redline | d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39 | Triage

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 15:42 UTC

Sharing

Report Analysis Logs

General

Target

9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe
Size

479KB
MD5

869d623180dff73397b5f34058e106f2
SHA1

1af73065d328029ee3d82ddd8f625ad3a9d9bcff
SHA256

9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04
SHA512

bc8a1c93dea8662be47d3737435605efca351a80803e3b41f71da9914153eb0c320d572085e1b2671875951c3311634beae8002e984c1a69f7e98a7258c90498
SSDEEP

12288:NMrLy90WwlKPPzKp3NwVDYy0GqUI6TJ60b:Cy0eLqNwVDYBG7IuN

Score

10^/10

redline dimas evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3532406.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023419-53.dat	family_redline
behavioral14/memory/1872-55-0x0000000000D30000-0x0000000000D5A000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2556	y8339271.exe
2648	k3532406.exe
1872	l8874809.exe

Windows security modification 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3532406.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8339271.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	k3532406.exe
2648	k3532406.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	k3532406.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 2556	4416	9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe	83
PID 4416 wrote to memory of 2556	4416	9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe	83
PID 4416 wrote to memory of 2556	4416	9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe	83
PID 2556 wrote to memory of 2648	2556	y8339271.exe	84
PID 2556 wrote to memory of 2648	2556	y8339271.exe	84
PID 2556 wrote to memory of 2648	2556	y8339271.exe	84
PID 2556 wrote to memory of 1872	2556	y8339271.exe	92
PID 2556 wrote to memory of 1872	2556	y8339271.exe	92
PID 2556 wrote to memory of 1872	2556	y8339271.exe	92

C:\Users\Admin\AppData\Local\Temp\9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe
"C:\Users\Admin\AppData\Local\Temp\9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8339271.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8339271.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3532406.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3532406.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8874809.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8874809.exe
    3⤵
    - Executes dropped EXE
    PID:1872

Network

DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 64E04C526B514C59AAD875294D8EDB54 Ref B: LON04EDGE1115 Ref C: 2024-05-14T15:42:34Z
date: Tue, 14 May 2024 15:42:33 GMT
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=31AA3C07A1D66EC318702878A0F16F46; domain=.bing.com; expires=Sun, 08-Jun-2025 15:42:34 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ED5E5ABF88D34668A022E9DB338AD4DF Ref B: LON04EDGE0617 Ref C: 2024-05-14T15:42:34Z
date: Tue, 14 May 2024 15:42:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31AA3C07A1D66EC318702878A0F16F46

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=_tYi6L3d4069GiEDxJfNZoFwY03kiRQkpV6y7NGi5dk; domain=.bing.com; expires=Sun, 08-Jun-2025 15:42:34 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DEF0DD201C75436A91A03EE6E9F8B638 Ref B: LON04EDGE0617 Ref C: 2024-05-14T15:42:34Z
date: Tue, 14 May 2024 15:42:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31AA3C07A1D66EC318702878A0F16F46; MSPTC=_tYi6L3d4069GiEDxJfNZoFwY03kiRQkpV6y7NGi5dk

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 98414139D5BD4E3FBD8D22F0AA3F7FDF Ref B: LON04EDGE0617 Ref C: 2024-05-14T15:42:34Z
date: Tue, 14 May 2024 15:42:34 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.225:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=31AA3C07A1D66EC318702878A0F16F46; MSPTC=_tYi6L3d4069GiEDxJfNZoFwY03kiRQkpV6y7NGi5dk
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Tue, 14 May 2024 15:42:36 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.dd53dd58.1715701356.32791443
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

225.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.83.221.88.in-addr.arpa

IN PTR

Response

225.83.221.88.in-addr.arpa

IN PTR

a88-221-83-225deploystaticakamaitechnologiescom
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

31.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.121.18.2.in-addr.arpa

IN PTR

Response

31.121.18.2.in-addr.arpa

IN PTR

a2-18-121-31deploystaticakamaitechnologiescom
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

24.0kB
690.4kB
507
505

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204
88.221.83.225:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
6.4kB
17
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
185.161.248.75:4132

l8874809.exe

260 B
5
185.161.248.75:4132

l8874809.exe

260 B
5
185.161.248.75:4132

l8874809.exe

260 B
5
185.161.248.75:4132

l8874809.exe

260 B
5
185.161.248.75:4132

l8874809.exe

260 B
5
185.161.248.75:4132

l8874809.exe

52 B
1

8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

225.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

225.83.221.88.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

31.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

31.121.18.2.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8339271.exe

Filesize
307KB

MD5
a28b1e892c10ba5e054b20faf5519263

SHA1
d9988318cdfbb97edaa2712790cc35f3181ff7b4

SHA256
8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e

SHA512
fe5ef2074e8f98a066568c6ecd35bae22a556c41f5546820b1e078c0e1fe5458b15e422b9cc4c8459d307e50a0c28b9256c497f47a9fdf5e6aa6de2496c5f3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3532406.exe

Filesize
185KB

MD5
3e630811e041742e84b8ea3e59c277d1

SHA1
8a9c6d88e0d8ce0bd9e03658fa832d238a5eccd1

SHA256
960b92763e28e9b1ff62f7b8774351557c3abbf50adf9255ab5767b2851dd20b

SHA512
8d8c4d270f3c4ed32a0dbd0d07e5bd67c8cee508870a8b0a814b17e3c6255e9439054b62cde1d9b293ac50ab37fc10c63cdeccb33f65e6197fd5e7327432685e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8874809.exe

Filesize
145KB

MD5
8cbdb1bc227685c0b07cf0022188ca55

SHA1
db385aabb4a08bcabfcaba8606eb4ea20ab61609

SHA256
4d916a161e438b629309131ba9510f57158456d5484925161561089db28b227d

SHA512
3960c636f656a7e731d0215a9959adc9bad017cf9fe1b0a208da70155a694544a64744d7724ba534ac0fcd0b7208a99adde90b195fdde2ef19710258f95a47ea

Download Submit
memory/1872-60-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/1872-59-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/1872-58-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/1872-57-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/1872-56-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/1872-55-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/2648-41-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-33-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-27-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-49-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-47-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-46-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-43-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-21-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/2648-39-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-37-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-35-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-23-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-31-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-29-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-25-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-22-0x0000000004F60000-0x0000000004F77000-memory.dmp

Filesize
92KB

Download
memory/2648-51-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/2648-20-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/2648-19-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/2648-17-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/2648-18-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2648-16-0x0000000004970000-0x0000000004F14000-memory.dmp

Filesize
5.6MB

Download
memory/2648-15-0x00000000020C0000-0x00000000020DE000-memory.dmp

Filesize
120KB

Download
memory/2648-14-0x000000007400E000-0x000000007400F000-memory.dmp

Filesize
4KB

Download