redline | 5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe
Size

206KB
MD5

73bc64c893ede2084d4fdc76ab3c0e0c
SHA1

68f989f85916bba1d0ffb7708f1485374cf19bd6
SHA256

5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93
SHA512

ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d
SSDEEP

3072:meTRJ0kHbnpN23kQKp5XzutZXKGrpeN84LuZAIybiy3xEfbi:FTR2AnpN2wDurXBeBuZAIMEj

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3626843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3626843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3626843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3626843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3626843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3626843.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x00030000000224b3-181.dat	family_redline
behavioral1/files/0x00030000000224b3-182.dat	family_redline
behavioral1/memory/4432-183-0x0000000000CA0000-0x0000000000CD0000-memory.dmp	family_redline
behavioral1/files/0x0006000000023167-220.dat	family_redline
behavioral1/files/0x0006000000023167-251.dat	family_redline
behavioral1/files/0x0006000000023167-252.dat	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	metado.exe

Executes dropped EXE 15 IoCs

pid	Process
4536	metado.exe
4340	foto124.exe
208	x1270466.exe
3400	x6384710.exe
4432	f0655800.exe
936	fotod25.exe
2164	y5903388.exe
4860	y4766783.exe
4696	y5808774.exe
3352	j5023922.exe
1376	k3626843.exe
412	metado.exe
4072	l5755839.exe
3404	metado.exe
2180	metado.exe

Loads dropped DLL 1 IoCs

pid	Process
5048	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3626843.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fotod25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4766783.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5808774.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto124.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\foto124.exe"	metado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6384710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	y5903388.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fotod25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021051\\fotod25.exe"	metado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	y5808774.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5903388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	y4766783.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6384710.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1270466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1270466.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3352 set thread context of 1316	3352	j5023922.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	3352	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1316	AppLaunch.exe
1316	AppLaunch.exe
1376	k3626843.exe
1376	k3626843.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	AppLaunch.exe
Token: SeDebugPrivilege	1376	k3626843.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4124	5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4536	4124	5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe	85
PID 4124 wrote to memory of 4536	4124	5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe	85
PID 4124 wrote to memory of 4536	4124	5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe	85
PID 4536 wrote to memory of 4632	4536	metado.exe	86
PID 4536 wrote to memory of 4632	4536	metado.exe	86
PID 4536 wrote to memory of 4632	4536	metado.exe	86
PID 4536 wrote to memory of 1436	4536	metado.exe	88
PID 4536 wrote to memory of 1436	4536	metado.exe	88
PID 4536 wrote to memory of 1436	4536	metado.exe	88
PID 1436 wrote to memory of 2756	1436	cmd.exe	90
PID 1436 wrote to memory of 2756	1436	cmd.exe	90
PID 1436 wrote to memory of 2756	1436	cmd.exe	90
PID 1436 wrote to memory of 2180	1436	cmd.exe	91
PID 1436 wrote to memory of 2180	1436	cmd.exe	91
PID 1436 wrote to memory of 2180	1436	cmd.exe	91
PID 1436 wrote to memory of 4676	1436	cmd.exe	92
PID 1436 wrote to memory of 4676	1436	cmd.exe	92
PID 1436 wrote to memory of 4676	1436	cmd.exe	92
PID 1436 wrote to memory of 3316	1436	cmd.exe	93
PID 1436 wrote to memory of 3316	1436	cmd.exe	93
PID 1436 wrote to memory of 3316	1436	cmd.exe	93
PID 1436 wrote to memory of 1388	1436	cmd.exe	94
PID 1436 wrote to memory of 1388	1436	cmd.exe	94
PID 1436 wrote to memory of 1388	1436	cmd.exe	94
PID 1436 wrote to memory of 1608	1436	cmd.exe	95
PID 1436 wrote to memory of 1608	1436	cmd.exe	95
PID 1436 wrote to memory of 1608	1436	cmd.exe	95
PID 4536 wrote to memory of 4340	4536	metado.exe	96
PID 4536 wrote to memory of 4340	4536	metado.exe	96
PID 4536 wrote to memory of 4340	4536	metado.exe	96
PID 4340 wrote to memory of 208	4340	foto124.exe	97
PID 4340 wrote to memory of 208	4340	foto124.exe	97
PID 4340 wrote to memory of 208	4340	foto124.exe	97
PID 208 wrote to memory of 3400	208	x1270466.exe	98
PID 208 wrote to memory of 3400	208	x1270466.exe	98
PID 208 wrote to memory of 3400	208	x1270466.exe	98
PID 3400 wrote to memory of 4432	3400	x6384710.exe	99
PID 3400 wrote to memory of 4432	3400	x6384710.exe	99
PID 3400 wrote to memory of 4432	3400	x6384710.exe	99
PID 4536 wrote to memory of 936	4536	metado.exe	100
PID 4536 wrote to memory of 936	4536	metado.exe	100
PID 4536 wrote to memory of 936	4536	metado.exe	100
PID 936 wrote to memory of 2164	936	fotod25.exe	101
PID 936 wrote to memory of 2164	936	fotod25.exe	101
PID 936 wrote to memory of 2164	936	fotod25.exe	101
PID 2164 wrote to memory of 4860	2164	y5903388.exe	102
PID 2164 wrote to memory of 4860	2164	y5903388.exe	102
PID 2164 wrote to memory of 4860	2164	y5903388.exe	102
PID 4860 wrote to memory of 4696	4860	y4766783.exe	103
PID 4860 wrote to memory of 4696	4860	y4766783.exe	103
PID 4860 wrote to memory of 4696	4860	y4766783.exe	103
PID 4696 wrote to memory of 3352	4696	y5808774.exe	104
PID 4696 wrote to memory of 3352	4696	y5808774.exe	104
PID 4696 wrote to memory of 3352	4696	y5808774.exe	104
PID 3352 wrote to memory of 1316	3352	j5023922.exe	106
PID 3352 wrote to memory of 1316	3352	j5023922.exe	106
PID 3352 wrote to memory of 1316	3352	j5023922.exe	106
PID 3352 wrote to memory of 1316	3352	j5023922.exe	106
PID 3352 wrote to memory of 1316	3352	j5023922.exe	106
PID 4696 wrote to memory of 1376	4696	y5808774.exe	109
PID 4696 wrote to memory of 1376	4696	y5808774.exe	109
PID 4860 wrote to memory of 4072	4860	y4766783.exe	111
PID 4860 wrote to memory of 4072	4860	y4766783.exe	111
PID 4860 wrote to memory of 4072	4860	y4766783.exe	111

C:\Users\Admin\AppData\Local\Temp\5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe
"C:\Users\Admin\AppData\Local\Temp\5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
  "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metado.exe" /P "Admin:N"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metado.exe" /P "Admin:R" /E
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:N"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:R" /E
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\1000020051\foto124.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020051\foto124.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1270466.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1270466.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6384710.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6384710.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0655800.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0655800.exe
        6⤵
        Executes dropped EXE
        
        PID:4432
- - C:\Users\Admin\AppData\Local\Temp\1000021051\fotod25.exe
    "C:\Users\Admin\AppData\Local\Temp\1000021051\fotod25.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5903388.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5903388.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4766783.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4766783.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y5808774.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y5808774.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j5023922.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j5023922.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 156
        8⤵
        Program crash
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k3626843.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k3626843.exe
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l5755839.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l5755839.exe
        6⤵
        Executes dropped EXE
        
        PID:4072
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3352 -ip 3352
1⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:412

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000020051\foto124.exe

Filesize
578KB

MD5
559fb84baf6d7a8e007719aee2d7843b

SHA1
8808f9e518511a56bb9df8141039287b4b85fc9a

SHA256
1d5340d637fce5e7d3a4f1079e8164e227261383feefd2308f7ee76911f436b2

SHA512
09c2d8a6215c99edb1ba3b893e27e3da061d491a33ce18a604662cf1a91a3cf5f97376a76d8541e6072d982c80471329efce47d1d6e767bde02c675aa43d76d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020051\foto124.exe

Filesize
578KB

MD5
559fb84baf6d7a8e007719aee2d7843b

SHA1
8808f9e518511a56bb9df8141039287b4b85fc9a

SHA256
1d5340d637fce5e7d3a4f1079e8164e227261383feefd2308f7ee76911f436b2

SHA512
09c2d8a6215c99edb1ba3b893e27e3da061d491a33ce18a604662cf1a91a3cf5f97376a76d8541e6072d982c80471329efce47d1d6e767bde02c675aa43d76d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020051\foto124.exe

Filesize
578KB

MD5
559fb84baf6d7a8e007719aee2d7843b

SHA1
8808f9e518511a56bb9df8141039287b4b85fc9a

SHA256
1d5340d637fce5e7d3a4f1079e8164e227261383feefd2308f7ee76911f436b2

SHA512
09c2d8a6215c99edb1ba3b893e27e3da061d491a33ce18a604662cf1a91a3cf5f97376a76d8541e6072d982c80471329efce47d1d6e767bde02c675aa43d76d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021051\fotod25.exe

Filesize
723KB

MD5
4ab68743c3288fafefa46d19229cb1e4

SHA1
ddb747297783e248295e6ab31d0b9d7a1c227794

SHA256
e2151bf5d391f61a9d2dfcd6c587ff1e794dcfea39995ebd32410c8a71a1f7be

SHA512
4aa1afed8de38463eb69860715e3459c503357e9a83069ccf56d12058d0bf7f51a0c5144d4e3b5822449001affacb0bab56d577b8545cbf2fc2d63448ca137cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021051\fotod25.exe

Filesize
723KB

MD5
4ab68743c3288fafefa46d19229cb1e4

SHA1
ddb747297783e248295e6ab31d0b9d7a1c227794

SHA256
e2151bf5d391f61a9d2dfcd6c587ff1e794dcfea39995ebd32410c8a71a1f7be

SHA512
4aa1afed8de38463eb69860715e3459c503357e9a83069ccf56d12058d0bf7f51a0c5144d4e3b5822449001affacb0bab56d577b8545cbf2fc2d63448ca137cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021051\fotod25.exe

Filesize
723KB

MD5
4ab68743c3288fafefa46d19229cb1e4

SHA1
ddb747297783e248295e6ab31d0b9d7a1c227794

SHA256
e2151bf5d391f61a9d2dfcd6c587ff1e794dcfea39995ebd32410c8a71a1f7be

SHA512
4aa1afed8de38463eb69860715e3459c503357e9a83069ccf56d12058d0bf7f51a0c5144d4e3b5822449001affacb0bab56d577b8545cbf2fc2d63448ca137cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1270466.exe

Filesize
378KB

MD5
1f074c6d9227b2059d2658e7664952d9

SHA1
8d234c233f62157483837aaee081b7eac3855597

SHA256
16bd13bb98512071f65763bff14f9a3ce89544fcf3983723960126a18459ec68

SHA512
ca9718d2636ecf3c68f074a02a99a528f92ad0e9e8c0ff7500de0736c06efee45739f9e9ca184851885324ba6b2da54b174468c95cdb485264a875bf9c0a7739

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1270466.exe

Filesize
378KB

MD5
1f074c6d9227b2059d2658e7664952d9

SHA1
8d234c233f62157483837aaee081b7eac3855597

SHA256
16bd13bb98512071f65763bff14f9a3ce89544fcf3983723960126a18459ec68

SHA512
ca9718d2636ecf3c68f074a02a99a528f92ad0e9e8c0ff7500de0736c06efee45739f9e9ca184851885324ba6b2da54b174468c95cdb485264a875bf9c0a7739

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6384710.exe

Filesize
206KB

MD5
73521659c757108ede304558f336cc73

SHA1
52a0dbf32c9232cd6c75cca063102fa9b6dfa2f3

SHA256
573135ade806aeb921245548bdbe0f25720258d97f4fc87924d1540c05a0de34

SHA512
4eb6555b28bcea733822dc4b73af894d0119f6871326c0e922481e3e3601f382f46d2895bc632f2868044e46578f601dbaa5c9b23d17bba95404b0744cccd4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6384710.exe

Filesize
206KB

MD5
73521659c757108ede304558f336cc73

SHA1
52a0dbf32c9232cd6c75cca063102fa9b6dfa2f3

SHA256
573135ade806aeb921245548bdbe0f25720258d97f4fc87924d1540c05a0de34

SHA512
4eb6555b28bcea733822dc4b73af894d0119f6871326c0e922481e3e3601f382f46d2895bc632f2868044e46578f601dbaa5c9b23d17bba95404b0744cccd4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0655800.exe

Filesize
172KB

MD5
ab9012ed1c28611d36d3c383d222d978

SHA1
7f57a9a31c15e59f872d3c65804e4e2cef260500

SHA256
c2ee9e0e90a736ebe01790fadacef75d215b1a252b1bce592157fc2491262c9a

SHA512
aa790a46b46ab1484be82b12bf6299f372d392fed41d9e74753fa07f02ef425d0a3d21c964def85416b044838b6cef2fd180bdf2ec6f2033767c948c98781cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0655800.exe

Filesize
172KB

MD5
ab9012ed1c28611d36d3c383d222d978

SHA1
7f57a9a31c15e59f872d3c65804e4e2cef260500

SHA256
c2ee9e0e90a736ebe01790fadacef75d215b1a252b1bce592157fc2491262c9a

SHA512
aa790a46b46ab1484be82b12bf6299f372d392fed41d9e74753fa07f02ef425d0a3d21c964def85416b044838b6cef2fd180bdf2ec6f2033767c948c98781cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5903388.exe

Filesize
524KB

MD5
b5d4fb3038bd4353aebc88205af5c636

SHA1
7287345d7294bdfe4020f4e1a2ca474e269d3759

SHA256
8696ea4057bb2e21acd183934dce83be876527de3faf8ec828f76debd7f5d7c6

SHA512
49e0f6592b9b1b5feaa28a2e220913254ba63c17d30fb4fab419e2923229205ab4c7ea61ef0ac735d585c117280472f6f6493a38f7edf3a73045b33eee5b27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5903388.exe

Filesize
524KB

MD5
b5d4fb3038bd4353aebc88205af5c636

SHA1
7287345d7294bdfe4020f4e1a2ca474e269d3759

SHA256
8696ea4057bb2e21acd183934dce83be876527de3faf8ec828f76debd7f5d7c6

SHA512
49e0f6592b9b1b5feaa28a2e220913254ba63c17d30fb4fab419e2923229205ab4c7ea61ef0ac735d585c117280472f6f6493a38f7edf3a73045b33eee5b27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4766783.exe

Filesize
351KB

MD5
4d2721303791a2cc0e2e3aad0eae967c

SHA1
a48c1024d64299564136458eeee9ac4c20acbc60

SHA256
7a4480bc46faa077031332e4b0b052f6a9349cbec8aa0b6936bbf6289127fe91

SHA512
1cdf1f15d0fddc7faed9e581f34e16bf8a4689d9c54326d3c7fc37909cf31b1d77524690ae90dc5c25332063be69adf1ebcc258c926a96248a260a16fac43bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4766783.exe

Filesize
351KB

MD5
4d2721303791a2cc0e2e3aad0eae967c

SHA1
a48c1024d64299564136458eeee9ac4c20acbc60

SHA256
7a4480bc46faa077031332e4b0b052f6a9349cbec8aa0b6936bbf6289127fe91

SHA512
1cdf1f15d0fddc7faed9e581f34e16bf8a4689d9c54326d3c7fc37909cf31b1d77524690ae90dc5c25332063be69adf1ebcc258c926a96248a260a16fac43bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l5755839.exe

Filesize
172KB

MD5
f46766362c5d293c48186b56aaff0d21

SHA1
c7df22e0821cfe7b96af4a186b2fe387d3b90df3

SHA256
39510c763015e86e155ec455719fa9eb1a85451ec5772195bc9812b190dc317b

SHA512
316814c96f920bcd8aea24d4725a8c43249eb7989d183f35c1597b07897d9e4b9a4103926e3d946c218bbaac329f3ecab37cce49e74392f19e6f9119d16ebf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l5755839.exe

Filesize
172KB

MD5
f46766362c5d293c48186b56aaff0d21

SHA1
c7df22e0821cfe7b96af4a186b2fe387d3b90df3

SHA256
39510c763015e86e155ec455719fa9eb1a85451ec5772195bc9812b190dc317b

SHA512
316814c96f920bcd8aea24d4725a8c43249eb7989d183f35c1597b07897d9e4b9a4103926e3d946c218bbaac329f3ecab37cce49e74392f19e6f9119d16ebf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l5755839.exe

Filesize
172KB

MD5
f46766362c5d293c48186b56aaff0d21

SHA1
c7df22e0821cfe7b96af4a186b2fe387d3b90df3

SHA256
39510c763015e86e155ec455719fa9eb1a85451ec5772195bc9812b190dc317b

SHA512
316814c96f920bcd8aea24d4725a8c43249eb7989d183f35c1597b07897d9e4b9a4103926e3d946c218bbaac329f3ecab37cce49e74392f19e6f9119d16ebf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y5808774.exe

Filesize
196KB

MD5
8b9c1c4e93b693181e6408b1f803b1cc

SHA1
6c74ea94981c9c36e968de8a46b00a8bd0ce4e92

SHA256
a89bcabf52b76ca971a781a37767fd6d0920ccd2298ad47404dcb2260c99cdfe

SHA512
e857f21ceef9a7a1012647f181db032f88e46c52cf1fb0f54ba4f0d271d7e67f266e018b2ad88f4a557c8d5de90800243f984bc0f996a6c48139754d7ea9ea4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y5808774.exe

Filesize
196KB

MD5
8b9c1c4e93b693181e6408b1f803b1cc

SHA1
6c74ea94981c9c36e968de8a46b00a8bd0ce4e92

SHA256
a89bcabf52b76ca971a781a37767fd6d0920ccd2298ad47404dcb2260c99cdfe

SHA512
e857f21ceef9a7a1012647f181db032f88e46c52cf1fb0f54ba4f0d271d7e67f266e018b2ad88f4a557c8d5de90800243f984bc0f996a6c48139754d7ea9ea4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j5023922.exe

Filesize
101KB

MD5
7b579da59a8ab11da5b6b63b819f9956

SHA1
5bce6dea7a9cbe18a5f22098286229f412594eec

SHA256
944eb5ee109a4ab398d1b246808f83254ff4100dc30a563ff7cea3eb95222426

SHA512
5f169e7dddd6646650eb91f3bb6b519bc0d0c03a95fb04d0656269a6e9a955f543575f2f05d706913a32d5368ddfd3263b5e033fdbf942deea80b8eaa7d54b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j5023922.exe

Filesize
101KB

MD5
7b579da59a8ab11da5b6b63b819f9956

SHA1
5bce6dea7a9cbe18a5f22098286229f412594eec

SHA256
944eb5ee109a4ab398d1b246808f83254ff4100dc30a563ff7cea3eb95222426

SHA512
5f169e7dddd6646650eb91f3bb6b519bc0d0c03a95fb04d0656269a6e9a955f543575f2f05d706913a32d5368ddfd3263b5e033fdbf942deea80b8eaa7d54b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k3626843.exe

Filesize
12KB

MD5
e3f66fef21fa2c33ecb7ee8b38167083

SHA1
6bea6eaa6c71590aacd5a56b2393f8f8dec7aad9

SHA256
d87bafa19ea183158a9651bfd9f5c0470d090809cad9016ab81ca87a98f09e43

SHA512
b3d5e22e6ec85c589982f1e3423bfbe610be32bd5063de49a00595224b403bf32ca530f7b5e70d3286bee837b690d1c781e4fe35b58738897fe3a10249c92cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k3626843.exe

Filesize
12KB

MD5
e3f66fef21fa2c33ecb7ee8b38167083

SHA1
6bea6eaa6c71590aacd5a56b2393f8f8dec7aad9

SHA256
d87bafa19ea183158a9651bfd9f5c0470d090809cad9016ab81ca87a98f09e43

SHA512
b3d5e22e6ec85c589982f1e3423bfbe610be32bd5063de49a00595224b403bf32ca530f7b5e70d3286bee837b690d1c781e4fe35b58738897fe3a10249c92cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k3626843.exe

Filesize
12KB

MD5
e3f66fef21fa2c33ecb7ee8b38167083

SHA1
6bea6eaa6c71590aacd5a56b2393f8f8dec7aad9

SHA256
d87bafa19ea183158a9651bfd9f5c0470d090809cad9016ab81ca87a98f09e43

SHA512
b3d5e22e6ec85c589982f1e3423bfbe610be32bd5063de49a00595224b403bf32ca530f7b5e70d3286bee837b690d1c781e4fe35b58738897fe3a10249c92cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
73bc64c893ede2084d4fdc76ab3c0e0c

SHA1
68f989f85916bba1d0ffb7708f1485374cf19bd6

SHA256
5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

SHA512
ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
73bc64c893ede2084d4fdc76ab3c0e0c

SHA1
68f989f85916bba1d0ffb7708f1485374cf19bd6

SHA256
5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

SHA512
ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
73bc64c893ede2084d4fdc76ab3c0e0c

SHA1
68f989f85916bba1d0ffb7708f1485374cf19bd6

SHA256
5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

SHA512
ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
73bc64c893ede2084d4fdc76ab3c0e0c

SHA1
68f989f85916bba1d0ffb7708f1485374cf19bd6

SHA256
5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

SHA512
ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
73bc64c893ede2084d4fdc76ab3c0e0c

SHA1
68f989f85916bba1d0ffb7708f1485374cf19bd6

SHA256
5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

SHA512
ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
73bc64c893ede2084d4fdc76ab3c0e0c

SHA1
68f989f85916bba1d0ffb7708f1485374cf19bd6

SHA256
5d6b96d3b89efb4f72865341c5ed484fab742a181face0eaf7d642e002eebb93

SHA512
ae803509c8041cc7a113fd02d8d4e263db4ca153fecea953163fa77ab41540d4665fa0ba878a52ba6f52aaf6e610b505d0e45896eaa2a41c29b5a951f4e2231d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1316-236-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1376-245-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/4072-254-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4072-253-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4432-233-0x000000000AB70000-0x000000000AB82000-memory.dmp

Filesize
72KB

Download
memory/4432-241-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4432-234-0x000000000ABD0000-0x000000000AC0C000-memory.dmp

Filesize
240KB

Download
memory/4432-248-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4432-228-0x000000000B170000-0x000000000B788000-memory.dmp

Filesize
6.1MB

Download
memory/4432-274-0x000000000B790000-0x000000000B806000-memory.dmp

Filesize
472KB

Download
memory/4432-275-0x000000000B810000-0x000000000B8A2000-memory.dmp

Filesize
584KB

Download
memory/4432-276-0x000000000BE60000-0x000000000C404000-memory.dmp

Filesize
5.6MB

Download
memory/4432-277-0x000000000B8B0000-0x000000000B916000-memory.dmp

Filesize
408KB

Download
memory/4432-232-0x000000000AC60000-0x000000000AD6A000-memory.dmp

Filesize
1.0MB

Download
memory/4432-183-0x0000000000CA0000-0x0000000000CD0000-memory.dmp

Filesize
192KB

Download