redline | 6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2

Analysis

max time kernel
151s
max time network
137s
platform
windows10_x64
resource
win10-en
submitted
07-09-2021 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
Size

247KB
MD5

db202ffaa07264fe2ffaa07fc03a44b4
SHA1

a15a2cf915b675a36f93e91798cd81cc4c2d11d6
SHA256

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2
SHA512

9a2f178a0c31f33dd91ae6a0f6cd65448c8cd65d7692ba91108fad9a8abe5817046e4890935877b439704667da97880c6e90b44d42c02ad6e57b0c1ce729cb7c

Score

10^/10

redline smokeloader zzzzz backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Extracted

Family

redline

Botnet

Zzzzz

185.167.97.37:30904

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4148-183-0x0000000001100000-0x0000000001122000-memory.dmp	family_redline
behavioral1/memory/4148-193-0x00000000054D0000-0x0000000005AD6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1820-125-0x000000001CD60000-0x000000001CF87000-memory.dmp	Core1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

5672.exe59B0.exe624C.exe673E.exeVersato.exe.comVersato.exe.comRegAsm.exe

pid process

1820 5672.exe
1444 59B0.exe
2312 624C.exe
3908 673E.exe
2044 Versato.exe.com
4076 Versato.exe.com
4148 RegAsm.exe

pid	process
1820	5672.exe
1444	59B0.exe
2312	624C.exe
3908	673E.exe
2044	Versato.exe.com
4076	Versato.exe.com
4148	RegAsm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

624C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	624C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	624C.exe

Deletes itself 1 IoCs

Processes:

pid process

2112
Drops startup file 1 IoCs

Processes:

Versato.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TmpVRlruOk.url Versato.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2112

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TmpVRlruOk.url	Versato.exe.com

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\624C.exe	themida
C:\Users\Admin\AppData\Local\Temp\624C.exe	themida
behavioral1/memory/2312-144-0x0000000001210000-0x0000000001211000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5672.exe673E.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\mnau3y13masd132.exe = "C:\\Users\\Admin\\AppData\\Roaming\\mnau3y13masd132.exe"	5672.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	673E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	673E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

624C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 624C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

624C.exe

pid process

2312 624C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	624C.exe

pid	process
2312	624C.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe5672.exeVersato.exe.com

description	pid	process	target process
PID 3332 set thread context of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 1820 set thread context of 3560	1820	5672.exe	explorer.exe
PID 4076 set thread context of 4148	4076	Versato.exe.com	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2224 1444 WerFault.exe 59B0.exe

pid	pid_target	process	target process
2224	1444	WerFault.exe	59B0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exeexplorer.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3996 PING.EXE

pid	process
3996	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe

pid	process
2796	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
2796	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112
2112

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2112
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exeexplorer.exe

pid process

2796 6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
3560 explorer.exe
2112
2112

pid	process
2112

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

59B0.exe624C.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeDebugPrivilege	1444	59B0.exe
Token: SeDebugPrivilege	2312	624C.exe
Token: SeRestorePrivilege	2224	WerFault.exe
Token: SeBackupPrivilege	2224	WerFault.exe
Token: SeDebugPrivilege	2224	WerFault.exe
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112
Token: SeCreatePagefilePrivilege	2112
Token: SeShutdownPrivilege	2112

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

Versato.exe.comVersato.exe.com

pid	process
2044	Versato.exe.com
2112
2112
2044	Versato.exe.com
2044	Versato.exe.com
2112
2112
4076	Versato.exe.com
2112
2112
4076	Versato.exe.com
4076	Versato.exe.com
2112
2112

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Versato.exe.comVersato.exe.com

pid process

2044 Versato.exe.com
2044 Versato.exe.com
2044 Versato.exe.com
4076 Versato.exe.com
4076 Versato.exe.com
4076 Versato.exe.com
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2112

pid	process
2112

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe5672.exe673E.execmd.execmd.exeVersato.exe.comVersato.exe.com

description	pid	process	target process
PID 3332 wrote to memory of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 3332 wrote to memory of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 3332 wrote to memory of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 3332 wrote to memory of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 3332 wrote to memory of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 3332 wrote to memory of 2796	3332	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
PID 2112 wrote to memory of 1820	2112		5672.exe
PID 2112 wrote to memory of 1820	2112		5672.exe
PID 2112 wrote to memory of 1444	2112		59B0.exe
PID 2112 wrote to memory of 1444	2112		59B0.exe
PID 2112 wrote to memory of 1444	2112		59B0.exe
PID 1820 wrote to memory of 3560	1820	5672.exe	explorer.exe
PID 1820 wrote to memory of 3560	1820	5672.exe	explorer.exe
PID 1820 wrote to memory of 3560	1820	5672.exe	explorer.exe
PID 1820 wrote to memory of 3560	1820	5672.exe	explorer.exe
PID 1820 wrote to memory of 3560	1820	5672.exe	explorer.exe
PID 1820 wrote to memory of 3560	1820	5672.exe	explorer.exe
PID 2112 wrote to memory of 2312	2112		624C.exe
PID 2112 wrote to memory of 2312	2112		624C.exe
PID 2112 wrote to memory of 2312	2112		624C.exe
PID 2112 wrote to memory of 3908	2112		673E.exe
PID 2112 wrote to memory of 3908	2112		673E.exe
PID 2112 wrote to memory of 3908	2112		673E.exe
PID 3908 wrote to memory of 828	3908	673E.exe	dllhost.exe
PID 3908 wrote to memory of 828	3908	673E.exe	dllhost.exe
PID 3908 wrote to memory of 828	3908	673E.exe	dllhost.exe
PID 3908 wrote to memory of 440	3908	673E.exe	cmd.exe
PID 3908 wrote to memory of 440	3908	673E.exe	cmd.exe
PID 3908 wrote to memory of 440	3908	673E.exe	cmd.exe
PID 440 wrote to memory of 2824	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 2824	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 2824	440	cmd.exe	cmd.exe
PID 2824 wrote to memory of 2612	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 2612	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 2612	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 2044	2824	cmd.exe	Versato.exe.com
PID 2824 wrote to memory of 2044	2824	cmd.exe	Versato.exe.com
PID 2824 wrote to memory of 2044	2824	cmd.exe	Versato.exe.com
PID 2824 wrote to memory of 3996	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 3996	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 3996	2824	cmd.exe	PING.EXE
PID 2044 wrote to memory of 4076	2044	Versato.exe.com	Versato.exe.com
PID 2044 wrote to memory of 4076	2044	Versato.exe.com	Versato.exe.com
PID 2044 wrote to memory of 4076	2044	Versato.exe.com	Versato.exe.com
PID 2112 wrote to memory of 4116	2112		explorer.exe
PID 2112 wrote to memory of 4116	2112		explorer.exe
PID 2112 wrote to memory of 4116	2112		explorer.exe
PID 2112 wrote to memory of 4116	2112		explorer.exe
PID 4076 wrote to memory of 4148	4076	Versato.exe.com	RegAsm.exe
PID 4076 wrote to memory of 4148	4076	Versato.exe.com	RegAsm.exe
PID 4076 wrote to memory of 4148	4076	Versato.exe.com	RegAsm.exe
PID 4076 wrote to memory of 4148	4076	Versato.exe.com	RegAsm.exe
PID 4076 wrote to memory of 4148	4076	Versato.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
"C:\Users\Admin\AppData\Local\Temp\6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
"C:\Users\Admin\AppData\Local\Temp\6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2796

C:\Users\Admin\AppData\Local\Temp\5672.exe
C:\Users\Admin\AppData\Local\Temp\5672.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3560

C:\Users\Admin\AppData\Local\Temp\59B0.exe
C:\Users\Admin\AppData\Local\Temp\59B0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1668
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\624C.exe
C:\Users\Admin\AppData\Local\Temp\624C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\AppData\Local\Temp\673E.exe
C:\Users\Admin\AppData\Local\Temp\673E.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Gia.mp3
2⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CSBfBxeJtRnGYDtOYiuftASpEnuDCCqwzUhWlIXdUdKFIPPXatwfwfBwZaKegniBRvhrdiEfpQxNQhAPJokbAKZrzkXRXVwcpoNkBLGkALukUNkMRVzyhJquvp$" Essere.mp3
4⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
Versato.exe.com g
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com g
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
6⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:3996

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5672.exe
MD5
482ab6ea0fe0ad6bfb42522c807a7fab

SHA1
cf6f9774adbda6c7c6af322482a79b5969983437

SHA256
1a01188d279bb62f8a821309d348e1e95713aaa446075bd796e113ce143e3246

SHA512
c3f5e7f19a0bf9b2e6368323ecb99f14da0726c7d5a8222333bf2e6dd97f112089c15172f6aaed89b8a3203ddc58ecba3ea1148ec415fb397a40c0ca8657350a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5672.exe
MD5
482ab6ea0fe0ad6bfb42522c807a7fab

SHA1
cf6f9774adbda6c7c6af322482a79b5969983437

SHA256
1a01188d279bb62f8a821309d348e1e95713aaa446075bd796e113ce143e3246

SHA512
c3f5e7f19a0bf9b2e6368323ecb99f14da0726c7d5a8222333bf2e6dd97f112089c15172f6aaed89b8a3203ddc58ecba3ea1148ec415fb397a40c0ca8657350a

Download Submit
C:\Users\Admin\AppData\Local\Temp\59B0.exe
MD5
54e4176aa7edcbc7ed79e0080422998e

SHA1
8ef9a69f2c910e8ff240969800d8972689fa4d7d

SHA256
9607df8f5c805b50ebd812273fe7a4018a7b344b6ac7a01996e3f7f9edd82221

SHA512
7d7af452453146078c49c68fd53ee1003d6809331dfe61d41d39f4d37359d830c28cb2e39c9014d45660d7ff6a79dd0427bc043485b1400cbe8a71bf717b2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\59B0.exe
MD5
54e4176aa7edcbc7ed79e0080422998e

SHA1
8ef9a69f2c910e8ff240969800d8972689fa4d7d

SHA256
9607df8f5c805b50ebd812273fe7a4018a7b344b6ac7a01996e3f7f9edd82221

SHA512
7d7af452453146078c49c68fd53ee1003d6809331dfe61d41d39f4d37359d830c28cb2e39c9014d45660d7ff6a79dd0427bc043485b1400cbe8a71bf717b2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\624C.exe
MD5
b9e19795828ab13d5aea6d4b90902c5f

SHA1
3d1fa613d002792deff337a0ef269de793772258

SHA256
1ea15e130e84fbf7f47973b4b593264a7b293bb5590328210c82e1f12a71c13a

SHA512
85d84c0d84e49df0cd92f905d217cc7ae5814c57de9ddd4969f2fc41f61018d8c7130b2a4f046883f3d6929a8465efa2a917b2538141c5a2b60345efc9f74412

Download Submit
C:\Users\Admin\AppData\Local\Temp\624C.exe
MD5
b9e19795828ab13d5aea6d4b90902c5f

SHA1
3d1fa613d002792deff337a0ef269de793772258

SHA256
1ea15e130e84fbf7f47973b4b593264a7b293bb5590328210c82e1f12a71c13a

SHA512
85d84c0d84e49df0cd92f905d217cc7ae5814c57de9ddd4969f2fc41f61018d8c7130b2a4f046883f3d6929a8465efa2a917b2538141c5a2b60345efc9f74412

Download Submit
C:\Users\Admin\AppData\Local\Temp\673E.exe
MD5
9d34489b28093f8041a0f396f88507ca

SHA1
d150a771aa0a0da4d698dd3b21c1fffaf064cd1c

SHA256
1bc8c25c47dc2b93edd0b858afe89b1da4f4a8e9caeae862f2ce709031cfaa71

SHA512
d29d619e6727362beda2a520e5742b44dd0f1660817be8549d3511b9e755f697433e0da917d2c5e2a9626262ef55fa6c9b240002195e6046c498e1b032f2fa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Alta.mp3
MD5
0862078bc943d82b2a19e2c42f7c0b15

SHA1
7767feb2e3bbe9e2025302964be82e709347f27d

SHA256
462023517b8204ac9a796d4132cde2d550dd153c3b9fd1838ae545f26ea70638

SHA512
ba2041b6c6dae398ce0c3fc6389810db3135ae8188e40dfb4f3e53fd016c57d4f75ee12f874ffffa872e57f873c9864b7d573cbc48186873f037ef9646dcf89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Essere.mp3
MD5
7fc4287df04cf93bfdb965ed0957f76e

SHA1
a1b1a6dce462d604a779b698d68c3794176202a8

SHA256
53b46b1c3ab80b003fff8ee3c6e6391b5e44e78145aacf0569cc79c1786af482

SHA512
4aecdf3cecf3d5901b44c3ae6f170f806931dc6a334598b15a6ae91f2ab842b9e733c25a18e5c00e1b7f956ce820970e2dbad11b797dc669c0939b348a6ca770

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gia.mp3
MD5
1a585f778eeced5cf7b28ad82c7e5ae1

SHA1
f9d14529790064528ca53865ac61542a3071d3f1

SHA256
213968e88d7a52b444f7681ac58050ab13a6f8f2044b7ca2b15d93af88904bca

SHA512
77db1aa38bbfe146799c4234dc4012a6098f67c9950572c7db0cadfdd945953b9a38ddd837b06efbadd8cbf3e167cd7f1c0d18a33d28c81020b0e8b9ca11c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nell.mp3
MD5
69a61edc4f1ce200d69583b41f2201a1

SHA1
4e9ab549e0d73eb73faecbafc5261e59eb0ed73f

SHA256
952fd758fa7ffbea320756ad28b6353776de799f0bbffe159e06fd951ba6348d

SHA512
4306290f059c70939c36fb3d69268c3d29fa4d0bf92c2cc4145ca608b4ce11a543506df84af4772f9bbd386921973cd77c47a34caa29c072594153f9ae27ecf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g
MD5
0862078bc943d82b2a19e2c42f7c0b15

SHA1
7767feb2e3bbe9e2025302964be82e709347f27d

SHA256
462023517b8204ac9a796d4132cde2d550dd153c3b9fd1838ae545f26ea70638

SHA512
ba2041b6c6dae398ce0c3fc6389810db3135ae8188e40dfb4f3e53fd016c57d4f75ee12f874ffffa872e57f873c9864b7d573cbc48186873f037ef9646dcf89c

Download Submit
memory/440-155-0x0000000000000000-mapping.dmp

Download
memory/828-154-0x0000000000000000-mapping.dmp

Download
memory/1444-175-0x0000000004950000-0x0000000004E4E000-memory.dmp

Filesize
5.0MB

Download
memory/1444-139-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1444-137-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1444-177-0x0000000005850000-0x000000000587F000-memory.dmp

Filesize
188KB

Download
memory/1444-129-0x0000000000000000-mapping.dmp

Download
memory/1820-126-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/1820-127-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1820-128-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1820-125-0x000000001CD60000-0x000000001CF87000-memory.dmp

Filesize
2.2MB

Download
memory/1820-124-0x000000001C210000-0x000000001C4EE000-memory.dmp

Filesize
2.9MB

Download
memory/1820-122-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1820-119-0x0000000000000000-mapping.dmp

Download
memory/1820-136-0x0000000000CD0000-0x0000000000CD2000-memory.dmp

Filesize
8KB

Download
memory/2044-164-0x0000000000000000-mapping.dmp

Download
memory/2112-171-0x0000000000E00000-0x0000000000E15000-memory.dmp

Filesize
84KB

Download
memory/2112-118-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/2312-153-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/2312-147-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/2312-160-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/2312-158-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/2312-174-0x0000000008CB0000-0x0000000008CB1000-memory.dmp

Filesize
4KB

Download
memory/2312-152-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/2312-159-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2312-148-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/2312-151-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2312-178-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/2312-173-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

Filesize
4KB

Download
memory/2312-144-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/2312-176-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/2312-140-0x0000000000000000-mapping.dmp

Download
memory/2612-161-0x0000000000000000-mapping.dmp

Download
memory/2796-116-0x0000000000402E68-mapping.dmp

Download
memory/2796-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2824-157-0x0000000000000000-mapping.dmp

Download
memory/3332-117-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3560-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3560-133-0x0000000000402F14-mapping.dmp

Download
memory/3908-149-0x0000000000000000-mapping.dmp

Download
memory/3996-166-0x0000000000000000-mapping.dmp

Download
memory/4076-182-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/4076-169-0x0000000000000000-mapping.dmp

Download
memory/4116-179-0x0000000000000000-mapping.dmp

Download
memory/4116-181-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/4116-180-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/4148-183-0x0000000001100000-0x0000000001122000-memory.dmp

Filesize
136KB

Download
memory/4148-192-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4148-193-0x00000000054D0000-0x0000000005AD6000-memory.dmp

Filesize
6.0MB

Download

pid	process
2796	6beb4897838c91ed0cce6b12a9c8f5df073267b7627a29a2a79bc5afed35cdb2.exe
3560	explorer.exe
2112
2112