redline | 4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Size

322KB
MD5

61c5a8e414a47b8cc2c69e1ac4370a35
SHA1

d6d66b31e7ebe3bd032a33fbe35fed2720fae964
SHA256

4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
SHA512

b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
SSDEEP

6144:l5B8DY9c80tk5koaMrtonT8nzkwHgDKFaz4cHgo2TW:rB8DY9yYhaODRgDKiHgo2a

Score

10^/10

redline diamotrix credential_access discovery execution infostealer persistence spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002356f-73.dat	family_redline
behavioral2/memory/3260-80-0x0000000000950000-0x00000000009A2000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	relog.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation	D7C3.tmp.svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
3260	D467.tmp.uIZtAux.exe
3128	D7C3.tmp.svchost.exe
756	2EAE.tmp.zbi.exe
2000	servisis.exe
3076	servisis.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023572-88.dat	upx
behavioral2/memory/3128-94-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/3128-108-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/2000-126-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/2000-127-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/3076-205-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_{9A03F4DD63A93441041814} = "C:\\Users\\Admin\\AppData\\Roaming\\{9A03F4DD63A93441041814}\\Service_{9A03F4DD63A93441041814}.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{9A03F4DD63A93441041814}\\{9A03F4DD63A93441041814}.exe"	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	relog.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 2520	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe	86

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4684	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D467.tmp.uIZtAux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D7C3.tmp.svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servisis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servisis.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3372	schtasks.exe
4828	schtasks.exe
3592	schtasks.exe
1352	schtasks.exe
1104	schtasks.exe
4124	schtasks.exe
3620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
3580	Explorer.EXE
3580	Explorer.EXE
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe
2520	relog.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeSecurityPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeTakeOwnershipPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeLoadDriverPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeSystemProfilePrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeSystemtimePrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeProfSingleProcessPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeIncBasePriorityPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeCreatePagefilePrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeBackupPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeRestorePrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeShutdownPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeDebugPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeSystemEnvironmentPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeRemoteShutdownPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeUndockPrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeManageVolumePrivilege	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: 33	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: 34	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: 35	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: 36	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe
Token: SeDebugPrivilege	2520	relog.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3580	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1352	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe	83
PID 4076 wrote to memory of 1352	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe	83
PID 4076 wrote to memory of 2520	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe	86
PID 4076 wrote to memory of 2520	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe	86
PID 4076 wrote to memory of 2520	4076	4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe	86
PID 2520 wrote to memory of 1104	2520	relog.exe	90
PID 2520 wrote to memory of 1104	2520	relog.exe	90
PID 2520 wrote to memory of 4124	2520	relog.exe	92
PID 2520 wrote to memory of 4124	2520	relog.exe	92
PID 2520 wrote to memory of 3620	2520	relog.exe	94
PID 2520 wrote to memory of 3620	2520	relog.exe	94
PID 2520 wrote to memory of 3372	2520	relog.exe	96
PID 2520 wrote to memory of 3372	2520	relog.exe	96
PID 2520 wrote to memory of 4828	2520	relog.exe	98
PID 2520 wrote to memory of 4828	2520	relog.exe	98
PID 2520 wrote to memory of 3580	2520	relog.exe	56
PID 2520 wrote to memory of 3580	2520	relog.exe	56
PID 3580 wrote to memory of 3260	3580	Explorer.EXE	100
PID 3580 wrote to memory of 3260	3580	Explorer.EXE	100
PID 3580 wrote to memory of 3260	3580	Explorer.EXE	100
PID 3580 wrote to memory of 3128	3580	Explorer.EXE	101
PID 3580 wrote to memory of 3128	3580	Explorer.EXE	101
PID 3580 wrote to memory of 3128	3580	Explorer.EXE	101
PID 3128 wrote to memory of 3592	3128	D7C3.tmp.svchost.exe	102
PID 3128 wrote to memory of 3592	3128	D7C3.tmp.svchost.exe	102
PID 3128 wrote to memory of 3592	3128	D7C3.tmp.svchost.exe	102
PID 3580 wrote to memory of 756	3580	Explorer.EXE	107
PID 3580 wrote to memory of 756	3580	Explorer.EXE	107
PID 756 wrote to memory of 4684	756	2EAE.tmp.zbi.exe	109
PID 756 wrote to memory of 4684	756	2EAE.tmp.zbi.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
  "C:\Users\Admin\AppData\Local\Temp\4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{9A03F4DD63A93441041814}\{9A03F4DD63A93441041814}.exe" /sc onstart /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1352
- - C:\Windows\system32\relog.exe
    C:\Windows\system32\relog.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "lKR2CVdWcH" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1104
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "lKR2CVdWcH" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4124
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "lKR2CVdWcH" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3620
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "lKR2CVdWcH" /tr "C:\Users\Admin\AppData\Roaming\Sun\Service_Sun.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3372
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "lKR2CVdWcH" /tr "C:\Users\Admin\AppData\Roaming\{9A03F4DD63A93441041814}\Service_{9A03F4DD63A93441041814}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4828
- C:\Users\Admin\AppData\Local\Temp\D467.tmp.uIZtAux.exe
  "C:\Users\Admin\AppData\Local\Temp\D467.tmp.uIZtAux.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3260
- C:\Users\Admin\AppData\Local\Temp\D7C3.tmp.svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\D7C3.tmp.svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3592
- C:\Users\Admin\AppData\Local\Temp\2EAE.tmp.zbi.exe
  "C:\Users\Admin\AppData\Local\Temp\2EAE.tmp.zbi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4684

C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000

C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EAE.tmp.zbi.exe

Filesize
5.2MB

MD5
0534ab10184891cd61d262bfd79b7b4c

SHA1
a13d37959a92bc37f4d3c42eb53d77cc760f448a

SHA256
191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b

SHA512
381af090cc87f2f2b8583c28a164f8f2e978c2bdffe3161d37fa30e38c5e026b90ae5f45dd13f9ded8ee207e4694abf2a58256deb8986ec11d802b7578f6be9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5xrgS2N0AWUUi6snmU8IUgOnU8zHg\screen1.png

Filesize
472KB

MD5
71abd59ae81e0e8482875b554fe04679

SHA1
440cedcf22040752931922671d6a922b1421ba36

SHA256
b62555a7c66aaea4c66509fe11cc73191b4c5b2659f2bff97ca69d6c0e3b733d

SHA512
25f05c3b9d96a35e0726d53d9f633d89b3bd1271fc6e35fc1111494df638b7a9d8ac290d79413ff9cc0dbebb6316a8831a411af19397400ec61c237ee4c562c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5xrgS2N0AWUUi6snmU8IUgOnU8zHg\sensitive-files.zip

Filesize
8.7MB

MD5
8c524d0f09e93645dfc196a17ba86dd0

SHA1
b7d9bb250f25f185618d311d8d032bd27f29e2ad

SHA256
9eac4a1e77a1c5331f33f59fdfef417d499a21bb66bbcc0a85792118448ad140

SHA512
9e7e3dd2157519aebc8063e987c4f8078862dc73dd9b64e3b43f29df596dc2109c53e2ccd716b87ab352fda2c0165ab8e9cd3e03273b19a9398232b789556955

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5xrgS2N0AWUUi6snmU8IUgOnU8zHg\user_info.txt

Filesize
721B

MD5
ce1f4e4679d9ff126dfc2160f5a9afb3

SHA1
bb8cf8eee1e2a8cc06dab047bd11c8b6b977c051

SHA256
99dd17276f31c20c7ed8a7be5ef538edfad98c83e136598b98d5b96b1b40a7a8

SHA512
21b87431a0b30a0fd6c7b0e7a40e6dcb3ca7d733177fc45d88646461378d940882aaf28bed4a481fdfc90fc39e478a21fd978f5b1448148dadb1830ebd6cddba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CreditCardData

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\D467.tmp.uIZtAux.exe

Filesize
300KB

MD5
8d14c4ba7260c61ecde30d97fd3c124a

SHA1
f60a7243a5160ff0dd60c37e1de43b81cead3549

SHA256
6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

SHA512
b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7C3.tmp.svchost.exe

Filesize
321KB

MD5
6ddd28445b8fc2485cb72f22d1adc936

SHA1
403c02d952120aafc6fb659a0ce0b99b1384442c

SHA256
d73a9c06d72b25fc9cc1d3883ba52ba949c91297d20f8cff37481d9b442a7ef7

SHA512
9abc68fab4c2a37f6cf07e2d1d7baccf26da411969b6dca4508776b9f57e3ed228dbc1a50e6dc4784791bdb86423d1f20c0f4d118c20d23951906a14ebd4682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\History

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aa2qqg3o.emn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe

Filesize
322KB

MD5
61c5a8e414a47b8cc2c69e1ac4370a35

SHA1
d6d66b31e7ebe3bd032a33fbe35fed2720fae964

SHA256
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b

SHA512
b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92

Download Submit
C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml

Filesize
1KB

MD5
2b29aa25ee90747f05e920706e4dfc4f

SHA1
2ec04aa0574178e5b5245362fdb5b1cfbf4ec637

SHA256
93e469a8135addc4822f19a7afb7d02baea8242626188ce3e2b039862fc67511

SHA512
2a3f6bda5c957eed82b5fdf39bb33d109c68e39a1e096c944bfe725f027757efa87bc44ea037f9baf47426d0335a12639ff67c626aec3fc1c5c430b2efbf44fb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1530b50aac226cd50815c69326517e51

SHA1
e97855298b61d8a5b6cf2450a990d5cbc40c6aa4

SHA256
1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3

SHA512
c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

Download Submit
memory/2000-127-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2000-126-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2520-105-0x00007FF60E4B0000-0x00007FF60E506000-memory.dmp

Filesize
344KB

Download
memory/2520-60-0x00007FF60E4B0000-0x00007FF60E506000-memory.dmp

Filesize
344KB

Download
memory/3076-205-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3128-94-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3128-108-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3260-82-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/3260-80-0x0000000000950000-0x00000000009A2000-memory.dmp

Filesize
328KB

Download
memory/3260-106-0x0000000007180000-0x0000000007342000-memory.dmp

Filesize
1.8MB

Download
memory/3260-107-0x0000000008070000-0x000000000859C000-memory.dmp

Filesize
5.2MB

Download
memory/3260-102-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/3260-101-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/3260-100-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/3260-99-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/3260-130-0x0000000001160000-0x00000000011B0000-memory.dmp

Filesize
320KB

Download
memory/3260-104-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3260-98-0x00000000063F0000-0x0000000006A08000-memory.dmp

Filesize
6.1MB

Download
memory/3260-83-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/3260-81-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/3580-66-0x0000000002930000-0x0000000002973000-memory.dmp

Filesize
268KB

Download
memory/3580-68-0x0000000002B40000-0x0000000002B97000-memory.dmp

Filesize
348KB

Download
memory/3580-63-0x00000000028D0000-0x00000000028E6000-memory.dmp

Filesize
88KB

Download
memory/4684-140-0x000001B774490000-0x000001B7744B2000-memory.dmp

Filesize
136KB

Download