redline | a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2023, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe
Size

206KB
MD5

4b7302ac53a8b3ac22af1d9781e03e3b
SHA1

5c8154844c22c1cf48a876eac7e5ac8d88dccf25
SHA256

a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483
SHA512

f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0
SSDEEP

3072:meTRJ0kHbnpN23kQKp5XzutZXKGrpeN84LuZAIybiy3xEfbi:FTR2AnpN2wDurXBeBuZAIMEj

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0846358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0846358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0846358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0846358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0846358.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0846358.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023127-181.dat	family_redline
behavioral1/files/0x0007000000023127-182.dat	family_redline
behavioral1/memory/4656-183-0x0000000000C40000-0x0000000000C70000-memory.dmp	family_redline
behavioral1/files/0x0006000000023131-225.dat	family_redline
behavioral1/files/0x0006000000023131-250.dat	family_redline
behavioral1/files/0x0006000000023131-251.dat	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metado.exe

Executes dropped EXE 15 IoCs

pid	Process
3024	metado.exe
2840	foto124.exe
1792	x1736423.exe
4992	x4847134.exe
4656	f3564653.exe
2232	fotod25.exe
1552	y9104090.exe
2564	y4559475.exe
2140	y3875235.exe
3576	j8770007.exe
4256	k0846358.exe
3816	l6693273.exe
4368	metado.exe
1424	metado.exe
3040	metado.exe

Loads dropped DLL 1 IoCs

pid	Process
4684	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0846358.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1736423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1736423.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	y4559475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	y3875235.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4847134.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fotod25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	y9104090.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3875235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto124.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000018051\\foto124.exe"	metado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4847134.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fotod25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000019051\\fotod25.exe"	metado.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9104090.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4559475.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 1664	3576	j8770007.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4712	3576	WerFault.exe	102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1664	AppLaunch.exe
1664	AppLaunch.exe
4256	k0846358.exe
4256	k0846358.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	AppLaunch.exe
Token: SeDebugPrivilege	4256	k0846358.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
808	a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 3024	808	a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe	83
PID 808 wrote to memory of 3024	808	a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe	83
PID 808 wrote to memory of 3024	808	a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe	83
PID 3024 wrote to memory of 1056	3024	metado.exe	84
PID 3024 wrote to memory of 1056	3024	metado.exe	84
PID 3024 wrote to memory of 1056	3024	metado.exe	84
PID 3024 wrote to memory of 1192	3024	metado.exe	86
PID 3024 wrote to memory of 1192	3024	metado.exe	86
PID 3024 wrote to memory of 1192	3024	metado.exe	86
PID 1192 wrote to memory of 5024	1192	cmd.exe	88
PID 1192 wrote to memory of 5024	1192	cmd.exe	88
PID 1192 wrote to memory of 5024	1192	cmd.exe	88
PID 1192 wrote to memory of 1324	1192	cmd.exe	89
PID 1192 wrote to memory of 1324	1192	cmd.exe	89
PID 1192 wrote to memory of 1324	1192	cmd.exe	89
PID 1192 wrote to memory of 3248	1192	cmd.exe	90
PID 1192 wrote to memory of 3248	1192	cmd.exe	90
PID 1192 wrote to memory of 3248	1192	cmd.exe	90
PID 1192 wrote to memory of 3440	1192	cmd.exe	91
PID 1192 wrote to memory of 3440	1192	cmd.exe	91
PID 1192 wrote to memory of 3440	1192	cmd.exe	91
PID 1192 wrote to memory of 1124	1192	cmd.exe	92
PID 1192 wrote to memory of 1124	1192	cmd.exe	92
PID 1192 wrote to memory of 1124	1192	cmd.exe	92
PID 1192 wrote to memory of 4916	1192	cmd.exe	93
PID 1192 wrote to memory of 4916	1192	cmd.exe	93
PID 1192 wrote to memory of 4916	1192	cmd.exe	93
PID 3024 wrote to memory of 2840	3024	metado.exe	94
PID 3024 wrote to memory of 2840	3024	metado.exe	94
PID 3024 wrote to memory of 2840	3024	metado.exe	94
PID 2840 wrote to memory of 1792	2840	foto124.exe	95
PID 2840 wrote to memory of 1792	2840	foto124.exe	95
PID 2840 wrote to memory of 1792	2840	foto124.exe	95
PID 1792 wrote to memory of 4992	1792	x1736423.exe	96
PID 1792 wrote to memory of 4992	1792	x1736423.exe	96
PID 1792 wrote to memory of 4992	1792	x1736423.exe	96
PID 4992 wrote to memory of 4656	4992	x4847134.exe	97
PID 4992 wrote to memory of 4656	4992	x4847134.exe	97
PID 4992 wrote to memory of 4656	4992	x4847134.exe	97
PID 3024 wrote to memory of 2232	3024	metado.exe	98
PID 3024 wrote to memory of 2232	3024	metado.exe	98
PID 3024 wrote to memory of 2232	3024	metado.exe	98
PID 2232 wrote to memory of 1552	2232	fotod25.exe	99
PID 2232 wrote to memory of 1552	2232	fotod25.exe	99
PID 2232 wrote to memory of 1552	2232	fotod25.exe	99
PID 1552 wrote to memory of 2564	1552	y9104090.exe	100
PID 1552 wrote to memory of 2564	1552	y9104090.exe	100
PID 1552 wrote to memory of 2564	1552	y9104090.exe	100
PID 2564 wrote to memory of 2140	2564	y4559475.exe	101
PID 2564 wrote to memory of 2140	2564	y4559475.exe	101
PID 2564 wrote to memory of 2140	2564	y4559475.exe	101
PID 2140 wrote to memory of 3576	2140	y3875235.exe	102
PID 2140 wrote to memory of 3576	2140	y3875235.exe	102
PID 2140 wrote to memory of 3576	2140	y3875235.exe	102
PID 3576 wrote to memory of 1664	3576	j8770007.exe	104
PID 3576 wrote to memory of 1664	3576	j8770007.exe	104
PID 3576 wrote to memory of 1664	3576	j8770007.exe	104
PID 3576 wrote to memory of 1664	3576	j8770007.exe	104
PID 3576 wrote to memory of 1664	3576	j8770007.exe	104
PID 2140 wrote to memory of 4256	2140	y3875235.exe	107
PID 2140 wrote to memory of 4256	2140	y3875235.exe	107
PID 2564 wrote to memory of 3816	2564	y4559475.exe	108
PID 2564 wrote to memory of 3816	2564	y4559475.exe	108
PID 2564 wrote to memory of 3816	2564	y4559475.exe	108

C:\Users\Admin\AppData\Local\Temp\a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe
"C:\Users\Admin\AppData\Local\Temp\a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
  "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metado.exe" /P "Admin:N"
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metado.exe" /P "Admin:R" /E
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:N"
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:R" /E
      4⤵
      PID:4916
- - C:\Users\Admin\AppData\Local\Temp\1000018051\foto124.exe
    "C:\Users\Admin\AppData\Local\Temp\1000018051\foto124.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1736423.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1736423.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4847134.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4847134.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3564653.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3564653.exe
        6⤵
        Executes dropped EXE
        
        PID:4656
- - C:\Users\Admin\AppData\Local\Temp\1000019051\fotod25.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019051\fotod25.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9104090.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9104090.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4559475.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4559475.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y3875235.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y3875235.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j8770007.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j8770007.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 560
        8⤵
        Program crash
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0846358.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0846358.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6693273.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6693273.exe
        6⤵
        Executes dropped EXE
        
        PID:3816
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3576 -ip 3576
1⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000018051\foto124.exe

Filesize
578KB

MD5
fbc5c27bbd0c49b6445bc3aca742c842

SHA1
1a6734011480dc51b4ae368009b70b31e4fff1bd

SHA256
1ed611ea9ee247df547c3bcc849453e723b52a2defccf3448fb6e94abdb7497e

SHA512
7a3e3402af148c50d0dfc662aea21a4ed32c934535a8b348faaf08afb3a087d6e279453ebb008f9eb0219032a8ec9d0ed9c962fd62a440fa0ee6d654165452b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018051\foto124.exe

Filesize
578KB

MD5
fbc5c27bbd0c49b6445bc3aca742c842

SHA1
1a6734011480dc51b4ae368009b70b31e4fff1bd

SHA256
1ed611ea9ee247df547c3bcc849453e723b52a2defccf3448fb6e94abdb7497e

SHA512
7a3e3402af148c50d0dfc662aea21a4ed32c934535a8b348faaf08afb3a087d6e279453ebb008f9eb0219032a8ec9d0ed9c962fd62a440fa0ee6d654165452b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018051\foto124.exe

Filesize
578KB

MD5
fbc5c27bbd0c49b6445bc3aca742c842

SHA1
1a6734011480dc51b4ae368009b70b31e4fff1bd

SHA256
1ed611ea9ee247df547c3bcc849453e723b52a2defccf3448fb6e94abdb7497e

SHA512
7a3e3402af148c50d0dfc662aea21a4ed32c934535a8b348faaf08afb3a087d6e279453ebb008f9eb0219032a8ec9d0ed9c962fd62a440fa0ee6d654165452b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019051\fotod25.exe

Filesize
724KB

MD5
a8b0107515ffdcde72280e31292253f0

SHA1
4b92f99c69defd96bd2ef9e34885b7a2c1aeaa51

SHA256
f3003ea7240d31703c5e099e3eaff3af9b527a933e20e15633d77b3f0eade20d

SHA512
9e1d5ce280a41a3fd172a6ea69e30c8198632210b05470cd106a508c49fd21132af0660d6fc5584717049e2525c78bb91f77a0d3ad1db71d8029b7d2865465ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019051\fotod25.exe

Filesize
724KB

MD5
a8b0107515ffdcde72280e31292253f0

SHA1
4b92f99c69defd96bd2ef9e34885b7a2c1aeaa51

SHA256
f3003ea7240d31703c5e099e3eaff3af9b527a933e20e15633d77b3f0eade20d

SHA512
9e1d5ce280a41a3fd172a6ea69e30c8198632210b05470cd106a508c49fd21132af0660d6fc5584717049e2525c78bb91f77a0d3ad1db71d8029b7d2865465ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019051\fotod25.exe

Filesize
724KB

MD5
a8b0107515ffdcde72280e31292253f0

SHA1
4b92f99c69defd96bd2ef9e34885b7a2c1aeaa51

SHA256
f3003ea7240d31703c5e099e3eaff3af9b527a933e20e15633d77b3f0eade20d

SHA512
9e1d5ce280a41a3fd172a6ea69e30c8198632210b05470cd106a508c49fd21132af0660d6fc5584717049e2525c78bb91f77a0d3ad1db71d8029b7d2865465ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1736423.exe

Filesize
378KB

MD5
ac685bcf755f7d08a63dd67e335b178d

SHA1
ccf0d8070f32c52f12b07879e103c3e76b54d3c5

SHA256
f21e5c85cb671573a3fe8691be5c3446cbe4e40f1d341590dbc7ace3eab7d8a9

SHA512
985ff9d033ea9aa35fa86b991df12986716b5adf19fe62f3230ffd7428b3e19d99f01c07ab2d056c4423f56ff5a38f9c5fc751eb102e57e539e6eb95f14869c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1736423.exe

Filesize
378KB

MD5
ac685bcf755f7d08a63dd67e335b178d

SHA1
ccf0d8070f32c52f12b07879e103c3e76b54d3c5

SHA256
f21e5c85cb671573a3fe8691be5c3446cbe4e40f1d341590dbc7ace3eab7d8a9

SHA512
985ff9d033ea9aa35fa86b991df12986716b5adf19fe62f3230ffd7428b3e19d99f01c07ab2d056c4423f56ff5a38f9c5fc751eb102e57e539e6eb95f14869c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4847134.exe

Filesize
206KB

MD5
31463c61bd8aeb2f50593f5e31329260

SHA1
4794c54ac9eb6112390f1a95fc1589da13ec8aa1

SHA256
76166d958bcfe1d7ffb5b910b36843d89fceda8858355b868733381e79725760

SHA512
5a5f39c40fe0fa141f16bd3028334dda6651a466feb85c3a843842f9f88ef589148034b648a7c6eb533f4e90f2da067d1fc4f9fd3e8594acfae07f9b2efce25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4847134.exe

Filesize
206KB

MD5
31463c61bd8aeb2f50593f5e31329260

SHA1
4794c54ac9eb6112390f1a95fc1589da13ec8aa1

SHA256
76166d958bcfe1d7ffb5b910b36843d89fceda8858355b868733381e79725760

SHA512
5a5f39c40fe0fa141f16bd3028334dda6651a466feb85c3a843842f9f88ef589148034b648a7c6eb533f4e90f2da067d1fc4f9fd3e8594acfae07f9b2efce25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3564653.exe

Filesize
172KB

MD5
7bce103a6181988d5228ae26515fe6e5

SHA1
b8945dc1c777ad3e98b37e9e8b8fc1750df21f83

SHA256
74d395cedd734709cb103b3b669a4804a4377ef61e3bebca47fd9d6022a6383c

SHA512
9a2ef297cc03b8a553ff645f713b210db687866f0399c9261a65c58c0c815a89e497852b7b7a14b27f59743c0de1ef912e572dd4fe495a3dfa410d100d99dd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3564653.exe

Filesize
172KB

MD5
7bce103a6181988d5228ae26515fe6e5

SHA1
b8945dc1c777ad3e98b37e9e8b8fc1750df21f83

SHA256
74d395cedd734709cb103b3b669a4804a4377ef61e3bebca47fd9d6022a6383c

SHA512
9a2ef297cc03b8a553ff645f713b210db687866f0399c9261a65c58c0c815a89e497852b7b7a14b27f59743c0de1ef912e572dd4fe495a3dfa410d100d99dd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9104090.exe

Filesize
524KB

MD5
cde7b91c21b59ee714a727d090bb335e

SHA1
4d0d3024ef91b124085fba179126de7ef2037f30

SHA256
72acfe06c98e3c18d63307c5f6fb644ee54780e4232caeabe0f10197ae97bc10

SHA512
d7eea30ad406a2c28ac971c11119446b3c091d4dbe93ce7ad2cc66658128a1f120d594d568883a011d8c57f36e37e307419f3073b5c19a96cdf39a0044dbef65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9104090.exe

Filesize
524KB

MD5
cde7b91c21b59ee714a727d090bb335e

SHA1
4d0d3024ef91b124085fba179126de7ef2037f30

SHA256
72acfe06c98e3c18d63307c5f6fb644ee54780e4232caeabe0f10197ae97bc10

SHA512
d7eea30ad406a2c28ac971c11119446b3c091d4dbe93ce7ad2cc66658128a1f120d594d568883a011d8c57f36e37e307419f3073b5c19a96cdf39a0044dbef65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4559475.exe

Filesize
352KB

MD5
30b5e8fd6a5a6d759ff8abbbbb63de25

SHA1
79a2f79278e5111e039e246d84fe5664f03c87d6

SHA256
9e822b2685dc8e68cad91fffca2b6343eb2ee5e6d10e83d4f198da95bd04c093

SHA512
269d74f4f969114a203bd854768a383afd0e9ac78f11f893acbd2b61744f994b95789a522ea075d6397f19fe152a1e7b68eabf820ff598161fbe0b15332a3652

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4559475.exe

Filesize
352KB

MD5
30b5e8fd6a5a6d759ff8abbbbb63de25

SHA1
79a2f79278e5111e039e246d84fe5664f03c87d6

SHA256
9e822b2685dc8e68cad91fffca2b6343eb2ee5e6d10e83d4f198da95bd04c093

SHA512
269d74f4f969114a203bd854768a383afd0e9ac78f11f893acbd2b61744f994b95789a522ea075d6397f19fe152a1e7b68eabf820ff598161fbe0b15332a3652

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6693273.exe

Filesize
172KB

MD5
8bce48a231b30972e2059212237f7b79

SHA1
1e2cb7d0a1e9c908adebbafd56da3c39df4b8989

SHA256
1806e83fec59b3108ede1a3cc543b46be0b9f3e268a6069a832dab82c459ff95

SHA512
44a0110c22a534cf63e967aa57c5fbb0fd2566791f967037cc4b5eb8bb21b573256b354591cc3cad2a7e9a285b84808c6432fbf83c79f049b5dc4cbbbb2f0eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6693273.exe

Filesize
172KB

MD5
8bce48a231b30972e2059212237f7b79

SHA1
1e2cb7d0a1e9c908adebbafd56da3c39df4b8989

SHA256
1806e83fec59b3108ede1a3cc543b46be0b9f3e268a6069a832dab82c459ff95

SHA512
44a0110c22a534cf63e967aa57c5fbb0fd2566791f967037cc4b5eb8bb21b573256b354591cc3cad2a7e9a285b84808c6432fbf83c79f049b5dc4cbbbb2f0eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6693273.exe

Filesize
172KB

MD5
8bce48a231b30972e2059212237f7b79

SHA1
1e2cb7d0a1e9c908adebbafd56da3c39df4b8989

SHA256
1806e83fec59b3108ede1a3cc543b46be0b9f3e268a6069a832dab82c459ff95

SHA512
44a0110c22a534cf63e967aa57c5fbb0fd2566791f967037cc4b5eb8bb21b573256b354591cc3cad2a7e9a285b84808c6432fbf83c79f049b5dc4cbbbb2f0eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y3875235.exe

Filesize
196KB

MD5
e225afec85df785655e343e70658deae

SHA1
728b408cc0246fb9495a431ced95c4163b0c8f8e

SHA256
d0814838ce3c4770aa82d92592ebe53ede600846faadeae94d5900d16c23d38d

SHA512
10a28e52ba253cc862858e76f3d4284e5290fd53a30782d5cd373d790245c21e2ad5c9c17a6d38cff15be5d1fbaebdc1380f10a4f77a51e17bffcd428fa01170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y3875235.exe

Filesize
196KB

MD5
e225afec85df785655e343e70658deae

SHA1
728b408cc0246fb9495a431ced95c4163b0c8f8e

SHA256
d0814838ce3c4770aa82d92592ebe53ede600846faadeae94d5900d16c23d38d

SHA512
10a28e52ba253cc862858e76f3d4284e5290fd53a30782d5cd373d790245c21e2ad5c9c17a6d38cff15be5d1fbaebdc1380f10a4f77a51e17bffcd428fa01170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j8770007.exe

Filesize
101KB

MD5
168868d078b42fc8f7e10081c6491ed7

SHA1
1511d5befdd9be356e5e027a1150bf9ca9e9fa30

SHA256
f58ccb9c4912b6a30ec1dc3ebf4ef8c6bfc50025d1b9597c4d117d8de21fed34

SHA512
e7ff217300bde31e3ab597ecb5f025dca343fbb43d683ed0ff6e1be63e3d446eac6541cd6c9cff727d8be976d6de06f68032e11aa2a5e43580c8210f3670d66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j8770007.exe

Filesize
101KB

MD5
168868d078b42fc8f7e10081c6491ed7

SHA1
1511d5befdd9be356e5e027a1150bf9ca9e9fa30

SHA256
f58ccb9c4912b6a30ec1dc3ebf4ef8c6bfc50025d1b9597c4d117d8de21fed34

SHA512
e7ff217300bde31e3ab597ecb5f025dca343fbb43d683ed0ff6e1be63e3d446eac6541cd6c9cff727d8be976d6de06f68032e11aa2a5e43580c8210f3670d66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0846358.exe

Filesize
12KB

MD5
a1c4b6edd7a5e2bea771f03481a3c7a7

SHA1
8b433abaef697e476fc0a58cde9671471d8dce66

SHA256
9f965ce64e1c4d03cba2d7301d184ebe6180119cb28f41efdb6ef897a0e71146

SHA512
2ef151da71061178e0d6a47f143334088689f51c26622c0bb2f19b32529399dfd8ae1ef9ffe756862027370f6504003b428df4e330f418e001b13200ab0aee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0846358.exe

Filesize
12KB

MD5
a1c4b6edd7a5e2bea771f03481a3c7a7

SHA1
8b433abaef697e476fc0a58cde9671471d8dce66

SHA256
9f965ce64e1c4d03cba2d7301d184ebe6180119cb28f41efdb6ef897a0e71146

SHA512
2ef151da71061178e0d6a47f143334088689f51c26622c0bb2f19b32529399dfd8ae1ef9ffe756862027370f6504003b428df4e330f418e001b13200ab0aee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0846358.exe

Filesize
12KB

MD5
a1c4b6edd7a5e2bea771f03481a3c7a7

SHA1
8b433abaef697e476fc0a58cde9671471d8dce66

SHA256
9f965ce64e1c4d03cba2d7301d184ebe6180119cb28f41efdb6ef897a0e71146

SHA512
2ef151da71061178e0d6a47f143334088689f51c26622c0bb2f19b32529399dfd8ae1ef9ffe756862027370f6504003b428df4e330f418e001b13200ab0aee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
4b7302ac53a8b3ac22af1d9781e03e3b

SHA1
5c8154844c22c1cf48a876eac7e5ac8d88dccf25

SHA256
a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

SHA512
f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
4b7302ac53a8b3ac22af1d9781e03e3b

SHA1
5c8154844c22c1cf48a876eac7e5ac8d88dccf25

SHA256
a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

SHA512
f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
4b7302ac53a8b3ac22af1d9781e03e3b

SHA1
5c8154844c22c1cf48a876eac7e5ac8d88dccf25

SHA256
a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

SHA512
f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
4b7302ac53a8b3ac22af1d9781e03e3b

SHA1
5c8154844c22c1cf48a876eac7e5ac8d88dccf25

SHA256
a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

SHA512
f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
4b7302ac53a8b3ac22af1d9781e03e3b

SHA1
5c8154844c22c1cf48a876eac7e5ac8d88dccf25

SHA256
a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

SHA512
f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
4b7302ac53a8b3ac22af1d9781e03e3b

SHA1
5c8154844c22c1cf48a876eac7e5ac8d88dccf25

SHA256
a51b071542599d1e5428713cbd3160c261fa84dde9bb7e4f682b7fc92b79a483

SHA512
f9b01c03f57897140918e14111952ede3501e3b71305b925eda0bcc97f51faccf387fcc1e24373cd53ebf916b3781ac3fbeef4f02b4e4f60c580b667a88ca0a0

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1664-237-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3816-252-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3816-254-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/4256-245-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/4656-246-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4656-184-0x000000000B100000-0x000000000B718000-memory.dmp

Filesize
6.1MB

Download
memory/4656-207-0x000000000AB60000-0x000000000AB9C000-memory.dmp

Filesize
240KB

Download
memory/4656-183-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/4656-205-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4656-202-0x000000000AB00000-0x000000000AB12000-memory.dmp

Filesize
72KB

Download
memory/4656-196-0x000000000ABF0000-0x000000000ACFA000-memory.dmp

Filesize
1.0MB

Download