redline | e7e514f3fb155d14eef5f4fda3f5bc483a82678a810683d931aeaad2c48326fb

General

Target

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
Size

1.8MB
MD5

d7e66880341b1a0e1bd53696b64e4833
SHA1

1609e5620c3a8151adc69ba3b058538597d77aa6
SHA256

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8
SHA512

67b34ef9fa7a1ade39b56250dba47853f4a900294dca053ade07f4f59168c520d127ca8809eb2356767444d323424da449493f57946f84ae1d1c9bdb1c20e64f
SSDEEP

49152:nTvC/MTQYxsWR7aqXHHJpGPn8z+uPQVpSfyYEpq:TjTQYxsWRRnTGP86pA9Ep

Score

10^/10

redline sectoprat aspackv2 credential_access discovery evasion infostealer rat stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4496-54-0x0000000001300000-0x00000000013A6000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4496-54-0x0000000001300000-0x00000000013A6000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

description pid process target process

PID 4248 created 3552 4248 07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe Explorer.EXE

description	pid	process	target process
PID 4248 created 3552	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	Explorer.EXE

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

jsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vIqBsbAy.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vIqBsbAy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	vIqBsbAy.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JvrOrxzllu.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JvrOrxzllu.url	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

vIqBsbAy.exe

pid process

3720 vIqBsbAy.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

50 pastebin.com
51 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

78 eth0.me

pid	process
3720	vIqBsbAy.exe

flow	ioc
50	pastebin.com
51	pastebin.com

flow	ioc
78	eth0.me

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4248-0-0x0000000000420000-0x00000000005EC000-memory.dmp	autoit_exe
behavioral2/memory/4248-52-0x0000000000420000-0x00000000005EC000-memory.dmp	autoit_exe
behavioral2/memory/4248-60-0x0000000000420000-0x00000000005EC000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

description	pid	process	target process
PID 4248 set thread context of 4496	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	jsc.exe

Drops file in Program Files directory 64 IoCs

Processes:

vIqBsbAy.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	vIqBsbAy.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	vIqBsbAy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exevIqBsbAy.execmd.execmd.exejsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vIqBsbAy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

pid	process
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jsc.exe

description pid process

Token: SeDebugPrivilege 4496 jsc.exe

description	pid	process
Token: SeDebugPrivilege	4496	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

pid	process
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

pid	process
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exevIqBsbAy.exe

description	pid	process	target process
PID 4248 wrote to memory of 3720	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	vIqBsbAy.exe
PID 4248 wrote to memory of 3720	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	vIqBsbAy.exe
PID 4248 wrote to memory of 3720	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	vIqBsbAy.exe
PID 4248 wrote to memory of 3464	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	cmd.exe
PID 4248 wrote to memory of 3464	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	cmd.exe
PID 4248 wrote to memory of 3464	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	cmd.exe
PID 3720 wrote to memory of 4296	3720	vIqBsbAy.exe	cmd.exe
PID 3720 wrote to memory of 4296	3720	vIqBsbAy.exe	cmd.exe
PID 3720 wrote to memory of 4296	3720	vIqBsbAy.exe	cmd.exe
PID 4248 wrote to memory of 4496	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	jsc.exe
PID 4248 wrote to memory of 4496	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	jsc.exe
PID 4248 wrote to memory of 4496	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	jsc.exe
PID 4248 wrote to memory of 4496	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	jsc.exe
PID 4248 wrote to memory of 4496	4248	07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe	jsc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe
"C:\Users\Admin\AppData\Local\Temp\07f970cff95e1ebcde588ad8808915376341e9f371f9c05a9873f942988b4ac8.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\vIqBsbAy.exe
C:\Users\Admin\AppData\Local\Temp\vIqBsbAy.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7eb972d0.bat" "
4⤵
- System Location Discovery: System Language Discovery
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JvrOrxzllu.url" & echo URL="C:\Users\Admin\AppData\Local\wPJRUnDpdb\hnlUmHd.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JvrOrxzllu.url"
2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\558308D1.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7eb972d0.bat

Filesize
191B

MD5
34164f179b938a2129b3b1fa5cf2987f

SHA1
c4c995125efe0d1e27a356771f52e1d8faf8f506

SHA256
96897b0de4667abcbe4c1f5a8e2b418fd240f8f5998201fecbb95d31cd46febc

SHA512
1dc23ea31b9c286ead4ba70c7387b2435159b731d86abb48170e8a3eac82ea6d7bc3422e1380ea08b1aa0b42e8d6dd5398e15229097b71c921b0b1cfe59dde61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIqBsbAy.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
memory/3720-5-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/3720-50-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/4248-0-0x0000000000420000-0x00000000005EC000-memory.dmp

Filesize
1.8MB

Download
memory/4248-52-0x0000000000420000-0x00000000005EC000-memory.dmp

Filesize
1.8MB

Download
memory/4248-53-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/4248-60-0x0000000000420000-0x00000000005EC000-memory.dmp

Filesize
1.8MB

Download
memory/4496-56-0x000000007350E000-0x000000007350F000-memory.dmp

Filesize
4KB

Download
memory/4496-57-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/4496-58-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/4496-59-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4496-54-0x0000000001300000-0x00000000013A6000-memory.dmp

Filesize
664KB

Download
memory/4496-61-0x000000007350E000-0x000000007350F000-memory.dmp

Filesize
4KB

Download
memory/4496-62-0x0000000007280000-0x0000000007442000-memory.dmp

Filesize
1.8MB

Download
memory/4496-63-0x00000000066B0000-0x0000000006726000-memory.dmp

Filesize
472KB

Download
memory/4496-64-0x0000000007980000-0x0000000007EAC000-memory.dmp

Filesize
5.2MB

Download
memory/4496-65-0x0000000007230000-0x000000000724E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads