redline | 445d39df326616cbfd206707370348697ee1ad8ffb5ce1edc330afe9bf49266e

Analysis

max time kernel
146s
max time network
186s
platform
windows7_x64
resource
win7v20210408
submitted
03-06-2021 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe
Size

150KB
MD5

192157321ae17032b5edee8de07e0e86
SHA1

9252dbf16148b087129afb62a49dbbac278d19de
SHA256

445d39df326616cbfd206707370348697ee1ad8ffb5ce1edc330afe9bf49266e
SHA512

e995c6d0b1532d19dc2097adc1c18b61f0c547ba5db7be611957cabb9811dee779b250e339790bfae4af82366114416ac12533c3d929395a3b1fbcdf111e79ba

Score

10^/10

redline 1 1.1 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

brershrowal.xyz:80

Extracted

Family

redline

Botnet

1.1

brershrowal.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1588-111-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1588-112-0x0000000000416422-mapping.dmp	family_redline
behavioral1/memory/1588-114-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1164-120-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1164-121-0x0000000000416996-mapping.dmp	family_redline
behavioral1/memory/1164-123-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1948-104-0x00000000003C0000-0x00000000003C5000-memory.dmp	CustAttr

Executes dropped EXE 9 IoCs

Processes:

6976403.exe4498257.exe7907844.exe3370263.exeWinHoster.exe3370263.exe3370263.exe3370263.exe7907844.exe

pid process

892 6976403.exe
1104 4498257.exe
1948 7907844.exe
1744 3370263.exe
296 WinHoster.exe
720 3370263.exe
1152 3370263.exe
1588 3370263.exe
1164 7907844.exe
Loads dropped DLL 1 IoCs

Processes:

4498257.exe

pid process

1104 4498257.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
892	6976403.exe
1104	4498257.exe
1948	7907844.exe
1744	3370263.exe
296	WinHoster.exe
720	3370263.exe
1152	3370263.exe
1588	3370263.exe
1164	7907844.exe

pid	process
1104	4498257.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4498257.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	4498257.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

3370263.exe7907844.exe

description	pid	process	target process
PID 1744 set thread context of 1588	1744	3370263.exe	3370263.exe
PID 1948 set thread context of 1164	1948	7907844.exe	7907844.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

6976403.exe3370263.exe

pid process

892 6976403.exe
892 6976403.exe
1744 3370263.exe
1744 3370263.exe
1744 3370263.exe
1744 3370263.exe

pid	process
892	6976403.exe
892	6976403.exe
1744	3370263.exe
1744	3370263.exe
1744	3370263.exe
1744	3370263.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe7907844.exe3370263.exe6976403.exe3370263.exe7907844.exe

description	pid	process
Token: SeDebugPrivilege	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe
Token: SeDebugPrivilege	1948	7907844.exe
Token: SeDebugPrivilege	1744	3370263.exe
Token: SeDebugPrivilege	892	6976403.exe
Token: SeDebugPrivilege	1588	3370263.exe
Token: SeDebugPrivilege	1164	7907844.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe4498257.exe3370263.exe7907844.exe

description	pid	process	target process
PID 1940 wrote to memory of 892	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	6976403.exe
PID 1940 wrote to memory of 892	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	6976403.exe
PID 1940 wrote to memory of 892	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	6976403.exe
PID 1940 wrote to memory of 892	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	6976403.exe
PID 1940 wrote to memory of 1104	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	4498257.exe
PID 1940 wrote to memory of 1104	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	4498257.exe
PID 1940 wrote to memory of 1104	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	4498257.exe
PID 1940 wrote to memory of 1104	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	4498257.exe
PID 1940 wrote to memory of 1948	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	7907844.exe
PID 1940 wrote to memory of 1948	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	7907844.exe
PID 1940 wrote to memory of 1948	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	7907844.exe
PID 1940 wrote to memory of 1948	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	7907844.exe
PID 1940 wrote to memory of 1744	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	3370263.exe
PID 1940 wrote to memory of 1744	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	3370263.exe
PID 1940 wrote to memory of 1744	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	3370263.exe
PID 1940 wrote to memory of 1744	1940	SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe	3370263.exe
PID 1104 wrote to memory of 296	1104	4498257.exe	WinHoster.exe
PID 1104 wrote to memory of 296	1104	4498257.exe	WinHoster.exe
PID 1104 wrote to memory of 296	1104	4498257.exe	WinHoster.exe
PID 1104 wrote to memory of 296	1104	4498257.exe	WinHoster.exe
PID 1744 wrote to memory of 720	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 720	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 720	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 720	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1152	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1152	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1152	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1152	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1744 wrote to memory of 1588	1744	3370263.exe	3370263.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe
PID 1948 wrote to memory of 1164	1948	7907844.exe	7907844.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.6900.14762.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\6976403.exe
"C:\Users\Admin\AppData\Roaming\6976403.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Users\Admin\AppData\Roaming\4498257.exe
"C:\Users\Admin\AppData\Roaming\4498257.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:296

C:\Users\Admin\AppData\Roaming\7907844.exe
"C:\Users\Admin\AppData\Roaming\7907844.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\7907844.exe
"C:\Users\Admin\AppData\Roaming\7907844.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Roaming\3370263.exe
"C:\Users\Admin\AppData\Roaming\3370263.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\3370263.exe
"{path}"
3⤵
- Executes dropped EXE
PID:720

C:\Users\Admin\AppData\Roaming\3370263.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1152

C:\Users\Admin\AppData\Roaming\3370263.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3370263.exe
MD5
46dac919dc4d566cb7615d597622bcbb

SHA1
0b2c188c380881d95a7da40b7b0f3c4406ec14b9

SHA256
354529ad250b9ecebc4f7f3519c9579ce0714975aaf344133ea44bb8ae3ca9c3

SHA512
bdd501723f5904f513b1bf732954e4975510b26ca132ba423bb89702680a4e5dab2b32ae7f39e45316ff0f4893a8807fd3c5c2e539babe92a11a7cf1ab2cb9d0

Download Submit
C:\Users\Admin\AppData\Roaming\3370263.exe
MD5
46dac919dc4d566cb7615d597622bcbb

SHA1
0b2c188c380881d95a7da40b7b0f3c4406ec14b9

SHA256
354529ad250b9ecebc4f7f3519c9579ce0714975aaf344133ea44bb8ae3ca9c3

SHA512
bdd501723f5904f513b1bf732954e4975510b26ca132ba423bb89702680a4e5dab2b32ae7f39e45316ff0f4893a8807fd3c5c2e539babe92a11a7cf1ab2cb9d0

Download Submit
C:\Users\Admin\AppData\Roaming\3370263.exe
MD5
46dac919dc4d566cb7615d597622bcbb

SHA1
0b2c188c380881d95a7da40b7b0f3c4406ec14b9

SHA256
354529ad250b9ecebc4f7f3519c9579ce0714975aaf344133ea44bb8ae3ca9c3

SHA512
bdd501723f5904f513b1bf732954e4975510b26ca132ba423bb89702680a4e5dab2b32ae7f39e45316ff0f4893a8807fd3c5c2e539babe92a11a7cf1ab2cb9d0

Download Submit
C:\Users\Admin\AppData\Roaming\3370263.exe
MD5
46dac919dc4d566cb7615d597622bcbb

SHA1
0b2c188c380881d95a7da40b7b0f3c4406ec14b9

SHA256
354529ad250b9ecebc4f7f3519c9579ce0714975aaf344133ea44bb8ae3ca9c3

SHA512
bdd501723f5904f513b1bf732954e4975510b26ca132ba423bb89702680a4e5dab2b32ae7f39e45316ff0f4893a8807fd3c5c2e539babe92a11a7cf1ab2cb9d0

Download Submit
C:\Users\Admin\AppData\Roaming\3370263.exe
MD5
46dac919dc4d566cb7615d597622bcbb

SHA1
0b2c188c380881d95a7da40b7b0f3c4406ec14b9

SHA256
354529ad250b9ecebc4f7f3519c9579ce0714975aaf344133ea44bb8ae3ca9c3

SHA512
bdd501723f5904f513b1bf732954e4975510b26ca132ba423bb89702680a4e5dab2b32ae7f39e45316ff0f4893a8807fd3c5c2e539babe92a11a7cf1ab2cb9d0

Download Submit
C:\Users\Admin\AppData\Roaming\4498257.exe
MD5
bcc25c08b993d97de75b279b19a8f644

SHA1
9ad3d93428e52022f3822d4bf86a0b49dd9c7b02

SHA256
6ed857fe106b8c6c34fd36f6db3c6da4ff587943486fe385a4738ee42d70812c

SHA512
f2e947de4269e08f1da57972e0c2face5167cf274d82098a516867528fe49aaa4cc890b9deb467ff09186aad2e56bea07e04049994860d31d9dca2fbac6bbd44

Download Submit
C:\Users\Admin\AppData\Roaming\4498257.exe
MD5
bcc25c08b993d97de75b279b19a8f644

SHA1
9ad3d93428e52022f3822d4bf86a0b49dd9c7b02

SHA256
6ed857fe106b8c6c34fd36f6db3c6da4ff587943486fe385a4738ee42d70812c

SHA512
f2e947de4269e08f1da57972e0c2face5167cf274d82098a516867528fe49aaa4cc890b9deb467ff09186aad2e56bea07e04049994860d31d9dca2fbac6bbd44

Download Submit
C:\Users\Admin\AppData\Roaming\6976403.exe
MD5
3f48e2eb59704784a319c07823a8fa0c

SHA1
ac0cbbc501690f8c63764c7b290a3bae547aecf0

SHA256
988873a7d802ad3f44108076fc0a884728c132a5d0b6a13b5ca8d38aa4ff9a5d

SHA512
06ccae0c54dc1ed31ed4dd36d419b52901bb53d6b69d514368c66ef4c0681c97f143013bcb53ae71c1cd2a377f3b60e53b7158e5ef0128db4d770b91615cef25

Download Submit
C:\Users\Admin\AppData\Roaming\6976403.exe
MD5
3f48e2eb59704784a319c07823a8fa0c

SHA1
ac0cbbc501690f8c63764c7b290a3bae547aecf0

SHA256
988873a7d802ad3f44108076fc0a884728c132a5d0b6a13b5ca8d38aa4ff9a5d

SHA512
06ccae0c54dc1ed31ed4dd36d419b52901bb53d6b69d514368c66ef4c0681c97f143013bcb53ae71c1cd2a377f3b60e53b7158e5ef0128db4d770b91615cef25

Download Submit
C:\Users\Admin\AppData\Roaming\7907844.exe
MD5
394ca690794c0f1c8c2ad66fe07ff363

SHA1
1479db2400737bd68f25b6c7bfc97e218bd9a0be

SHA256
17ec3826bdcea7183593f707c00bcb455820f28f5075b91ed45292e6a1a4acfa

SHA512
cadede8d4c24303f6f6623c4f8604b6740209ecd7522b8d118b111e2ebbee8a41a7a7e0ae267faacf8b2e782027a1714e74c1ff016674b708b66b9f322301108

Download Submit
C:\Users\Admin\AppData\Roaming\7907844.exe
MD5
394ca690794c0f1c8c2ad66fe07ff363

SHA1
1479db2400737bd68f25b6c7bfc97e218bd9a0be

SHA256
17ec3826bdcea7183593f707c00bcb455820f28f5075b91ed45292e6a1a4acfa

SHA512
cadede8d4c24303f6f6623c4f8604b6740209ecd7522b8d118b111e2ebbee8a41a7a7e0ae267faacf8b2e782027a1714e74c1ff016674b708b66b9f322301108

Download Submit
C:\Users\Admin\AppData\Roaming\7907844.exe
MD5
394ca690794c0f1c8c2ad66fe07ff363

SHA1
1479db2400737bd68f25b6c7bfc97e218bd9a0be

SHA256
17ec3826bdcea7183593f707c00bcb455820f28f5075b91ed45292e6a1a4acfa

SHA512
cadede8d4c24303f6f6623c4f8604b6740209ecd7522b8d118b111e2ebbee8a41a7a7e0ae267faacf8b2e782027a1714e74c1ff016674b708b66b9f322301108

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
bcc25c08b993d97de75b279b19a8f644

SHA1
9ad3d93428e52022f3822d4bf86a0b49dd9c7b02

SHA256
6ed857fe106b8c6c34fd36f6db3c6da4ff587943486fe385a4738ee42d70812c

SHA512
f2e947de4269e08f1da57972e0c2face5167cf274d82098a516867528fe49aaa4cc890b9deb467ff09186aad2e56bea07e04049994860d31d9dca2fbac6bbd44

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
bcc25c08b993d97de75b279b19a8f644

SHA1
9ad3d93428e52022f3822d4bf86a0b49dd9c7b02

SHA256
6ed857fe106b8c6c34fd36f6db3c6da4ff587943486fe385a4738ee42d70812c

SHA512
f2e947de4269e08f1da57972e0c2face5167cf274d82098a516867528fe49aaa4cc890b9deb467ff09186aad2e56bea07e04049994860d31d9dca2fbac6bbd44

Download Submit
\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
bcc25c08b993d97de75b279b19a8f644

SHA1
9ad3d93428e52022f3822d4bf86a0b49dd9c7b02

SHA256
6ed857fe106b8c6c34fd36f6db3c6da4ff587943486fe385a4738ee42d70812c

SHA512
f2e947de4269e08f1da57972e0c2face5167cf274d82098a516867528fe49aaa4cc890b9deb467ff09186aad2e56bea07e04049994860d31d9dca2fbac6bbd44

Download Submit
memory/296-103-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/296-94-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/296-91-0x0000000000000000-mapping.dmp

Download
memory/892-70-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/892-81-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/892-63-0x0000000000000000-mapping.dmp

Download
memory/892-84-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/892-82-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/892-73-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1104-80-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/1104-69-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1104-74-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1104-83-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1104-66-0x0000000000000000-mapping.dmp

Download
memory/1164-123-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1164-125-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1164-121-0x0000000000416996-mapping.dmp

Download
memory/1164-120-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1588-116-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1588-114-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1588-112-0x0000000000416422-mapping.dmp

Download
memory/1588-111-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-105-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/1744-107-0x00000000051B0000-0x000000000521C000-memory.dmp

Filesize
432KB

Download
memory/1744-108-0x0000000000D40000-0x0000000000D5E000-memory.dmp

Filesize
120KB

Download
memory/1744-85-0x0000000000000000-mapping.dmp

Download
memory/1744-101-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1744-88-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1744-106-0x0000000000AE0000-0x0000000000B25000-memory.dmp

Filesize
276KB

Download
memory/1744-100-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1940-61-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/1940-62-0x000000001B010000-0x000000001B012000-memory.dmp

Filesize
8KB

Download
memory/1940-59-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1948-99-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/1948-118-0x0000000005650000-0x00000000056E9000-memory.dmp

Filesize
612KB

Download
memory/1948-119-0x0000000001140000-0x0000000001195000-memory.dmp

Filesize
340KB

Download
memory/1948-117-0x00000000052A0000-0x0000000005334000-memory.dmp

Filesize
592KB

Download
memory/1948-78-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/1948-102-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1948-75-0x0000000000000000-mapping.dmp

Download
memory/1948-104-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download