redline | cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4

General

Target

cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe
Size

522KB
MD5

aca3922a93091e05d8c87ab6d3f19081
SHA1

f62b7582b6ee1df9e8c86a193c3f33a475f1d9c1
SHA256

cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4
SHA512

36f26fa3acd98e54affbe99023a34838e4498478099d36a54795849f4afb76b73f8796363f87a541c358444fb27438e5042b01d481d864502a7e9ca4ad25a034
SSDEEP

6144:KFy+bnr+Np0yN90QEGAW+TYtT3MlamFPrzTrABtDy320qhCWqNlzVjR2Rl4cR0Us:7MrFy900HuYRzE7rwthhCpJVRwOUhjW

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

jr583920.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr583920.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr583920.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr583920.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr583920.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr583920.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr583920.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3756-157-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-160-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-162-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-158-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-164-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-166-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-168-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-170-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-172-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-174-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-176-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-178-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-180-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-182-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-184-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-186-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-188-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-190-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-192-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-194-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-196-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-198-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-200-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-202-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-204-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-206-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-208-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-210-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-212-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-214-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-216-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-218-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline
behavioral1/memory/3756-220-0x0000000002710000-0x000000000274F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

zigA8082.exejr583920.exeku822521.exelr400736.exe

pid process

2452 zigA8082.exe
3700 jr583920.exe
3756 ku822521.exe
4016 lr400736.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

jr583920.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr583920.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2452	zigA8082.exe
3700	jr583920.exe
3756	ku822521.exe
4016	lr400736.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr583920.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exezigA8082.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zigA8082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zigA8082.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4992 3756 WerFault.exe ku822521.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

jr583920.exeku822521.exelr400736.exe

pid process

3700 jr583920.exe
3700 jr583920.exe
3756 ku822521.exe
3756 ku822521.exe
4016 lr400736.exe
4016 lr400736.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

jr583920.exeku822521.exelr400736.exe

description pid process

Token: SeDebugPrivilege 3700 jr583920.exe
Token: SeDebugPrivilege 3756 ku822521.exe
Token: SeDebugPrivilege 4016 lr400736.exe

pid	pid_target	process	target process
4992	3756	WerFault.exe	ku822521.exe

pid	process
3700	jr583920.exe
3700	jr583920.exe
3756	ku822521.exe
3756	ku822521.exe
4016	lr400736.exe
4016	lr400736.exe

description	pid	process
Token: SeDebugPrivilege	3700	jr583920.exe
Token: SeDebugPrivilege	3756	ku822521.exe
Token: SeDebugPrivilege	4016	lr400736.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exezigA8082.exe

description	pid	process	target process
PID 776 wrote to memory of 2452	776	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe	zigA8082.exe
PID 776 wrote to memory of 2452	776	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe	zigA8082.exe
PID 776 wrote to memory of 2452	776	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe	zigA8082.exe
PID 2452 wrote to memory of 3700	2452	zigA8082.exe	jr583920.exe
PID 2452 wrote to memory of 3700	2452	zigA8082.exe	jr583920.exe
PID 2452 wrote to memory of 3756	2452	zigA8082.exe	ku822521.exe
PID 2452 wrote to memory of 3756	2452	zigA8082.exe	ku822521.exe
PID 2452 wrote to memory of 3756	2452	zigA8082.exe	ku822521.exe
PID 776 wrote to memory of 4016	776	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe	lr400736.exe
PID 776 wrote to memory of 4016	776	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe	lr400736.exe
PID 776 wrote to memory of 4016	776	cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe	lr400736.exe

C:\Users\Admin\AppData\Local\Temp\cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe
"C:\Users\Admin\AppData\Local\Temp\cc61dbca52e96a3cdf83a2c89c61b2cb1624099e5585d6bf55df9bd94dba0da4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigA8082.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigA8082.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr583920.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr583920.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku822521.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku822521.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1636
4⤵
- Program crash
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr400736.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr400736.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3756 -ip 3756
1⤵
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr400736.exe
Filesize
175KB

MD5
82ffb76064efb54d9aba44cbf7ec8f38

SHA1
9564d4aa07ecbd33b96f411a038c5fa78f95c39f

SHA256
db5c6f73d3f84d974c5ef6841d4550600cc2e24e1920b527a27e89012ee249a8

SHA512
069da7fda20383ec492ad36230b8fabe5a850e06279c25134b5ffe9b14f54f0070239c8786fb513519dda103db70b5977addf0bef14863ddd7f6bb195a8b88de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr400736.exe
Filesize
175KB

MD5
82ffb76064efb54d9aba44cbf7ec8f38

SHA1
9564d4aa07ecbd33b96f411a038c5fa78f95c39f

SHA256
db5c6f73d3f84d974c5ef6841d4550600cc2e24e1920b527a27e89012ee249a8

SHA512
069da7fda20383ec492ad36230b8fabe5a850e06279c25134b5ffe9b14f54f0070239c8786fb513519dda103db70b5977addf0bef14863ddd7f6bb195a8b88de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigA8082.exe
Filesize
380KB

MD5
dd63f6f66cea5e8638f926fd7750de28

SHA1
7d8421a907708ad240f7b11b580ecd3c69072752

SHA256
fd305e6037bf023070e7eed5200f41de9d6ffbbc34f6580a4446b980c51d0bc3

SHA512
593d9b8d5d33974cafa80b419448af7d284be5ad28f990fcde7917d0a7c7bf4e22a675ed333115032a405bc20b3d61a60e8c9ca9bcd73599a5bd81fc558891c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigA8082.exe
Filesize
380KB

MD5
dd63f6f66cea5e8638f926fd7750de28

SHA1
7d8421a907708ad240f7b11b580ecd3c69072752

SHA256
fd305e6037bf023070e7eed5200f41de9d6ffbbc34f6580a4446b980c51d0bc3

SHA512
593d9b8d5d33974cafa80b419448af7d284be5ad28f990fcde7917d0a7c7bf4e22a675ed333115032a405bc20b3d61a60e8c9ca9bcd73599a5bd81fc558891c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr583920.exe
Filesize
15KB

MD5
5850ee7a8918feaf8ac776f729a384be

SHA1
d42d27ed3af1f102eed2151b638efb7d861fb9f6

SHA256
012892ae893395649259ee494c25b4216c7a615118b107be9ef0d90315497a84

SHA512
279ca98fde4b1af31165b3a8fcb46f360ed4c03c964ee26a0d9fa3b3d21cfd24106327c9db0111c5c4d591107d710e641682c05764a9d60e0144cf5b64b248a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr583920.exe
Filesize
15KB

MD5
5850ee7a8918feaf8ac776f729a384be

SHA1
d42d27ed3af1f102eed2151b638efb7d861fb9f6

SHA256
012892ae893395649259ee494c25b4216c7a615118b107be9ef0d90315497a84

SHA512
279ca98fde4b1af31165b3a8fcb46f360ed4c03c964ee26a0d9fa3b3d21cfd24106327c9db0111c5c4d591107d710e641682c05764a9d60e0144cf5b64b248a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku822521.exe
Filesize
295KB

MD5
a88363ac536f677ae98f16b2ea6d10e1

SHA1
0ca5d6b0ceae1ed8cad4dfc7920e3aa604eade02

SHA256
479de1dd8b7097fb50e662a3607d834118f86659748e2de442a8d5deadb3972a

SHA512
f995442653ed2e92dae3bb427caea40b9fc809e763f424b65ab97acc70a7c89b366caed919c2993190f91cf0699653beda6091f92dbc480a86e5934ee943e56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku822521.exe
Filesize
295KB

MD5
a88363ac536f677ae98f16b2ea6d10e1

SHA1
0ca5d6b0ceae1ed8cad4dfc7920e3aa604eade02

SHA256
479de1dd8b7097fb50e662a3607d834118f86659748e2de442a8d5deadb3972a

SHA512
f995442653ed2e92dae3bb427caea40b9fc809e763f424b65ab97acc70a7c89b366caed919c2993190f91cf0699653beda6091f92dbc480a86e5934ee943e56a

Download Submit
memory/3700-147-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/3756-153-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/3756-154-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download
memory/3756-155-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-156-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-157-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-160-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-162-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-158-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-164-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-166-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-168-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-170-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-172-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-174-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-176-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-178-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-180-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-182-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-184-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-186-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-188-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-190-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-192-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-194-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-196-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-198-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-200-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-202-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-204-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-206-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-208-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-210-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-212-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-214-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-216-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-218-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-220-0x0000000002710000-0x000000000274F000-memory.dmp

Filesize
252KB

Download
memory/3756-1063-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/3756-1064-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/3756-1065-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3756-1066-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/3756-1067-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-1069-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-1070-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-1071-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-1072-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3756-1073-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3756-1074-0x00000000064B0000-0x0000000006672000-memory.dmp

Filesize
1.8MB

Download
memory/3756-1075-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3756-1076-0x0000000006680000-0x0000000006BAC000-memory.dmp

Filesize
5.2MB

Download
memory/3756-1077-0x0000000006DE0000-0x0000000006E56000-memory.dmp

Filesize
472KB

Download
memory/3756-1078-0x0000000006E70000-0x0000000006EC0000-memory.dmp

Filesize
320KB

Download
memory/4016-1086-0x0000000000EB0000-0x0000000000EE2000-memory.dmp

Filesize
200KB

Download
memory/4016-1087-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/4016-1088-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads