redline | d821f67cf00a3ffb8c9499e1f6c40ffccf7bdb9e971e3a87a5d4e915eb6830b4

General

Target

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
Size

2.6MB
MD5

55e393da1714013720ddf266c7906f43
SHA1

91a636913604184c010c2d9e0b331a804a2c0ab4
SHA256

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
SHA512

40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
SSDEEP

49152:VvONaX/Lpt/IvKfeF4tIDpdIA/gvCRtDKYZ8NfBcPQSqzULJgxl6Y4KB7KkP3C+Y:VGNajwvKfpyMdvCRNZZ8NJcPQSEU9Q6z

Score

10^/10

redline sectoprat xmrig tg discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

tg

C2

163.5.112.53:51523

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\b.exe	family_redline
behavioral1/memory/2828-22-0x0000000001060000-0x000000000107E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\b.exe	family_sectoprat
behavioral1/memory/2828-22-0x0000000001060000-0x000000000107E000-memory.dmp	family_sectoprat

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1992-240-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-241-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-243-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-244-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-245-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-246-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-247-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1992-249-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

a.exeb.exewfnmgjmvvtwt.exe

pid process

2660 a.exe
2828 b.exe
468
2968 wfnmgjmvvtwt.exe

pid	process
2660	a.exe
2828	b.exe
468
2968	wfnmgjmvvtwt.exe

Loads dropped DLL 4 IoCs

Processes:

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe

pid	process
1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
468

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1992-235-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-236-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-237-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-240-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-241-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1992-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.exea.exepowershell.exewfnmgjmvvtwt.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	a.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	wfnmgjmvvtwt.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

wfnmgjmvvtwt.exe

description	pid	process	target process
PID 2968 set thread context of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 set thread context of 1992	2968	wfnmgjmvvtwt.exe	conhost.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

320 sc.exe
2012 sc.exe
2508 sc.exe
2832 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
320	sc.exe
2012	sc.exe
2508	sc.exe
2832	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30922b6bf084da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeb.exea.exepowershell.exewfnmgjmvvtwt.exepowershell.execonhost.exe

pid	process
2972	powershell.exe
2804	powershell.exe
2828	b.exe
2828	b.exe
2660	a.exe
2392	powershell.exe
2660	a.exe
2660	a.exe
2660	a.exe
2660	a.exe
2660	a.exe
2968	wfnmgjmvvtwt.exe
3028	powershell.exe
2968	wfnmgjmvvtwt.exe
2968	wfnmgjmvvtwt.exe
2968	wfnmgjmvvtwt.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe
1992	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exeb.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2828	b.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeLockMemoryPrivilege	1992	conhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.execmd.exewfnmgjmvvtwt.execmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 2804	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2804	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2804	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2804	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2972	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2972	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2972	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2972	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 1256 wrote to memory of 2660	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 1256 wrote to memory of 2660	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 1256 wrote to memory of 2660	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 1256 wrote to memory of 2660	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 1256 wrote to memory of 2828	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 1256 wrote to memory of 2828	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 1256 wrote to memory of 2828	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 1256 wrote to memory of 2828	1256	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 3064 wrote to memory of 340	3064	cmd.exe	wusa.exe
PID 3064 wrote to memory of 340	3064	cmd.exe	wusa.exe
PID 3064 wrote to memory of 340	3064	cmd.exe	wusa.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 2640	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 1256 wrote to memory of 2480	1256	cmd.exe	wusa.exe
PID 1256 wrote to memory of 2480	1256	cmd.exe	wusa.exe
PID 1256 wrote to memory of 2480	1256	cmd.exe	wusa.exe
PID 2968 wrote to memory of 1992	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 1992	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 1992	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 1992	2968	wfnmgjmvvtwt.exe	conhost.exe
PID 2968 wrote to memory of 1992	2968	wfnmgjmvvtwt.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
"C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "TDFIYZSJ"
3⤵
- Launches sc.exe
PID:320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2012

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2832

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "TDFIYZSJ"
3⤵
- Launches sc.exe
PID:2508

C:\Users\Admin\AppData\Roaming\b.exe
"C:\Users\Admin\AppData\Roaming\b.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2480

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2640

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8666.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96C4.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96E9.tmp
Filesize
92KB

MD5
cecd507c6f492a99481169aee2953402

SHA1
92eb8f999e617fe6389d446f86c13da4345a3591

SHA256
861e59e3dd349b246bbdbfb17b8771899df01feb9439e60e3f38cf5c221cfeda

SHA512
e8a2bdfa874c0141e41766dd416675c931ac17e05cd8afaa4b729e9e2deef317aa8a1a848976fcedae4ab39c7b88db42c1205a7572b283fd4f97068bd5ec424c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
dabf7040c99173b15167b2deb3e8807b

SHA1
2fc77de10a7a770f601fad4d5876d7191467edb5

SHA256
6121555eaf82af4245cd4f7a6d0d2fc2e3ecc87ee736e4bcdd9e6c449fa73bdc

SHA512
7f00b50d2e722991238ef4ab33af27747971c1dce160d3b0047649e8a14e6fabd11f4b6f77d8ff26b39d338cb50efbc86d4ed90ffba70e3214bd6cbb1d45c2ce

Download Submit
C:\Users\Admin\AppData\Roaming\b.exe
Filesize
95KB

MD5
184ac479b3a878e9ac5535770ca34a2b

SHA1
1f99039911cc2cfd1a62ce348429ddd0f4435a60

SHA256
8e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c

SHA512
e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4

Download Submit
\Users\Admin\AppData\Roaming\a.exe
Filesize
2.5MB

MD5
6fd62e635b39a02ba8cac6fc124c9475

SHA1
e13080b9cc546e44a9f1c419ba86aeb190a14b2d

SHA256
78b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870

SHA512
e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc

Download Submit
memory/1992-242-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/1992-235-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-241-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-254-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/1992-250-0x0000000000860000-0x0000000000880000-memory.dmp

Filesize
128KB

Download
memory/1992-251-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/1992-253-0x0000000000860000-0x0000000000880000-memory.dmp

Filesize
128KB

Download
memory/1992-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-240-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-236-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1992-237-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2392-202-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2392-209-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2392-210-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2392-208-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2392-207-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2392-206-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2392-205-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2392-204-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2640-228-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2640-227-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2640-229-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2640-232-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2640-226-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2640-230-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2804-25-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2804-27-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-32-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2804-31-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-71-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-203-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-22-0x0000000001060000-0x000000000107E000-memory.dmp

Filesize
120KB

Download
memory/2828-23-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-252-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-223-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2972-24-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-26-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2972-33-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-28-0x00000000738E0000-0x0000000073E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-30-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2972-29-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/3028-217-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/3028-216-0x00000000199C0000-0x0000000019CA2000-memory.dmp

Filesize
2.9MB

Download
memory/3028-225-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-218-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-224-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/3028-219-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/3028-220-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-222-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/3028-221-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads