redline | 10df04c2c19b07effef5a2b118ec099e6fb9d98a10e98ae2b6945fa4004dd444

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
Size

13.5MB
MD5

9f390e9ca00464a6f7e1ce321baceb22
SHA1

d5d813e0bad5c64cd95b23919eba1432778b7965
SHA256

255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7
SHA512

54b958487f40537c80374acb37d0cec27bb169fc5549768fb05a161de1a10546cea7c6be1d59df5fb615ed8285f0bf03f33203a1ec0a28fcc6694497e6a6ee2f
SSDEEP

393216:M1xsX4B8eD3F+oI9KtC9I5cfZLxsaZf4nT70mrsMYd:M1GI9FQmOfZLSP0Qc

Score

10^/10

redline 5350206221 discovery infostealer upx

Malware Config

Extracted

Family

redline

Botnet

5350206221

195.20.17.139:80

Attributes

auth_value
cf75908d75b4508135a38c8679c86f6e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2092-851-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/2092-848-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/2092-844-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/2092-841-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/2092-839-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline

Redline family
redline

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2684-146-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2116-857-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 2 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poxuipluspoxui.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poxuipluspoxui.exe	vbc.exe

Executes dropped EXE 13 IoCs

Processes:

nig1r21312312.exeanimecool.exenig1r21312312.exenig1r21312312.exeanimecool2.exenig1r21312312.exeanimecool2.exenig1r21312312.exepoxuipluspoxui.exenig1r21312312.exenig1r21312312.exeMisakaMikoto213213.execockcreator.exe

pid	process
2764	nig1r21312312.exe
2520	animecool.exe
2684	nig1r21312312.exe
1424	nig1r21312312.exe
2152	animecool2.exe
1296	nig1r21312312.exe
2168	animecool2.exe
2940	nig1r21312312.exe
440	poxuipluspoxui.exe
2184	nig1r21312312.exe
2116	nig1r21312312.exe
472	MisakaMikoto213213.exe
2636	cockcreator.exe

Loads dropped DLL 39 IoCs

Processes:

255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exenig1r21312312.exenig1r21312312.exeanimecool2.execmd.exenig1r21312312.execmd.exenig1r21312312.execmd.exeWerFault.exe

pid	process
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
2764	nig1r21312312.exe
2764	nig1r21312312.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
2684	nig1r21312312.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
2684	nig1r21312312.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
2152	animecool2.exe
1748	cmd.exe
1748	cmd.exe
1424	nig1r21312312.exe
1424	nig1r21312312.exe
804	cmd.exe
804	cmd.exe
2184	nig1r21312312.exe
2164	cmd.exe
2164	cmd.exe
2164	cmd.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 4 IoCs

Processes:

animecool2.exepoxuipluspoxui.exeanimecool.exeMisakaMikoto213213.exe

description	pid	process	target process
PID 2152 set thread context of 2168	2152	animecool2.exe	animecool2.exe
PID 440 set thread context of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 2520 set thread context of 2092	2520	animecool.exe	vbc.exe
PID 472 set thread context of 1608	472	MisakaMikoto213213.exe	vbc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/800-22-0x0000000003270000-0x000000000328C000-memory.dmp	upx
behavioral1/memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2684-146-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2116-857-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1864 2168 WerFault.exe animecool2.exe

pid	pid_target	process	target process
1864	2168	WerFault.exe	animecool2.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

nig1r21312312.exevbc.execmd.execmd.exevbc.exenig1r21312312.exenig1r21312312.exenig1r21312312.exepoxuipluspoxui.exevbc.exenig1r21312312.exenig1r21312312.exeMisakaMikoto213213.exeanimecool2.execmd.execmd.exeanimecool2.exeanimecool.exe255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exenig1r21312312.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poxuipluspoxui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MisakaMikoto213213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	animecool2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	animecool2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	animecool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nig1r21312312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1324 timeout.exe

pid	process
1324	timeout.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exenig1r21312312.exenig1r21312312.exenig1r21312312.exeanimecool2.execmd.exenig1r21312312.exenig1r21312312.execmd.exepoxuipluspoxui.exeanimecool.exe

description	pid	process	target process
PID 800 wrote to memory of 2764	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2764	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2764	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2764	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2684	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2684	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2684	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 2684	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 2764 wrote to memory of 2520	2764	nig1r21312312.exe	animecool.exe
PID 2764 wrote to memory of 2520	2764	nig1r21312312.exe	animecool.exe
PID 2764 wrote to memory of 2520	2764	nig1r21312312.exe	animecool.exe
PID 2764 wrote to memory of 2520	2764	nig1r21312312.exe	animecool.exe
PID 800 wrote to memory of 1424	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 1424	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 1424	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 800 wrote to memory of 1424	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	nig1r21312312.exe
PID 2684 wrote to memory of 2152	2684	nig1r21312312.exe	animecool2.exe
PID 2684 wrote to memory of 2152	2684	nig1r21312312.exe	animecool2.exe
PID 2684 wrote to memory of 2152	2684	nig1r21312312.exe	animecool2.exe
PID 2684 wrote to memory of 2152	2684	nig1r21312312.exe	animecool2.exe
PID 800 wrote to memory of 1296	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	conhost.exe
PID 800 wrote to memory of 1296	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	conhost.exe
PID 800 wrote to memory of 1296	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	conhost.exe
PID 800 wrote to memory of 1296	800	255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe	conhost.exe
PID 1296 wrote to memory of 1748	1296	nig1r21312312.exe	cmd.exe
PID 1296 wrote to memory of 1748	1296	nig1r21312312.exe	cmd.exe
PID 1296 wrote to memory of 1748	1296	nig1r21312312.exe	cmd.exe
PID 1296 wrote to memory of 1748	1296	nig1r21312312.exe	cmd.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 2152 wrote to memory of 2168	2152	animecool2.exe	animecool2.exe
PID 1748 wrote to memory of 2940	1748	cmd.exe	nig1r21312312.exe
PID 1748 wrote to memory of 2940	1748	cmd.exe	nig1r21312312.exe
PID 1748 wrote to memory of 2940	1748	cmd.exe	nig1r21312312.exe
PID 1748 wrote to memory of 2940	1748	cmd.exe	nig1r21312312.exe
PID 2940 wrote to memory of 1104	2940	nig1r21312312.exe	cmd.exe
PID 2940 wrote to memory of 1104	2940	nig1r21312312.exe	cmd.exe
PID 2940 wrote to memory of 1104	2940	nig1r21312312.exe	cmd.exe
PID 2940 wrote to memory of 1104	2940	nig1r21312312.exe	cmd.exe
PID 1424 wrote to memory of 440	1424	nig1r21312312.exe	poxuipluspoxui.exe
PID 1424 wrote to memory of 440	1424	nig1r21312312.exe	poxuipluspoxui.exe
PID 1424 wrote to memory of 440	1424	nig1r21312312.exe	poxuipluspoxui.exe
PID 1424 wrote to memory of 440	1424	nig1r21312312.exe	poxuipluspoxui.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 440 wrote to memory of 3044	440	poxuipluspoxui.exe	vbc.exe
PID 2520 wrote to memory of 2092	2520	animecool.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe
"C:\Users\Admin\AppData\Local\Temp\255cb2aeeac6f7dd8359b29b0fbbb02122683894e061b6b305684e396fef85a7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\animecool.exe
    C:\Users\Admin\AppData\Local\Temp\animecool.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2092
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\animecool2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\animecool2.exe
    C:\Users\Admin\AppData\Local\Temp\animecool2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\animecool2.exe
      "C:\Users\Admin\AppData\Local\Temp\animecool2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 540
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1864
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sdfsfs3wefdsfsdfsd.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:804
      - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide nig1r21312312.exe exec hide cock123123444.bat
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
        
        nig1r21312312.exe exec hide cock123123444.bat
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cock123123444.bat
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\MisakaMikoto213213.exe
        
        MisakaMikoto213213.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\cockcreator.exe
        
        cockcreator.exe
        9⤵
        Executes dropped EXE
        
        PID:2636
- C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
  "C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe" exec hide C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
      nig1r21312312.exe exec hide fds333333333333333.bat
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c fds333333333333333.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "909509221-12063172731543274349-2680547231818945852-18534767099415263921403144162"
1⤵
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fds333333333333333.bat

Filesize
55B

MD5
78d34993a3f671785ab9ad1097e6620e

SHA1
ff600ffda2d8661cba3f1352b6df9eeff39c3b10

SHA256
988bf35e06ed737cff745ce0b33df976634072586148fba37f8056b294c0404c

SHA512
d3491ca6825c5f0b9ed4d345cc7627a752b04ab5c1f638c9a921c7619e8c08029e4d56bf773012baa232d76964dc41af6d0f54712d5671b3bc9eabc10f710cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat

Filesize
64B

MD5
d930ae56d269e8cbf42a884838a1940f

SHA1
86b54cc38ea58a602a8418c256deac72ef7bda95

SHA256
4cab9b91745224c84bf43bd0702d6754f311f0a0c62669311d05038c3fc06d32

SHA512
db647a3a570981b5171d8b97c32ded9a01ec14dd96b79a483d794fa53c11373324a01e28565f67d27c89edace73435fe875f7462f52c57e207390adaec16ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
12B

MD5
9f89ead9681bd902bedf508772f61b46

SHA1
c49e5830eeb49e6559512ce7755d65c768c81bc0

SHA256
2337a99c58e3ef7525fcb04f2c9edf709b2073e8c9a079a24fbe5b4ebbd1c1d9

SHA512
d8c36b95be34d3e718af3ad041095bb53a19a9536b14950aad495c37f3f8fdfa7b734550602ddd4a913768208a4fa391c3cb719c1da2337b2002469eccac06d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
1KB

MD5
8518684e9b77a4f201a93a166fbeb741

SHA1
b54c5269b6452e7059d0311d6d880c4af3e770fd

SHA256
14e0a1c88a7b960ad2285dea9c899f27d35dcf345f04c5182b85bfd3025426d2

SHA512
a0fbb46d48dcb079f2dcb77da118e9df4de7695edce03db328dd53d1d942d40bf293b06f922c69e39773f60ed7f040e58364f53231f1e106c60d79c4173fa1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
1KB

MD5
cd6a978a74594ea357f0b813907666c6

SHA1
fcd0ba233ab35b964556922af1655d0fd5453cb6

SHA256
ffa053a3fe0509f1cfea1b490ba2b189382f3dcc6f66943940673be7867abd1e

SHA512
aaa11e488e6ce86db54f9e135d50cf30dcd3eb99bebe51caae3c990f8bfa692d9251e3fa87e2624b2af8ad43767cc314dc07e7770c08246a3e1a6ac936ab5816

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
1KB

MD5
ab9b9ade060025488c7e158628258442

SHA1
1fb160bd662e964e6186370748cf8503945b5808

SHA256
3d1a5044fb0ff1c8701a5117163ab75efd28c508f3ab4e089ccf7a84ed005512

SHA512
317b8ca2e7d87ffec817f154d189a7b091d3a19eb81f8757ee20e76e6256031f71a2a72e8a28f7284cbf695255ae4653a6b45bd497676cd8e03bcceac8560715

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
72B

MD5
198cfc200826223f06c3152d242ff647

SHA1
d74adddc0007a1a5b27fd0c2dfc0a2c76f791e33

SHA256
44f770ba4d30a361c303197d2d11dc37a2e39ed7c006e24a73dc796695071fd6

SHA512
12118af448af4766c8d2c6bc376d26408688e21ddcaed2c4df52b5eebf60f1a163af3e7fe0201dafc202f3403f178e37df6190f88b4a915a95aaa6ae919e063f

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
480B

MD5
2f5b4f86ff47f34daf33dc4dab1f06a4

SHA1
c0799dfe64fefdfc2315d585e4318ae8a9cae106

SHA256
8b2cc658f7d4509d9e05c0a70148182b9f3db1ec33b5affddafc09a8fd742f78

SHA512
3b21a05afaa6fc1ca68dd2c0e91d81a22e010d6c7a867306b9f753aab8811bc5b8962ba337f7cd876a8bf9ff0fb03361a4bb179dd0057ee737d7e0fbb260c84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
948B

MD5
74484bac64351dcfb8d8b8a177054a18

SHA1
84b0b3decb9124f50fcfc0e7e56008a0a2160956

SHA256
15e430ea4a47f7bdcd6680d136181f5ad8cb68f63b511cae48d8839090628cb9

SHA512
104d8776e6da1267738253f6104432dc1606a4c7ac00e81906916cc39fd6fa11f631c814063986cc8512ff2536227450fa425097b52a4e2afa379a9bff37b044

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
a513328c7340892495197f761a492784

SHA1
3203665a5f14341f36716bb9096186db1a95ebe4

SHA256
9f5c6c1de2cb4b97f3053a14285601a553cf2667a599eadf715f2fb048761308

SHA512
c3672a103952312af04a2e81dd1d730a0b30f33e82a82652e18b2302b6496ae36e1371e94e21b81126ec27b3fff5b02899fe8f51d592767c1795528f8ac34b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
264B

MD5
217e72c0c61116a7fc55153e212391b2

SHA1
3d659e2dc2169dfab245f75b755f667baeeabc37

SHA256
f9062ed3566b12940fc5ddb9b56cc935411c0566043fcdd959b535087337eba5

SHA512
b737874bbe2c97dd5340f30740ef53236321535e2f12bf8cbf6b22706e73b0c23e47230c2d72f63834a52599a58189bf4a61988375e66fff2c98d994c42094eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
1KB

MD5
0a93d571f78fb47e88a0f11c80554973

SHA1
e0f3c47b9ea2593749177bf8664a2fbbdfa3c65c

SHA256
a5df81fdeaea8edcb0ed8c838f5c44a44937904bee15840d9dd2211eb2422c14

SHA512
3e294eed9f5fa7b18d383850b4c9b3ea010023e2befae7b6dc1a186ad47bae343631a9eed874332dda595f8207f85b3b37e913a6336c9561db62b8240f3fc402

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
180B

MD5
1b6c7763999d347e9ea0b5d5d1b8f7c9

SHA1
e08fd85ba76b336e6f15e666c2e047f13bb25e29

SHA256
9b0d82a593b3848063ca005aaf08006c47e08e658e84c85f6f838cf42e31a40e

SHA512
db26cdda8428f14dc3f7a88900065025dd944a524a5cc18a4b8331e1ae2815564f0b2e2f6642b8b5ba1898bba76adcc1e4a6d5f9555f11e4e768f11f73d60d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
972B

MD5
7ea17629ec21fb7eafb7c386ea62cf15

SHA1
7d35312f2edd82af19b1a7d3d941177996cbcdfc

SHA256
01623ec9623df90615900ce2f06b52dadaad76a111d5765807cd864882b81b03

SHA512
227055edb0296a65df51811f340f59814ce270cc53f2f6843855c38529bc7f1de7538df55108335628aac93e4ca4a0d55ac8b6eaf11fa51f251240df0875b074

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
564B

MD5
f58e242cf8e8c9ad60cfd11d9c9fe843

SHA1
96c8ff0d96b2fdfbe083ee3c5feb1ecfd4c2adf3

SHA256
30ac6c218beece2d0791477cad9d1e1c091241d569d668b8a7334793244bbe8f

SHA512
dd10b88fcc3fc8390c2fce60fbaf53b03a2922a5dbb46ea113c0634df48023322725b3b89f63cbfac28058caa817d7864ef8019817dcd280c5a507a0f449dc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
888B

MD5
993be3fb01ab1917e1ab97357e2eb9d2

SHA1
f2e2f5b5e119ca0f6a3c84e16c47cdafc83b1ada

SHA256
ee3dbf79af0f5b47c898a08bba6f8a61e102fb37cdb388f4fbc2c26e2697b5bb

SHA512
e0646ebec02d79809744b4c04fd80bf7d584d26162fde745776c557cca44742092da11cea96d4840a0141a3656d030bf38d2566a97647905d461c85630a89398

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
972B

MD5
e3cd87d6fd1706c17b272a89369d3b66

SHA1
73baaf62d13d7602c5f61d3ed8fa25a3d52543c5

SHA256
12a7d803f99eb1f14722ff8013c03e8ee6c4d434fd4c244b0d3861109be563c1

SHA512
06a6a5f5b8e9986f8b81e7f46d5e9825d271305837cb4295cd64ce11552cd63d11a3f1d785c6f1367453b94237635f90e59094dafe1ea8085e95239987636dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
852B

MD5
5f8516f11d7f2644c07fd05814d23aca

SHA1
0bc918be38b3ec2a86fb6fffe5cf34fd11803d10

SHA256
91015a7cbe8851ad1230308069b45bba16f0841a2b4f9927ac83754a9182f565

SHA512
745398cadefc1249cb637ab614770410b250569f81a4293e2598fcacbffc62808c47c5143579312ed378e6f6b972c8f4d534b34ff39f4005cb2b40da9c4eb08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
792B

MD5
a7c932e57e63f2129e096ed62bea0911

SHA1
609f586fa0da34ab20bf898d5f3bc25943b260fe

SHA256
a93da60dd4bd648a2717e73775d3fe4a35b1457b530f96fbdad121d6348f0da3

SHA512
55f0bab648b99e048a12e6e6db0fbf49d5f053447ebfa90eac571a11584f6b6db3f37345ccd77b2711fb52b485054b7df6ca8ead3abc48ab22922e20839b3834

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
288B

MD5
78715975d79394a32621fe04c542a10e

SHA1
b54c592aecb367d0c4abd1f3b5e65f5f468f0192

SHA256
80366fc0453e26d5077e72cb2a2d89a82bc987c069f494e077bf5b7b2ef87da7

SHA512
47f471ad96049bc050e98b57a3264354820749964f82fc7dbfa134416e3ab1eca2082cda8044231f60e7faffdc4c639f144cd25a76ffdf731f4171c4603d388a

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
324B

MD5
38a60fa83b08aed33cdbb1e7fe39f83e

SHA1
6dde21b76e46212747f8efca475d57ace4203a3e

SHA256
d3cfdd3d271da74a3c7bd16e6cb5df778f6a7c2c109aa06f294d36029d90d85d

SHA512
56b9551126dfefc9decec9bbbe550b50625886e8b92a1b33f2d8ef62dfd7d9b6f3d0676677c3fdd6d53417f6df07dee017f0cb3453b773440502dca79060d58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
408B

MD5
b853e9cd9b6f6689d3d1688872e8fb0c

SHA1
bbcec701770c4663f09d8ff4ad12d421b6fc50f2

SHA256
3dd96f8fb0aea545003b2d59910f8e91bc9c189f57e270c94f32ff3bfd544328

SHA512
ef07d8f41e3e7217f2c16c544b070689127c19bae773e468bb35132ec4b5558cce6b67315e8863f75fa01f4f69a0b6910684ba9cb691e9d150f7e28a4778f001

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
396B

MD5
06941b4cd7c583606c35c3907f55c0a7

SHA1
a74740e6e68ca4698f17d1af9243008a7871b64f

SHA256
75026672282e953d4b9b1c15cfa60b650af0979d492202943efb07aafd319c22

SHA512
9b522c3807074b48dd99cfcd534b63ab779432f6f493f2e83da404e0d92ca1241a19a46894164c1b7fab0d72e86105f4efc1af1b9a069ced6f22ce3da8f9bc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
60B

MD5
5d3ccac8efb73de6f311ccf58e47d28d

SHA1
c13624206f0bae76ce67546a1cee876dbdddefda

SHA256
5559c1e6b80d9f25dbdeac47f265568571d093226fbdb7e0531dc9fcf8371a38

SHA512
7e6504d1055da68d0e37f72fe8d03069bdbf98157607177fa8406b294550d513a6a4584c2de87c09811a33ab3d1b9f0aaf265d75b43e1a250ab3035b04a8bc42

Download Submit
\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
1.8MB

MD5
96289e39f5ebfe7268735134d6ff1b98

SHA1
a84ea4b2f4ac506ccc1ab6d576c398685acc2a84

SHA256
2dd956b770de14caca1852de96886e69650cb22ca001cf3b8aa2362d9b40aa8c

SHA512
69edb2e6193561933ec7e13850af489b8ae917134e096d36d0e36f6156f28422bc39ffbc60e56e8332783fc0e10f7b8850fbe31d4560e0ee5ec3776b5d251ea0

Download Submit
memory/800-38-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-37-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-22-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-36-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-132-0x0000000003280000-0x000000000329C000-memory.dmp

Filesize
112KB

Download
memory/800-47-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-98-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-221-0x0000000003280000-0x000000000329C000-memory.dmp

Filesize
112KB

Download
memory/800-70-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/800-65-0x0000000003280000-0x000000000329C000-memory.dmp

Filesize
112KB

Download
memory/804-854-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/1608-1041-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1608-1032-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1608-1050-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1608-1034-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1608-1038-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/1608-1036-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/2092-851-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2092-848-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2092-852-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2092-835-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2092-839-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2092-837-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2092-841-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2092-843-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2092-844-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2116-857-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2168-263-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-272-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-267-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-275-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-261-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-271-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-269-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-265-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2684-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3044-814-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/3044-813-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-805-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/3044-818-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/3044-807-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/3044-809-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/3044-821-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/3044-811-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download