Analysis
- max time kernel: 89s
- max time network: 129s
- platform: windows11_x64
- resource: win11
- submitted: 20-10-2021 01:01
Static task: static1
Behavioral task behavioral1
- Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Resource: win7-ja-20211014
Behavioral task behavioral2
- Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Resource: win7-de-20210920
Behavioral task behavioral3
- Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Resource: win11
Behavioral task behavioral4
- Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Resource: win10-ja-20211014
Behavioral task behavioral5
- Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Resource: win10-en-20210920
Behavioral task behavioral6
- Sample: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Resource: win10-de-20211014
General
- Target: Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
- Size: 15.1MB
- MD5: 083776e54ad37b3a45d7e6516b1e13fb
- SHA1: e784e8f041dfb7612e8439518ed587f1f878b9eb
- SHA256: 4334163e03a3cae86600be22c3deb8e786142db27883cc99f0536f713621df9d
- SHA512: 0985538bf8c2add2e85ac09e64826e0993fae2b1b4e7643a42f010201e4e8f2065f673a795aa4eabf7bee26709f35fbc84553042f40ce3a2fde96a271c43590c
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 1012 created 3148 | 1012 | WerFault.exe | Panel.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
3292 | crack.exe
1880 | crack.exe
3148 | Panel.exe
-
Sets service image path in registry 2 TTPs
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | crack.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | crack.exe
-
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2580 | 3148 | WerFault.exe | Panel.exe
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
-
Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Redline_20_2_crack.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Redline_20_2_crack.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | Redline_20_2_crack.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | Redline_20_2_crack.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
3292 | crack.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2580 | WerFault.exe
2580 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeSystemtimePrivilege | 4612 | svchost.exe
Token: SeSystemtimePrivilege | 4612 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4612 | svchost.exe
Token: SeShutdownPrivilege | 1220 | svchost.exe
Token: SeCreatePagefilePrivilege | 1220 | svchost.exe
Token: SeShutdownPrivilege | 1220 | svchost.exe
Token: SeCreatePagefilePrivilege | 1220 | svchost.exe
Token: SeShutdownPrivilege | 1220 | svchost.exe
Token: SeCreatePagefilePrivilege | 1220 | svchost.exe
Token: SeShutdownPrivilege | 2336 | svchost.exe
Token: SeCreatePagefilePrivilege | 2336 | svchost.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeShutdownPrivilege | 1220 | svchost.exe
Token: SeCreatePagefilePrivilege | 1220 | svchost.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
Token: SeBackupPrivilege | 4840 | TiWorker.exe
Token: SeRestorePrivilege | 4840 | TiWorker.exe
Token: SeSecurityPrivilege | 4840 | TiWorker.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4928 | Redline_20_2_crack.exe
4928 | Redline_20_2_crack.exe
3148 | Panel.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 2336 wrote to memory of 2516 | 2336 | svchost.exe | MoUsoCoreWorker.exe
PID 2336 wrote to memory of 2516 | 2336 | svchost.exe | MoUsoCoreWorker.exe
PID 4928 wrote to memory of 3292 | 4928 | Redline_20_2_crack.exe | crack.exe
PID 4928 wrote to memory of 3292 | 4928 | Redline_20_2_crack.exe | crack.exe
PID 1012 wrote to memory of 3148 | 1012 | WerFault.exe | Panel.exe
PID 1012 wrote to memory of 3148 | 1012 | WerFault.exe | Panel.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe"
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\Desktop\New folder\crack.exe (child process)
  Command line: "C:\Users\Admin\Desktop\New folder\crack.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\Upfc.exe
Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv NhUJ642WskKLYRDgxSoWYQ.0
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sihclient.exe
Command line: C:\Windows\System32\sihclient.exe /cv sbePE9p7cEmNT2HJTnSbtw.0.2
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\System32\WaaSMedicAgent.exe
Command line: C:\Windows\System32\WaaSMedicAgent.exe f658eb2d4cf0ccde794d06364a8d49bb sbePE9p7cEmNT2HJTnSbtw.0.1.0.3.0
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (child process)
  Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WaaSMedicAgent.exe
Command line: C:\Windows\System32\WaaSMedicAgent.exe f658eb2d4cf0ccde794d06364a8d49bb sbePE9p7cEmNT2HJTnSbtw.0.1.0.3.0
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WaaSMedicAgent.exe
Command line: C:\Windows\System32\WaaSMedicAgent.exe f658eb2d4cf0ccde794d06364a8d49bb sbePE9p7cEmNT2HJTnSbtw.0.1.0.3.0
- Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\ReadMe.txt
-
C:\Users\Admin\Desktop\New folder\crack.exe
Command line: "C:\Users\Admin\Desktop\New folder\crack.exe"
- Executes dropped EXE
-
C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe
Command line: "C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
  -
  C:\Windows\system32\WerFault.exe (child process)
  Command line: C:\Windows\system32\WerFault.exe -u -p 3148 -s 992
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 456 -p 3148 -ip 3148
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe
MD5: f4e19b67ef27af1434151a512860574e
SHA1: 56304fc2729974124341e697f3b21c84a8dd242a
SHA256: c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
SHA512: a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
-
C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe.config
MD5: 494890d393a5a8c54771186a87b0265e
SHA1: 162fa5909c1c3f84d34bda5d3370a957fe58c9c8
SHA256: f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7
SHA512: 40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395
-
C:\Users\Admin\Desktop\New folder\ReadMe.txt
MD5: 1aa5bac6cacd74746ec6c3eb28e0092b
SHA1: 5ed229ae018700778a8b617c1c92baf0ceaf18c8
SHA256: e6bc141f184b9e8a476b3d79ff5b6d864b4a164915c641c7fcf1fefb95d44ac7
SHA512: 7c5816c11824dadf9ff9e80b7eb8a4eb3efbfd2fd08a34b5d61ed148303ec6cfb313df4122b5d0a3151c943d8bc67ae6de9c3b1ef59371dd941da64609aa24a9
-
C:\Users\Admin\Desktop\New folder\crack.exe
MD5: d2092715d71b90721291a1d59f69a8cc
SHA1: 99ebd7a6601d85cc7206b5a9dbf623ec9e5963ad
SHA256: b38006408e2229c1c23c56e4efba5df476d7ee13931ec7766cb6940b1b397679
SHA512: 3b99205ae8c7c69ca207b45b5d2701a24a7aa2bff2f4dace45702f4eaca71e19d0630d33f869e4793d7d3f9d429b37c77690df6913c225e0b9e5c3e7d583d322
-
memory/1220-151-0x000001D693E70000-0x000001D693E74000-memory.dmp (filesize 16KB)
-
memory/2516-152-0x0000000000000000-mapping.dmp
-
memory/3148-167-0x000000001ACC0000-0x000000001AE60000-memory.dmp (filesize 1.6MB)
-
memory/3148-165-0x00007FFCB05F0000-0x00007FFCB10B1000-memory.dmp (filesize 10.8MB)
-
memory/3148-168-0x0000000002070000-0x0000000002071000-memory.dmp (filesize 4KB)
-
memory/3148-169-0x00007FFCD4DF0000-0x00007FFCD4DF1000-memory.dmp (filesize 4KB)
-
memory/3148-170-0x00007FFCD50B0000-0x00007FFCD50B1000-memory.dmp (filesize 4KB)
-
memory/3292-158-0x0000000000B60000-0x0000000000B62000-memory.dmp (filesize 8KB)
-
memory/3292-156-0x0000000000240000-0x0000000000241000-memory.dmp (filesize 4KB)
-
memory/3292-153-0x0000000000000000-mapping.dmp
-
memory/4656-146-0x0000021990C80000-0x0000021990C90000-memory.dmp (filesize 64KB)
-
memory/4656-148-0x0000021993300000-0x0000021993304000-memory.dmp (filesize 16KB)
-
memory/4656-147-0x0000021990D00000-0x0000021990D10000-memory.dmp (filesize 64KB)