Analysis
  max time kernel:  127s
  max time network: 60s
  platform:         windows7_x64
  resource:         win7v20210408
  submitted:        21-04-2021 22:37
Tasks
  static1      static analysis of 41c114e52de616504df1cd4137de1ce8.exe
  behavioral1  41c114e52de616504df1cd4137de1ce8.exe on win7v20210408 (the signatures, process tree and dumps below come from this task)
  behavioral2  41c114e52de616504df1cd4137de1ce8.exe on win10v20210410
General
  Target: 41c114e52de616504df1cd4137de1ce8.exe
  Size:   187KB
  MD5:    41c114e52de616504df1cd4137de1ce8
  SHA1:   0579cc93cf8e6dd57e878da1f520499e4a77cf5a
  SHA256: 556c6ec49b714eb7bf9b3d816fd18a8962fb6be756224aa4cf8614e5bd7f0738
  SHA512: 4dd0a49f9e5481cb3d3644604e896bc338021968fbae72d426ec67643759b644cba0f4dac81c7c3fef9a05aeca58171f11d790dc5ef76797bbe99a2e57900634
Malware Config
  Extracted: redline  botnet 20_4_net  C2 Sthellete.xyz:80
  Extracted: redline  botnet tor1      C2 45.67.228.131:9603
  Extracted: redline  botnet sup       C2 23.83.133.165:12639
  Three separately configured RedLine builds were unpacked, matching the three processes that carry the family_redline memory hit below (PIDs 1052, 1608 and 1108); each build has its own botnet tag and C2 endpoint, so all three hosts belong on the block list, not just the first.
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (9 IoCs)
  YARA rule family_redline matched in these behavioral1 memory dumps:
  - behavioral1/memory/1052-124-0x0000000000400000-0x000000000041C000-memory.dmp
  - behavioral1/memory/1608-125-0x0000000000400000-0x000000000041C000-memory.dmp
  - behavioral1/memory/1608-127-0x0000000000416226-mapping.dmp
  - behavioral1/memory/1052-126-0x0000000000416232-mapping.dmp
  - behavioral1/memory/1052-129-0x0000000000400000-0x000000000041C000-memory.dmp
  - behavioral1/memory/1608-128-0x0000000000400000-0x000000000041C000-memory.dmp
  - behavioral1/memory/1108-151-0x0000000000400000-0x000000000041C000-memory.dmp
  - behavioral1/memory/1108-152-0x00000000004163CA-mapping.dmp
  - behavioral1/memory/1108-154-0x0000000000400000-0x000000000041C000-memory.dmp
  Every hit is the same 112KB image at 0x400000-0x41C000, seen in the three processes that are targets of a SetThreadContext call further down: the two AddInProcess32.exe instances (PIDs 1052 and 1608) and the second 6385361.exe (PID 1108). The -mapping.dmp entries carry the address inside that image (0x416226, 0x416232, 0x4163CA) recorded for the injected thread. The 0x400000-0x41C000 region of those three PIDs is therefore the place to dump for the unpacked RedLine binary.
Executes dropped EXE (8 IoCs)
  - 336   7493316.exe
  - 560   5512506.exe
  - 1644  5202194.exe
  - 424   6385361.exe
  - 616   2386482.exe
  - 2044  619950.exe
  - 1016  Windows Host.exe
  - 1108  6385361.exe

Loads dropped DLL (7 IoCs)
  - 560   5512506.exe   (2 loads)
  - 1132  WerFault.exe  (5 loads)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
  - 5512506.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\ProgramData\Windows Host\Windows Host.exe"
  This is the sample's persistence: 5512506.exe copies itself to C:\ProgramData\Windows Host\Windows Host.exe (identical hashes, see Downloads) and registers that copy under the user's Run key. The value lives under the user hive (HKCU), not HKLM, so it fires at that account's logon only and needs no elevation to write.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of SetThreadContext (3 IoCs)
  - PID 1644  5202194.exe  set thread context of 1052  AddInProcess32.exe
  - PID 616   2386482.exe  set thread context of 1608  AddInProcess32.exe
  - PID 424   6385361.exe  set thread context of 1108  6385361.exe
  Two of the dropped stages start the .NET Framework's AddInProcess32.exe (a signed Microsoft binary that rarely runs on its own) and one re-launches its own image with the literal command line "{path}"; each target then receives the 112KB image flagged as family_redline, which together with the nine WriteProcessMemory calls per pair below is consistent with process hollowing rather than ordinary process creation.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text calls this "likely ransomware behaviour", but for a RedLine sample drive enumeration belongs to the stealer's host fingerprinting; nothing in this report shows file encryption.
Program crash (1 IoC)
  - 1132  WerFault.exe  crash handler for 336  7493316.exe
Modifies system certificate store (16 IoCs)
  Processes: 5202194.exe, 2386482.exe, 7493316.exe, 619950.exe
  - 5202194.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <value not preserved in this copy>
  - 2386482.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  - 7493316.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <value not preserved in this copy>
  - 619950.exe   Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  - 2386482.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  - 2386482.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (full hex value on the lines that follow; the writing process and the next entries, a second full-blob write of the same key by 5202194.exe and one by 7493316.exe, run on inline as recorded)
1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3490f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f0474
30723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 2386482.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753
616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 5202194.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 7493316.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  (Key created, by 7493316.exe; entry continued from the line above)
  - 619950.exe   Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <value not preserved in this copy>
  - 5202194.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  - 5202194.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <value not preserved in this copy>
  - 5202194.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  - 2386482.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <value not preserved in this copy>
  - 2386482.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <value not preserved in this copy>
  - 619950.exe   Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <value not preserved in this copy>

  Both key names are thumbprints of public root CAs. D1EB23A46D17D68FD92564C2F1F1601764D8E349 is Comodo's "AAA Certificate Services": the DER reproduced in full above decodes to subject C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services, valid 2004-01-01 to 2028-12-31, CRL at http://crl.comodoca.com/AAACertificateServices.crl. DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is "DST Root CA X3". The blob is a serialised CryptoAPI property list (SHA-1 hash, friendly name "C·O·M·O·D·O", key identifier, EKU, then the certificate itself under property 0x20). Writes of well-known roots into AuthRoot\Certificates are exactly what Windows' automatic root update produces when a process first builds a chain to a root the image does not yet hold, so on this Windows 7 VM they are most plausibly a side-effect of the droppers' HTTPS traffic rather than deliberate tampering with the trust store. Before treating this signature as an IoC, verify that the embedded certificate really is the one the key name claims and that the thumbprint is in the Microsoft Trusted Root Program; a root that is not is the actual finding.
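As an added example, not part of the sandbox output: the script below parses the serialised property stream these Blob values use and cross-checks the SHA-1 of the embedded certificate against the registry key name and the stored hash property, which is the quick way to confirm that an AuthRoot write holds the certificate its key name claims. The property-ID names are taken from wincrypt.h; the sample blob is constructed inside the script (its friendly-name bytes are copied from the blob in the report, its certificate is a stand-in DER SEQUENCE rather than a real certificate). Feed `check_authroot_entry` the key name and the full hex from the entries above to check the real write.

```python
import hashlib
import struct

# CryptoAPI property identifiers (wincrypt.h CERT_*_PROP_ID) seen in the serialised
# Blob values written under SystemCertificates\AuthRoot\Certificates.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def parse_blob(blob_hex):
    """Split a serialised certificate blob into (prop_id, data) pairs.

    Each property is: DWORD prop_id, DWORD reserved (always 1), DWORD cbData,
    then cbData bytes; all little-endian, as in the 'Blob = <hex>' IoCs above.
    """
    buf = bytes.fromhex(blob_hex)
    off, props = 0, []
    while off < len(buf):
        if len(buf) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, cb = struct.unpack_from("<III", buf, off)
        off += 12
        if reserved != 1 or off + cb > len(buf):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props.append((prop_id, buf[off:off + cb]))
        off += cb
    return props


def check_authroot_entry(key_name, blob_hex):
    """Cross-check one AuthRoot IoC: SHA-1 of the embedded DER certificate must equal
    both the registry key name and the stored CERT_SHA1_HASH property."""
    props = parse_blob(blob_hex)
    by_id = dict(props)
    der = by_id.get(32)
    if der is None:
        raise ValueError("blob carries no CERT_CERT_PROP_ID (32) certificate")
    thumb = hashlib.sha1(der).hexdigest().upper()
    stored = by_id[3].hex().upper() if 3 in by_id else None
    friendly = by_id[11].decode("utf-16-le").rstrip("\x00") if 11 in by_id else None
    return {
        "thumbprint": thumb,
        "key_matches": thumb == key_name.upper(),
        "stored_hash_matches": stored == thumb,
        "der_is_sequence": der[:1] == b"\x30",   # DER certificates start with SEQUENCE
        "friendly_name": friendly,
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p, _ in props],
    }


def build_blob(props):
    """Serialise (prop_id, data) pairs back into blob hex; used only to build the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in props).hex()


# Constructed sample. The friendly-name bytes are the ones in the report's blob
# (UTF-16LE "C·O·M·O·D·O"); the certificate is a stand-in SEQUENCE { INTEGER 5 },
# not a real certificate, so its thumbprint is whatever SHA-1 of those bytes is.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_BLOB = build_blob([
    (11, bytes.fromhex("4300b7004f00b7004d00b7004f00b7004400b7004f000000")),
    (3, hashlib.sha1(SAMPLE_DER).digest()),
    (32, SAMPLE_DER),
])


def sample_consistent():
    """Key name derived from the stand-in certificate: everything lines up."""
    return check_authroot_entry(hashlib.sha1(SAMPLE_DER).hexdigest(), SAMPLE_BLOB)


def sample_mismatch():
    """The AAA Certificate Services key name from the report against the stand-in blob."""
    return check_authroot_entry("D1EB23A46D17D68FD92564C2F1F1601764D8E349", SAMPLE_BLOB)


if __name__ == "__main__":
    print(sample_consistent())
    print(sample_mismatch())
```

A blob whose stored hash, key name and certificate disagree, or whose property 0x20 is not a DER SEQUENCE, is worth a closer look; a consistent blob for a thumbprint in the Microsoft Trusted Root Program is the automatic root update doing its job.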
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  - 2044  619950.exe
  - 336   7493316.exe         (2)
  - 1132  WerFault.exe        (6)
  - 1608  AddInProcess32.exe
  - 1052  AddInProcess32.exe
  - 1108  6385361.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - 1132  WerFault.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  All nine enable SeDebugPrivilege:
  - 484   41c114e52de616504df1cd4137de1ce8.exe
  - 1644  5202194.exe
  - 616   2386482.exe
  - 336   7493316.exe
  - 2044  619950.exe
  - 1132  WerFault.exe
  - 1608  AddInProcess32.exe
  - 1052  AddInProcess32.exe
  - 1108  6385361.exe

Suspicious use of WriteProcessMemory (59 IoCs)
  Collapsed by writer -> target, with the number of writes logged for each pair:
  - 484   41c114e52de616504df1cd4137de1ce8.exe -> 336   7493316.exe         (4)
  - 484   41c114e52de616504df1cd4137de1ce8.exe -> 560   5512506.exe         (4)
  - 484   41c114e52de616504df1cd4137de1ce8.exe -> 1644  5202194.exe         (4)
  - 484   41c114e52de616504df1cd4137de1ce8.exe -> 424   6385361.exe         (4)
  - 484   41c114e52de616504df1cd4137de1ce8.exe -> 616   2386482.exe         (4)
  - 484   41c114e52de616504df1cd4137de1ce8.exe -> 2044  619950.exe          (4)
  - 560   5512506.exe                          -> 1016  Windows Host.exe    (4)
  - 1644  5202194.exe                          -> 1052  AddInProcess32.exe  (9)
  - 616   2386482.exe                          -> 1608  AddInProcess32.exe  (9)
  - 336   7493316.exe                          -> 1132  WerFault.exe        (4)
  - 424   6385361.exe                          -> 1108  6385361.exe         (9)
  Four writes per pair is what this sandbox logs for an ordinary process start (the root sample's six children and the WerFault launch all show it). The three pairs that also appear under SetThreadContext show nine, the extra writes being consistent with the payload image being placed into the suspended child before its thread is redirected.
Processes (behavioral1; PIDs taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\41c114e52de616504df1cd4137de1ce8.exe  [PID 484]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\41c114e52de616504df1cd4137de1ce8.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\7493316.exe  [PID 336]
    cmdline: "C:\ProgramData\7493316.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  [PID 1132]
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1716
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\5512506.exe  [PID 560]
    cmdline: "C:\ProgramData\5512506.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\Windows Host\Windows Host.exe  [PID 1016]
      cmdline: "C:\ProgramData\Windows Host\Windows Host.exe"
      - Executes dropped EXE

  C:\ProgramData\5202194.exe  [PID 1644]
    cmdline: "C:\ProgramData\5202194.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  [PID 1052]
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\6385361.exe  [PID 424]
    cmdline: "C:\ProgramData\6385361.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\6385361.exe  [PID 1108]
      cmdline: "{path}"  (recorded literally; the re-launched copy is the one that carries the RedLine image)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\2386482.exe  [PID 616]
    cmdline: "C:\ProgramData\2386482.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  [PID 1608]
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\619950.exe  [PID 2044]
    cmdline: "C:\ProgramData\619950.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
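An added example, not part of the sandbox output: the rules below turn what the process tree and the Run-key IoC above show into reusable checks over process-creation and registry events, so the same pattern (dropped stages run from the ProgramData root, a .NET Framework host started by something that is not a Microsoft or Program Files binary, and a Run value pointing into a user-writable directory) can be hunted for in telemetry. The event records are constructed from this report's process tree; the type/pid/ppid/image field names are an assumption for the example and not the sandbox's schema, and the WINWORD.EXE/AddInProcess32.exe pair at the end is an invented benign control showing that a .NET host with a trusted parent is not flagged.

```python
import ntpath

# .NET Framework host binaries commonly chosen as hollowing targets (this report: AddInProcess32.exe).
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Parent image locations treated as legitimate for those hosts (case-insensitive prefix match).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations an unprivileged user can write to; a Run value pointing there is suspect.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")

# Constructed event records modelled on the process tree above (field names are an
# assumption for this example, not the sandbox's own schema).
EVENTS = [
    {"type": "process", "pid": 484,  "ppid": 1,    "image": r"C:\Users\Admin\AppData\Local\Temp\41c114e52de616504df1cd4137de1ce8.exe"},
    {"type": "process", "pid": 336,  "ppid": 484,  "image": r"C:\ProgramData\7493316.exe"},
    {"type": "process", "pid": 1132, "ppid": 336,  "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"type": "process", "pid": 560,  "ppid": 484,  "image": r"C:\ProgramData\5512506.exe"},
    {"type": "process", "pid": 1016, "ppid": 560,  "image": r"C:\ProgramData\Windows Host\Windows Host.exe"},
    {"type": "process", "pid": 1644, "ppid": 484,  "image": r"C:\ProgramData\5202194.exe"},
    {"type": "process", "pid": 1052, "ppid": 1644, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
    {"type": "process", "pid": 424,  "ppid": 484,  "image": r"C:\ProgramData\6385361.exe"},
    {"type": "process", "pid": 1108, "ppid": 424,  "image": r"C:\ProgramData\6385361.exe"},
    {"type": "process", "pid": 616,  "ppid": 484,  "image": r"C:\ProgramData\2386482.exe"},
    {"type": "process", "pid": 1608, "ppid": 616,  "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
    {"type": "process", "pid": 2044, "ppid": 484,  "image": r"C:\ProgramData\619950.exe"},
    {"type": "registry", "pid": 560,
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host",
     "value": r"C:\ProgramData\Windows Host\Windows Host.exe"},
    # Invented benign control: the add-in host started by an Office binary under Program Files.
    {"type": "process", "pid": 1999, "ppid": 1,    "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 2000, "ppid": 1999, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
]


def hunt(events):
    """Return (rule, pid, detail) findings for the three behaviours this report shows."""
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = ntpath.basename(e["image"]).lower()
            parent = image_of.get(e["ppid"], "")
            # Rule 1: a .NET host whose parent is not a Windows/Program Files binary (hollowing target).
            if name in DOTNET_HOSTS and not parent.lower().startswith(TRUSTED_PARENT_DIRS):
                findings.append(("dotnet_host_untrusted_parent", e["pid"],
                                 f"{name} started by {parent or 'unknown parent'}"))
            # Rule 2: an executable run straight out of the ProgramData root (the dropped stages).
            if ntpath.dirname(e["image"]).lower() == "c:\\programdata" and name.endswith(".exe"):
                findings.append(("exe_in_programdata_root", e["pid"], e["image"]))
        elif e["type"] == "registry":
            # Rule 3: a Run value whose target lives in a user-writable directory (the persistence).
            if "\\currentversion\\run\\" in e["key"].lower() and e["value"].lower().startswith(USER_WRITABLE):
                findings.append(("run_key_user_writable_target", e["pid"], e["value"]))
    return findings


def sample_findings():
    """Run the rules over the constructed events above."""
    return hunt(EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in sample_findings():
        print(f"{rule:30} pid={pid:<5} {detail}")
```

Rule 1 does not catch PID 1108, which is hollowed by its own image rather than by a .NET host; that case is covered by rule 2 here, and in real telemetry by a self-spawn of an executable from a user-writable path combined with the memory writes shown above.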
Downloads
  Each dropped file is listed once. The sandbox recorded most of them twice, and 7493316.exe and Windows Host.exe additionally under the drive-less path \ProgramData\..., always with identical hashes.

C:\ProgramData\2386482.exe
  MD5     ba369b7fb0f0a293fb08d2c1ba3e1594
  SHA1    814fd4e2db519e07cf4e70d68289164c82fddc56
  SHA256  ee2c4a9912ea0d6aaa7451da03e30904318cbccfd70f1ec83727cf2ea6b5b6cb
  SHA512  ac418f360b0b6243aeb61c27d62b395b8cb9c8cd1488c345af62575ad2c3cced8f96d70720c5650acb71ce886a9463894c4d9fed0e9f722da498136e8a72f787

C:\ProgramData\5202194.exe
  MD5     9854ca00ad1b2075d74bf30d2c76977d
  SHA1    380e032d03252462c997bfe2269653d45d5a4e0d
  SHA256  20c15773122e08a5b82c0cdc8ec9ce25b67f672b14f2dfa1a2d4125854e79775
  SHA512  1ece7bf9e43aae4a1aad995660e253ddea691e15dd9d1a585db8b51e06001b094236edf49fb8fa15cc66789107c98f69c4c3e4f1e833fdd2e14660b1719bc475

C:\ProgramData\5512506.exe  (same file as C:\ProgramData\Windows Host\Windows Host.exe below)
  MD5     afb7dc87e6208b5747af8e7ab95f28bf
  SHA1    af2e35b042efcc0c47d31e1747baca34e24a68c1
  SHA256  a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1
  SHA512  8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0

C:\ProgramData\619950.exe
  MD5     1dbb51d5ec8804cc1308b77b04a229b8
  SHA1    91f4da1d2df24f674d3d5f69701fe271bf98a336
  SHA256  56c0531f03a74cc126dce5b73b05492218bb527cfe2a9b9187e123617b89bffe
  SHA512  63a80b5e5f992dceeccb691f6bd0ab8214f8ae11835e63bc071c4ede39cf01c9ac82b6395dcebd150a6074918e40e5894ea23e78deb7d5ef7929a86b096604ca

C:\ProgramData\6385361.exe
  MD5     c2b6d1d75ba91acc3f25c06870b343f1
  SHA1    da261bb52507fb6a603be05190fac3a2ffec8ea9
  SHA256  f96bb87342a24dfdcce5db4fb1c06a4d4fcdf727b3e3c649a56bf20c0996cd2f
  SHA512  3764a2e5bfb9b93969433edaee2164ff112868314a63a2c34fceda89a0472ee03ae1aa37ac9b5ab9b714b326da9811b64ee44df69a852bab2e985e835a97495c

C:\ProgramData\7187
  MD5     ef64f9930e6d75985a8017651361a979
  SHA1    14950364623a2e9ccdd6b9cab8929a89c0ca058f
  SHA256  745fb5cdb7785a916e2e2d28bffae4a3cad7e2e8e467c74c7dfb768c6900ef35
  SHA512  51d33a64f48f5e836c7921852b000ea9b439bc66e8acea7dd5d8a431a6a32470e2e1d7d9d74bdcfcf2f67261de300859960e01cf3beba42f155d30b4af60223b

C:\ProgramData\71\freebl3.dll
  MD5     ef2834ac4ee7d6724f255beaf527e635
  SHA1    5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
  SHA256  a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
  SHA512  c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

C:\ProgramData\71\mozglue.dll
  MD5     8f73c08a9660691143661bf7332c3c27
  SHA1    37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\ProgramData\71\msvcp140.dll
  MD5     109f0f02fd37c84bfc7508d4227d7ed5
  SHA1    ef7420141bb15ac334d3964082361a460bfdb975
  SHA256  334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512  46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\ProgramData\71\nss3.dll
  MD5     bfac4e3c5908856ba17d41edcd455a51
  SHA1    8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

C:\ProgramData\71\softokn3.dll
  MD5     a2ee53de9167bf0d6c019303b7ca84e5
  SHA1    2a3c737fa1157e8483815e98b666408a18c0db42
  SHA256  43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
  SHA512  45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

C:\ProgramData\71\sqlite3.dll
  MD5     e477a96c8f2b18d6b5c27bde49c990bf
  SHA1    e980c9bf41330d1e5bd04556db4646a0210f7409
  SHA256  16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
  SHA512  335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

C:\ProgramData\71\vcruntime140.dll
  MD5     7587bf9cb4147022cd5681b015183046
  SHA1    f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256  c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512  0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

  The C:\ProgramData\71\ set is not malware by itself: freebl3.dll, mozglue.dll, nss3.dll and softokn3.dll are Mozilla's NSS libraries, sqlite3.dll is the SQLite engine and msvcp140.dll/vcruntime140.dll the MSVC runtime they depend on. Stealers drop exactly this bundle so they can open Firefox's key4.db/logins.json and decrypt the stored passwords outside the browser, which is consistent with the "Reads user/profile data of web browsers" signature above. Hash-match them against the shipping Firefox and VC++ redistributable copies rather than adding them to a block list.

C:\ProgramData\7493316.exe  (also recorded as \ProgramData\7493316.exe)
  MD5     9dee976b0c93a6c26b45e98506cedaa1
  SHA1    4bd929747e3d3017db86c4b2b606e4c47e7009d5
  SHA256  05fd1c0d49f43fd26ac3cbdb5f0486fd0a88381330bd77d9ed935b4e0ab6ccb2
  SHA512  1c915c861ae67bf493fd53125dbcdf56220474769a23af1c41cb448db84493d77b08adfb34f84f1125585d7e771b24906e9057cc3712114c7c527ee1eb444956

C:\ProgramData\Windows Host\Windows Host.exe  (also recorded as \ProgramData\Windows Host\Windows Host.exe; identical to 5512506.exe)
  MD5     afb7dc87e6208b5747af8e7ab95f28bf
  SHA1    af2e35b042efcc0c47d31e1747baca34e24a68c1
  SHA256  a58c95de92eefb42ccff366ae9381c638d425673bd2860256b8263ef7a5609f1
  SHA512  8448cbcdcc35ee0676a709e01ab0f87c6e11a1718b767f7f220ed559c0f30867b7cb8f82a9d0c3b3279cf00c35619189edac265e724d83811f49e2bea7daa1d0
Memory dumps (behavioral1)
  Names are memory/<pid>-<seq>-<start>-<end>-memory.dmp with the region size, or memory/<pid>-<seq>-<address>-mapping.dmp for a recorded mapping address. Grouped by process.

PID 336 (7493316.exe)
  memory/336-88-0x0000000000360000-0x0000000000361000-memory.dmp    4KB
  memory/336-119-0x0000000004840000-0x0000000004841000-memory.dmp   4KB
  memory/336-65-0x0000000000000000-mapping.dmp
  memory/336-83-0x0000000000320000-0x0000000000352000-memory.dmp    200KB
  memory/336-80-0x00000000001E0000-0x00000000001E1000-memory.dmp    4KB
  memory/336-71-0x0000000000C20000-0x0000000000C21000-memory.dmp    4KB

PID 424 (6385361.exe)
  memory/424-85-0x0000000000000000-mapping.dmp
  memory/424-150-0x0000000000930000-0x000000000097B000-memory.dmp   300KB
  memory/424-149-0x0000000008260000-0x00000000082F9000-memory.dmp   612KB
  memory/424-89-0x00000000012C0000-0x00000000012C1000-memory.dmp    4KB
  memory/424-134-0x00000000004C0000-0x00000000004C5000-memory.dmp   20KB
  memory/424-117-0x0000000000580000-0x0000000000581000-memory.dmp   4KB

PID 484 (41c114e52de616504df1cd4137de1ce8.exe)
  memory/484-59-0x0000000000EE0000-0x0000000000EE1000-memory.dmp    4KB
  memory/484-61-0x0000000000440000-0x0000000000441000-memory.dmp    4KB
  memory/484-62-0x0000000000680000-0x00000000006A1000-memory.dmp    132KB
  memory/484-63-0x0000000000450000-0x0000000000451000-memory.dmp    4KB
  memory/484-64-0x0000000000920000-0x0000000000922000-memory.dmp    8KB

PID 560 (5512506.exe)
  memory/560-72-0x00000000003C0000-0x00000000003C1000-memory.dmp    4KB
  memory/560-82-0x0000000000540000-0x0000000000552000-memory.dmp    72KB
  memory/560-84-0x00000000003F0000-0x00000000003F1000-memory.dmp    4KB
  memory/560-81-0x00000000003A0000-0x00000000003A1000-memory.dmp    4KB
  memory/560-68-0x0000000000000000-mapping.dmp
  memory/560-91-0x0000000000350000-0x0000000000351000-memory.dmp    4KB

PID 616 (2386482.exe)
  memory/616-92-0x0000000000000000-mapping.dmp
  memory/616-96-0x0000000000CB0000-0x0000000000CB1000-memory.dmp    4KB
  memory/616-118-0x0000000004390000-0x0000000004391000-memory.dmp   4KB
  memory/616-98-0x0000000075AD1000-0x0000000075AD3000-memory.dmp    8KB

PID 1016 (Windows Host.exe)
  memory/1016-121-0x0000000004AA0000-0x0000000004AA1000-memory.dmp  4KB
  memory/1016-109-0x0000000000AF0000-0x0000000000AF1000-memory.dmp  4KB
  memory/1016-103-0x0000000000000000-mapping.dmp

PID 1052 (AddInProcess32.exe, RedLine payload)
  memory/1052-129-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/1052-124-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/1052-133-0x0000000004B60000-0x0000000004B61000-memory.dmp  4KB
  memory/1052-126-0x0000000000416232-mapping.dmp

PID 1108 (6385361.exe, RedLine payload)
  memory/1108-151-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/1108-152-0x00000000004163CA-mapping.dmp
  memory/1108-154-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/1108-156-0x0000000004E30000-0x0000000004E31000-memory.dmp  4KB

PID 1132 (WerFault.exe)
  memory/1132-148-0x0000000000B60000-0x0000000000B8E000-memory.dmp  184KB
  memory/1132-142-0x0000000000000000-mapping.dmp

PID 1608 (AddInProcess32.exe, RedLine payload)
  memory/1608-125-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/1608-127-0x0000000000416226-mapping.dmp
  memory/1608-128-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/1608-132-0x0000000004D20000-0x0000000004D21000-memory.dmp  4KB

PID 1644 (5202194.exe)
  memory/1644-93-0x0000000004A90000-0x0000000004A91000-memory.dmp   4KB
  memory/1644-78-0x0000000000190000-0x0000000000191000-memory.dmp   4KB
  memory/1644-74-0x0000000000000000-mapping.dmp

PID 2044 (619950.exe)
  memory/2044-106-0x0000000001020000-0x0000000001021000-memory.dmp  4KB
  memory/2044-120-0x00000000049F0000-0x00000000049F1000-memory.dmp  4KB
  memory/2044-111-0x0000000000460000-0x0000000000461000-memory.dmp  4KB
  memory/2044-100-0x0000000000000000-mapping.dmp
  memory/2044-115-0x0000000000480000-0x00000000004BB000-memory.dmp  236KB
  memory/2044-116-0x00000000005C0000-0x00000000005C1000-memory.dmp  4KB