53ac119bbf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696051.exe
Filesize
295KB

MD5
6ee6c29444fad26be4934039eda8e16f

SHA1
f5fd795b775baab673addc46212b0c5917c31d4b

SHA256
37b749dd3108c70df1a7626a34e6a5ec95d3f8a1227133de0064a71e9be02019

SHA512
a908338411e8a8c9d8084a1fcfb01f37383aced6b460ec380b1171856a9bf421ff93fb56dd5c21e9707d123fc412176fccfd0bbb31d9f277c3df53ac119bbf8e

Download Submit
memory/3744-1086-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/3744-1087-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/3976-194-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-204-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-156-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-157-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-158-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-160-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-162-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-164-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-166-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-168-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-170-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-172-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-174-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-176-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-178-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-180-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-182-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-186-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-184-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-188-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-190-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-192-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-154-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/3976-196-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-198-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-200-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-202-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-155-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-206-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-208-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-210-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-212-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-214-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-216-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-218-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-220-0x00000000051E0000-0x000000000521F000-memory.dmp

Filesize
252KB

Download
memory/3976-1063-0x0000000005220000-0x0000000005838000-memory.dmp

Filesize
6.1MB

Download
memory/3976-1064-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/3976-1065-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/3976-1066-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/3976-1067-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-1069-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/3976-1070-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-1071-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-1072-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-1073-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3976-1074-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3976-1075-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3976-1076-0x00000000066F0000-0x00000000068B2000-memory.dmp

Filesize
1.8MB

Download
memory/3976-153-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/3976-1077-0x00000000068D0000-0x0000000006DFC000-memory.dmp

Filesize
5.2MB

Download
memory/3976-1079-0x0000000007290000-0x0000000007306000-memory.dmp

Filesize
472KB

Download
memory/3976-1080-0x0000000007310000-0x0000000007360000-memory.dmp

Filesize
320KB

Download
memory/4024-147-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads