healer | cd6b42df418c54a291b058fd2900cc3d2519376461a9d1a11b108f3a389caab9

General

Target

WX3.exe
Size

916KB
MD5

9ac6079806fb87b0f396b7af773db257
SHA1

ef3ad6fe0aa54146701c57424d0efb6b62abdb6c
SHA256

cd6b42df418c54a291b058fd2900cc3d2519376461a9d1a11b108f3a389caab9
SHA512

3b68b75593d22bec2b12bde480ab7c434a9c47cdc90fc79a23a6744ba7027a376bbce9809b18e09e290627cee122952b8a57598ffcaf4bc38698a19eebc82a63
SSDEEP

12288:2Mrby906ebnGZA2B4FGP25i6A24wVkI3LFacF48DTwWYIierlXPsw1VUyz6WfbVF:tyS92B32Uu4wiAHxPxLnirC

Score

10^/10

healer redline maxi norm dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

maxi

C2

77.91.124.145:4125

Attributes

auth_value
6e90da232d4c2e35c1a36c250f5f8904

Signatures

Detects Healer an antivirus disabler dropper 20 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe	healer
behavioral1/memory/2680-28-0x0000000000900000-0x000000000090A000-memory.dmp	healer
behavioral1/memory/2844-44-0x0000000001DC0000-0x0000000001DDA000-memory.dmp	healer
behavioral1/memory/2844-45-0x0000000002060000-0x0000000002078000-memory.dmp	healer
behavioral1/memory/2844-46-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-47-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-49-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-57-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-65-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-73-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-71-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-69-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-67-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-63-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-61-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-59-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-55-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-53-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2844-51-0x0000000002060000-0x0000000002072000-memory.dmp	healer
behavioral1/memory/2664-2171-0x0000000004A60000-0x0000000004AA0000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

bu035792.execor0582.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0582.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu035792.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2664-2172-0x00000000020E0000-0x0000000002112000-memory.dmp	family_redline
\Windows\Temp\1.exe	family_redline
behavioral1/memory/2140-2183-0x0000000000ED0000-0x0000000000F00000-memory.dmp	family_redline
\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe	family_redline
behavioral1/memory/3012-2192-0x0000000000270000-0x000000000029E000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

Processes:

kina0373.exekina8931.exebu035792.execor0582.exedmO95s84.exe1.exeen015455.exe

pid process

2240 kina0373.exe
2772 kina8931.exe
2680 bu035792.exe
2844 cor0582.exe
2664 dmO95s84.exe
2140 1.exe
3012 en015455.exe

pid	process
2240	kina0373.exe
2772	kina8931.exe
2680	bu035792.exe
2844	cor0582.exe
2664	dmO95s84.exe
2140	1.exe
3012	en015455.exe

Loads dropped DLL 15 IoCs

Processes:

WX3.exekina0373.exekina8931.execor0582.exedmO95s84.exe1.exeen015455.exe

pid	process
2536	WX3.exe
2240	kina0373.exe
2240	kina0373.exe
2772	kina8931.exe
2772	kina8931.exe
2772	kina8931.exe
2772	kina8931.exe
2844	cor0582.exe
2240	kina0373.exe
2240	kina0373.exe
2664	dmO95s84.exe
2664	dmO95s84.exe
2140	1.exe
2536	WX3.exe
3012	en015455.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cor0582.exebu035792.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	cor0582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0582.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	bu035792.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu035792.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WX3.exekina0373.exekina8931.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WX3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina0373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina8931.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bu035792.execor0582.exe

pid process

2680 bu035792.exe
2680 bu035792.exe
2844 cor0582.exe
2844 cor0582.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bu035792.execor0582.exedmO95s84.exe

description pid process

Token: SeDebugPrivilege 2680 bu035792.exe
Token: SeDebugPrivilege 2844 cor0582.exe
Token: SeDebugPrivilege 2664 dmO95s84.exe

pid	process
2680	bu035792.exe
2680	bu035792.exe
2844	cor0582.exe
2844	cor0582.exe

description	pid	process
Token: SeDebugPrivilege	2680	bu035792.exe
Token: SeDebugPrivilege	2844	cor0582.exe
Token: SeDebugPrivilege	2664	dmO95s84.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

WX3.exekina0373.exekina8931.exedmO95s84.exe

description	pid	process	target process
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2536 wrote to memory of 2240	2536	WX3.exe	kina0373.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2240 wrote to memory of 2772	2240	kina0373.exe	kina8931.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2680	2772	kina8931.exe	bu035792.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2772 wrote to memory of 2844	2772	kina8931.exe	cor0582.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2240 wrote to memory of 2664	2240	kina0373.exe	dmO95s84.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2664 wrote to memory of 2140	2664	dmO95s84.exe	1.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe
PID 2536 wrote to memory of 3012	2536	WX3.exe	en015455.exe

C:\Users\Admin\AppData\Local\Temp\WX3.exe
"C:\Users\Admin\AppData\Local\Temp\WX3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0373.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0373.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8931.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8931.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0582.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0582.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmO95s84.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmO95s84.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\en015455.exe
Filesize
168KB

MD5
9d86063fc7de11762516c0e39a895cdc

SHA1
ecab5814409a278e305dda153a7a58f4057f282d

SHA256
24ccce9355286d59cbb8fefc1de4c8115dab62747bf2a868fca792060816f361

SHA512
24a2339d7a8a5a69e3faa641ef65d4dad444a0c637bdc8650120e1c0af73ef8ae002e5ea11b5e2aace495162fd72f42afb6ba843288ac5e252dcdc4af3bf6a5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0373.exe
Filesize
762KB

MD5
f876d8769b0abf367823f01afc87f65a

SHA1
957a66e805c61f60c6b820e2fb8ca67dae3fbed5

SHA256
fbec8ee70fb0156a1c0591f271ce602693d35ce4621e5d588bbe6aa1c44fc487

SHA512
c4dc20b2aa8878d4f359b05af51c976f43b47581d69aa2e602f5df7cf9d41f65b241c49801c667298768632d4116d6c567512b369bfe88119a881ebaf705638c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmO95s84.exe
Filesize
417KB

MD5
9f440200db1ef238efcf4f1d486d5b4f

SHA1
d6f3608fed2cfd6fce641d67462e6c85705b93dc

SHA256
2b25c6ba02dbb797af2a65d358543b64627ebcc16a8f5361ba18a95402e7f434

SHA512
48a311c11713bcd1bc6f28defc17dfee6c612da2fa659549335eea549b8b9da7169ca842480c96d7757644c42f504caad086c1085132e595c5073ac29ee65e32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8931.exe
Filesize
315KB

MD5
d7b3fd8dc7bee73705a82a30f37d2021

SHA1
eb6e8d763a83a08ff7f5dcfdbd89911419651901

SHA256
1a60fc409319e0d1b88870ad787512c4926f6a667a7576859238aa2b93143829

SHA512
45bc46c550b254c3f160020c51c0f835d929def6ccba0b38f2562285fba212961267dbbfa92a11120232c1d6f46f4b97b1ae4c45e6e977b2f7877dc809135113

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu035792.exe
Filesize
12KB

MD5
1cd26b99e5e0ac90baa24c25deb05985

SHA1
fe2d38868cfabd33ea06b30b2c8362d53f5d841e

SHA256
b33847e5d19af70672a49b8a34d1ba576fdc4f054835dfe6f424441b2caa9a72

SHA512
889f3724d758a55f7f17b61d74e04a0392765ddf8f03acaceca2317affb7c34a655efee18c14c3a52f67e6a0bc33521b686acebc10dcfb7fa128e72b326baddb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor0582.exe
Filesize
233KB

MD5
93915da06ce64c4f01792696d8bac219

SHA1
ab0245ba9fee65cc76ea21f8ca52d7b74ee39eae

SHA256
34111d4f8888f21f4090d2321aa9aa8e4568916aef0f640523c95592efdef514

SHA512
4c2c7b547bd19bdf1713ded521155d68546fb867428b7bc2d8f49aedf66dabf61d14d9199ec7698c01b4f8f3f8fbae16b29a2ef092027228cba6daa8e68807a2

Download Submit
\Windows\Temp\1.exe
Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2140-2185-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2140-2183-0x0000000000ED0000-0x0000000000F00000-memory.dmp

Filesize
192KB

Download
memory/2664-108-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-120-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-2184-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2664-2182-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2664-2172-0x00000000020E0000-0x0000000002112000-memory.dmp

Filesize
200KB

Download
memory/2664-2171-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2664-124-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-122-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-118-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-116-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-114-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-112-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-110-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-106-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-104-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-102-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-100-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-98-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-96-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-94-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-88-0x0000000000310000-0x000000000036B000-memory.dmp

Filesize
364KB

Download
memory/2664-87-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/2664-86-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2664-90-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/2664-89-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2664-91-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2664-92-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2680-30-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-28-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/2680-29-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-73-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-65-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-59-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-61-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-63-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-67-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-42-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/2844-69-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-71-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-43-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-44-0x0000000001DC0000-0x0000000001DDA000-memory.dmp

Filesize
104KB

Download
memory/2844-55-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-57-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-49-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-47-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-41-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2844-53-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-46-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-51-0x0000000002060000-0x0000000002072000-memory.dmp

Filesize
72KB

Download
memory/2844-45-0x0000000002060000-0x0000000002078000-memory.dmp

Filesize
96KB

Download
memory/2844-75-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3012-2192-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/3012-2193-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads