redline | 916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1

Analysis

max time kernel
148s
max time network
118s
platform
windows10_x64
resource
win10-en-20211104
submitted
21-11-2021 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
Size

27KB
MD5

32c5d0e883cee334d6a8a59838b9c455
SHA1

fe2e414d8bee2f4b04c6e92e03a83d34a58ccf5f
SHA256

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1
SHA512

9466da69ead216b99cd91de0fe25208a47d32900657c2ca4263c187e5207a0669affbbfd964ab6511d4818bdb303de5812b72986535eaf1c94255042c16371f4

Score

10^/10

redline proliv discovery infostealer spyware stealer vmprotect

Malware Config

Extracted

Family

redline

Botnet

proliv

116.202.110.68:48426

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3668-124-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/3668-125-0x0000000000418F06-mapping.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

microme.execlipper.exeMicrosoftMediaPlayer.exesihost32.exe

pid process

1432 microme.exe
1104 clipper.exe
904 MicrosoftMediaPlayer.exe
1780 sihost32.exe

pid	process
1432	microme.exe
1104	clipper.exe
904	MicrosoftMediaPlayer.exe
1780	sihost32.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\microme.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\microme.exe	vmprotect
behavioral1/memory/1432-154-0x0000000000400000-0x0000000000FC0000-memory.dmp	vmprotect
C:\Users\Admin\MicrosoftMediaPlayer.exe	vmprotect
C:\Users\Admin\MicrosoftMediaPlayer.exe	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe

pid	process
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe

description	pid	process	target process
PID 2628 set thread context of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

416 2628 WerFault.exe 916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

376 schtasks.exe

pid	pid_target	process	target process
416	2628	WerFault.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe

pid	process
376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exeWerFault.exe916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exemicrome.execonhost.exepowershell.exepowershell.exeMicrosoftMediaPlayer.execonhost.exepowershell.exepowershell.exe

pid	process
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
1432	microme.exe
1432	microme.exe
1752	conhost.exe
3368	powershell.exe
3368	powershell.exe
3368	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
904	MicrosoftMediaPlayer.exe
904	MicrosoftMediaPlayer.exe
1784	conhost.exe
1784	conhost.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exeWerFault.exe916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
Token: SeRestorePrivilege	416	WerFault.exe
Token: SeBackupPrivilege	416	WerFault.exe
Token: SeDebugPrivilege	416	WerFault.exe
Token: SeDebugPrivilege	3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
Token: SeDebugPrivilege	1752	conhost.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeIncreaseQuotaPrivilege	3368	powershell.exe
Token: SeSecurityPrivilege	3368	powershell.exe
Token: SeTakeOwnershipPrivilege	3368	powershell.exe
Token: SeLoadDriverPrivilege	3368	powershell.exe
Token: SeSystemProfilePrivilege	3368	powershell.exe
Token: SeSystemtimePrivilege	3368	powershell.exe
Token: SeProfSingleProcessPrivilege	3368	powershell.exe
Token: SeIncBasePriorityPrivilege	3368	powershell.exe
Token: SeCreatePagefilePrivilege	3368	powershell.exe
Token: SeBackupPrivilege	3368	powershell.exe
Token: SeRestorePrivilege	3368	powershell.exe
Token: SeShutdownPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeSystemEnvironmentPrivilege	3368	powershell.exe
Token: SeRemoteShutdownPrivilege	3368	powershell.exe
Token: SeUndockPrivilege	3368	powershell.exe
Token: SeManageVolumePrivilege	3368	powershell.exe
Token: 33	3368	powershell.exe
Token: 34	3368	powershell.exe
Token: 35	3368	powershell.exe
Token: 36	3368	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeIncreaseQuotaPrivilege	3688	powershell.exe
Token: SeSecurityPrivilege	3688	powershell.exe
Token: SeTakeOwnershipPrivilege	3688	powershell.exe
Token: SeLoadDriverPrivilege	3688	powershell.exe
Token: SeSystemProfilePrivilege	3688	powershell.exe
Token: SeSystemtimePrivilege	3688	powershell.exe
Token: SeProfSingleProcessPrivilege	3688	powershell.exe
Token: SeIncBasePriorityPrivilege	3688	powershell.exe
Token: SeCreatePagefilePrivilege	3688	powershell.exe
Token: SeBackupPrivilege	3688	powershell.exe
Token: SeRestorePrivilege	3688	powershell.exe
Token: SeShutdownPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeSystemEnvironmentPrivilege	3688	powershell.exe
Token: SeRemoteShutdownPrivilege	3688	powershell.exe
Token: SeUndockPrivilege	3688	powershell.exe
Token: SeManageVolumePrivilege	3688	powershell.exe
Token: 33	3688	powershell.exe
Token: 34	3688	powershell.exe
Token: 35	3688	powershell.exe
Token: 36	3688	powershell.exe
Token: SeDebugPrivilege	1784	conhost.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeIncreaseQuotaPrivilege	1332	powershell.exe
Token: SeSecurityPrivilege	1332	powershell.exe
Token: SeTakeOwnershipPrivilege	1332	powershell.exe
Token: SeLoadDriverPrivilege	1332	powershell.exe
Token: SeSystemProfilePrivilege	1332	powershell.exe
Token: SeSystemtimePrivilege	1332	powershell.exe
Token: SeProfSingleProcessPrivilege	1332	powershell.exe
Token: SeIncBasePriorityPrivilege	1332	powershell.exe
Token: SeCreatePagefilePrivilege	1332	powershell.exe
Token: SeBackupPrivilege	1332	powershell.exe
Token: SeRestorePrivilege	1332	powershell.exe
Token: SeShutdownPrivilege	1332	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exemicrome.execonhost.execmd.execmd.execmd.exeMicrosoftMediaPlayer.execonhost.execmd.exesihost32.exe

description	pid	process	target process
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 2628 wrote to memory of 3668	2628	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
PID 3668 wrote to memory of 1432	3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	microme.exe
PID 3668 wrote to memory of 1432	3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	microme.exe
PID 3668 wrote to memory of 1104	3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	clipper.exe
PID 3668 wrote to memory of 1104	3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	clipper.exe
PID 3668 wrote to memory of 1104	3668	916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe	clipper.exe
PID 1432 wrote to memory of 1752	1432	microme.exe	conhost.exe
PID 1432 wrote to memory of 1752	1432	microme.exe	conhost.exe
PID 1432 wrote to memory of 1752	1432	microme.exe	conhost.exe
PID 1752 wrote to memory of 2116	1752	conhost.exe	cmd.exe
PID 1752 wrote to memory of 2116	1752	conhost.exe	cmd.exe
PID 2116 wrote to memory of 3368	2116	cmd.exe	powershell.exe
PID 2116 wrote to memory of 3368	2116	cmd.exe	powershell.exe
PID 1752 wrote to memory of 3272	1752	conhost.exe	cmd.exe
PID 1752 wrote to memory of 3272	1752	conhost.exe	cmd.exe
PID 3272 wrote to memory of 376	3272	cmd.exe	schtasks.exe
PID 3272 wrote to memory of 376	3272	cmd.exe	schtasks.exe
PID 2116 wrote to memory of 3688	2116	cmd.exe	powershell.exe
PID 2116 wrote to memory of 3688	2116	cmd.exe	powershell.exe
PID 1752 wrote to memory of 792	1752	conhost.exe	cmd.exe
PID 1752 wrote to memory of 792	1752	conhost.exe	cmd.exe
PID 792 wrote to memory of 904	792	cmd.exe	MicrosoftMediaPlayer.exe
PID 792 wrote to memory of 904	792	cmd.exe	MicrosoftMediaPlayer.exe
PID 904 wrote to memory of 1784	904	MicrosoftMediaPlayer.exe	conhost.exe
PID 904 wrote to memory of 1784	904	MicrosoftMediaPlayer.exe	conhost.exe
PID 904 wrote to memory of 1784	904	MicrosoftMediaPlayer.exe	conhost.exe
PID 1784 wrote to memory of 2456	1784	conhost.exe	cmd.exe
PID 1784 wrote to memory of 2456	1784	conhost.exe	cmd.exe
PID 2456 wrote to memory of 1332	2456	cmd.exe	powershell.exe
PID 2456 wrote to memory of 1332	2456	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1780	1784	conhost.exe	sihost32.exe
PID 1784 wrote to memory of 1780	1784	conhost.exe	sihost32.exe
PID 2456 wrote to memory of 1192	2456	cmd.exe	powershell.exe
PID 2456 wrote to memory of 1192	2456	cmd.exe	powershell.exe
PID 1780 wrote to memory of 3356	1780	sihost32.exe	conhost.exe
PID 1780 wrote to memory of 3356	1780	sihost32.exe	conhost.exe
PID 1780 wrote to memory of 3356	1780	sihost32.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
"C:\Users\Admin\AppData\Local\Temp\916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe
"C:\Users\Admin\AppData\Local\Temp\916eab0f33683c4bbf663caf71a052eb0c51e8560eefa72ae41e206d9f0a58e1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\microme.exe
"C:\Users\Admin\AppData\Local\Temp\microme.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\microme.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftMediaPlayer" /tr "C:\Users\Admin\MicrosoftMediaPlayer.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftMediaPlayer" /tr "C:\Users\Admin\MicrosoftMediaPlayer.exe"
6⤵
- Creates scheduled task(s)
PID:376

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\MicrosoftMediaPlayer.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\MicrosoftMediaPlayer.exe
C:\Users\Admin\MicrosoftMediaPlayer.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\MicrosoftMediaPlayer.exe"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
9⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\clipper.exe
"C:\Users\Admin\AppData\Local\Temp\clipper.exe"
3⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1752
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6d3dce32a99fb29afd428a9c4c61dfaf

SHA1
8bc00b2f6897a5058f6b87820bbd6cd35f76f852

SHA256
d7c78656fd588c39ab08790ca6c8be32b1d7e015444b6861f5df37a25c8fd4b5

SHA512
9555dec97426394c7fb1a15febf4819ed9a4cd97b83b68e34305e9451fe31a708b8c044097e78fc1772d04a0b05c42dfe30abf45a1ce5eeeb2b872005e7683dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ce55a76304125074b5a73696b07e64d6

SHA1
733db36ae0bbd6c0aef9028b5e416f16d4b6bcf3

SHA256
8dd320f34becd1f470afc48596dc93a0c9cea0c9c237948257507e6fbb1eef16

SHA512
61f1e303653bfce1952d350536484ce9bd03c3910f1008687a5662bdf651c0f80926f34006a81d45049e0d906819924b2657e996f981b34f56595b0896612dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
74203278f2a541ab32c39656b7ea339f

SHA1
a9931916f2001f1417ea9033885579790a16fc7e

SHA256
f06e86107b22d0a4af27e1ab51906aa1db0f7842f932221772367be50f3a9cb7

SHA512
aeb9e659a2e1f05132664e9e83385dd7f83a6598b4310d728be676d5e800afff3a4d7fc8e5c6e4b7a5f4bf284c0b57e73237f79c2d796b06fd7d39f5b5f521a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\clipper.exe
MD5
75287b5959402296afe1b1b14f1307e1

SHA1
786bfcce19a18ff6dcf09e9e6e614c74b2623440

SHA256
dba108252db090c47ad8717102277c3b2a05ebf11fdab3458130a3ca811f6731

SHA512
cef8ebe8e521876663c5f5530d9b46f5a9c3bbccf36c3c73234e8a458f9d9be2eb163d5c1f77ef5baca71cab375d68a41b1216926780cb51efa44b7bf3d689c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\clipper.exe
MD5
75287b5959402296afe1b1b14f1307e1

SHA1
786bfcce19a18ff6dcf09e9e6e614c74b2623440

SHA256
dba108252db090c47ad8717102277c3b2a05ebf11fdab3458130a3ca811f6731

SHA512
cef8ebe8e521876663c5f5530d9b46f5a9c3bbccf36c3c73234e8a458f9d9be2eb163d5c1f77ef5baca71cab375d68a41b1216926780cb51efa44b7bf3d689c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\microme.exe
MD5
f323d367f38a8dee2e7c429a4e39fbda

SHA1
0f54fade53c3f9294a92b3a996d5c749d308523f

SHA256
db726c8066daffb27d0717f2b0026dadcb7417a8e56bb3d0efbc6a7bb80f0978

SHA512
d3c4f7d2d8860432963364396a1a745e784fdbf0abca0c6883dc69efe02f12145576d5dc2d5da55cfe2bd8aec603577df52f1eafe7e717c0567e40e7e1dde622

Download Submit
C:\Users\Admin\AppData\Local\Temp\microme.exe
MD5
f323d367f38a8dee2e7c429a4e39fbda

SHA1
0f54fade53c3f9294a92b3a996d5c749d308523f

SHA256
db726c8066daffb27d0717f2b0026dadcb7417a8e56bb3d0efbc6a7bb80f0978

SHA512
d3c4f7d2d8860432963364396a1a745e784fdbf0abca0c6883dc69efe02f12145576d5dc2d5da55cfe2bd8aec603577df52f1eafe7e717c0567e40e7e1dde622

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
db28679ac125e802886f2ae9f102c9f5

SHA1
37335339a09fb991f664ffdcd735be643508e22c

SHA256
76a15e433ed4a6aa7bc6b0dff7e7dda21f6bdd5c1b5e333ae919fcdb92b86495

SHA512
ee35170d955a0e46711ab8ee76c5c0c0d8c98756863a812ed5941c7f2777f1d5d171f45e5399ca7c3be06e38fc2045d3730f392daf3efdd8564dadd8976cb332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
db28679ac125e802886f2ae9f102c9f5

SHA1
37335339a09fb991f664ffdcd735be643508e22c

SHA256
76a15e433ed4a6aa7bc6b0dff7e7dda21f6bdd5c1b5e333ae919fcdb92b86495

SHA512
ee35170d955a0e46711ab8ee76c5c0c0d8c98756863a812ed5941c7f2777f1d5d171f45e5399ca7c3be06e38fc2045d3730f392daf3efdd8564dadd8976cb332

Download Submit
C:\Users\Admin\MicrosoftMediaPlayer.exe
MD5
f323d367f38a8dee2e7c429a4e39fbda

SHA1
0f54fade53c3f9294a92b3a996d5c749d308523f

SHA256
db726c8066daffb27d0717f2b0026dadcb7417a8e56bb3d0efbc6a7bb80f0978

SHA512
d3c4f7d2d8860432963364396a1a745e784fdbf0abca0c6883dc69efe02f12145576d5dc2d5da55cfe2bd8aec603577df52f1eafe7e717c0567e40e7e1dde622

Download Submit
C:\Users\Admin\MicrosoftMediaPlayer.exe
MD5
f323d367f38a8dee2e7c429a4e39fbda

SHA1
0f54fade53c3f9294a92b3a996d5c749d308523f

SHA256
db726c8066daffb27d0717f2b0026dadcb7417a8e56bb3d0efbc6a7bb80f0978

SHA512
d3c4f7d2d8860432963364396a1a745e784fdbf0abca0c6883dc69efe02f12145576d5dc2d5da55cfe2bd8aec603577df52f1eafe7e717c0567e40e7e1dde622

Download Submit
memory/376-176-0x0000000000000000-mapping.dmp

Download
memory/792-252-0x0000000000000000-mapping.dmp

Download
memory/904-255-0x0000000000000000-mapping.dmp

Download
memory/1104-153-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/1104-152-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/1104-145-0x0000000000000000-mapping.dmp

Download
memory/1104-148-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1192-338-0x0000028524FF0000-0x0000028524FF2000-memory.dmp

Filesize
8KB

Download
memory/1192-363-0x0000028524FF8000-0x0000028524FF9000-memory.dmp

Filesize
4KB

Download
memory/1192-321-0x0000000000000000-mapping.dmp

Download
memory/1192-342-0x0000028524FF6000-0x0000028524FF8000-memory.dmp

Filesize
8KB

Download
memory/1192-340-0x0000028524FF3000-0x0000028524FF5000-memory.dmp

Filesize
8KB

Download
memory/1332-271-0x0000000000000000-mapping.dmp

Download
memory/1332-315-0x00000284B4380000-0x00000284B4382000-memory.dmp

Filesize
8KB

Download
memory/1332-316-0x00000284B4383000-0x00000284B4385000-memory.dmp

Filesize
8KB

Download
memory/1332-317-0x00000284B4386000-0x00000284B4388000-memory.dmp

Filesize
8KB

Download
memory/1332-336-0x00000284B4388000-0x00000284B4389000-memory.dmp

Filesize
4KB

Download
memory/1432-154-0x0000000000400000-0x0000000000FC0000-memory.dmp

Filesize
11.8MB

Download
memory/1432-156-0x00007FFF05270000-0x00007FFF05272000-memory.dmp

Filesize
8KB

Download
memory/1432-142-0x0000000000000000-mapping.dmp

Download
memory/1752-181-0x00000177610D3000-0x00000177610D5000-memory.dmp

Filesize
8KB

Download
memory/1752-158-0x000001775F2A0000-0x000001775F2A2000-memory.dmp

Filesize
8KB

Download
memory/1752-161-0x0000017779A10000-0x0000017779BFD000-memory.dmp

Filesize
1.9MB

Download
memory/1752-163-0x000001775F2A0000-0x000001775F2A2000-memory.dmp

Filesize
8KB

Download
memory/1752-164-0x000001775F300000-0x000001775F301000-memory.dmp

Filesize
4KB

Download
memory/1752-165-0x000001775F2A0000-0x000001775F2A2000-memory.dmp

Filesize
8KB

Download
memory/1752-159-0x000001775F2A0000-0x000001775F2A2000-memory.dmp

Filesize
8KB

Download
memory/1752-160-0x000001775F2A0000-0x000001775F2A2000-memory.dmp

Filesize
8KB

Download
memory/1752-182-0x00000177610D6000-0x00000177610D7000-memory.dmp

Filesize
4KB

Download
memory/1752-178-0x000001775EE40000-0x000001775F031000-memory.dmp

Filesize
1.9MB

Download
memory/1752-180-0x00000177610D0000-0x00000177610D2000-memory.dmp

Filesize
8KB

Download
memory/1752-157-0x000001775F2A0000-0x000001775F2A2000-memory.dmp

Filesize
8KB

Download
memory/1780-286-0x0000000000000000-mapping.dmp

Download
memory/1784-312-0x0000028A6C300000-0x0000028A6C302000-memory.dmp

Filesize
8KB

Download
memory/1784-313-0x0000028A6C303000-0x0000028A6C305000-memory.dmp

Filesize
8KB

Download
memory/1784-314-0x0000028A6C306000-0x0000028A6C307000-memory.dmp

Filesize
4KB

Download
memory/2116-166-0x0000000000000000-mapping.dmp

Download
memory/2456-270-0x0000000000000000-mapping.dmp

Download
memory/2628-120-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/2628-123-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2628-121-0x0000000005520000-0x0000000005551000-memory.dmp

Filesize
196KB

Download
memory/2628-122-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/2628-118-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3272-173-0x0000000000000000-mapping.dmp

Download
memory/3356-373-0x0000014BCC420000-0x0000014BCC422000-memory.dmp

Filesize
8KB

Download
memory/3356-372-0x0000014BB1F40000-0x0000014BB1F47000-memory.dmp

Filesize
28KB

Download
memory/3356-375-0x0000014BCC426000-0x0000014BCC427000-memory.dmp

Filesize
4KB

Download
memory/3356-374-0x0000014BCC423000-0x0000014BCC425000-memory.dmp

Filesize
8KB

Download
memory/3368-175-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-171-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-167-0x0000000000000000-mapping.dmp

Download
memory/3368-168-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-227-0x000002457EBE8000-0x000002457EBE9000-memory.dmp

Filesize
4KB

Download
memory/3368-169-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-170-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-172-0x000002457EDD0000-0x000002457EDD1000-memory.dmp

Filesize
4KB

Download
memory/3368-174-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-177-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-207-0x000002457EBE6000-0x000002457EBE8000-memory.dmp

Filesize
8KB

Download
memory/3368-179-0x000002457F920000-0x000002457F921000-memory.dmp

Filesize
4KB

Download
memory/3368-185-0x0000024566690000-0x0000024566692000-memory.dmp

Filesize
8KB

Download
memory/3368-183-0x000002457EBE0000-0x000002457EBE2000-memory.dmp

Filesize
8KB

Download
memory/3368-184-0x000002457EBE3000-0x000002457EBE5000-memory.dmp

Filesize
8KB

Download
memory/3668-128-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3668-138-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/3668-124-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3668-125-0x0000000000418F06-mapping.dmp

Download
memory/3668-133-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3668-131-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3668-129-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3668-130-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3668-141-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/3668-136-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/3668-132-0x0000000004F70000-0x0000000005576000-memory.dmp

Filesize
6.0MB

Download
memory/3668-140-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/3668-139-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/3668-134-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3668-137-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/3688-232-0x000001A379286000-0x000001A379288000-memory.dmp

Filesize
8KB

Download
memory/3688-251-0x000001A379288000-0x000001A379289000-memory.dmp

Filesize
4KB

Download
memory/3688-228-0x000001A379280000-0x000001A379282000-memory.dmp

Filesize
8KB

Download
memory/3688-231-0x000001A379283000-0x000001A379285000-memory.dmp

Filesize
8KB

Download
memory/3688-211-0x0000000000000000-mapping.dmp

Download