redline | bb1d3df26a6c9f8b1ec1608e1d177a2407ddc0efa7455ba7a68ab2f50f5381f6

Analysis

max time kernel
737s
max time network
1247s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/09/2022, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad (2).js
Size

16.9MB
MD5

0a1eb91d290587e3f154e85a83d1b222
SHA1

417386e69759d61b9b3db947ffacc2dd192c7740
SHA256

bb1d3df26a6c9f8b1ec1608e1d177a2407ddc0efa7455ba7a68ab2f50f5381f6
SHA512

cad902e0d8bd106707247197907d72eb9a2cf19ed6a99ccb3a41af5fbc9569fedfe2f228b5d2a39e6f551a1eccca01d1bf8a00f1c2583ee70b90c8e5d77d0820
SSDEEP

49152:vvMl5ImrlOdPoXywnePgUfhZIc0fRGlMtz2nexWlgMrZiQGP:i

Score

10^/10

redline discovery infostealer persistence spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1076-56-0x0000000037F30000-0x0000000037FEC000-memory.dmp	family_redline

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1076	wscript.exe
7	1076	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad99733 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad22582 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\44427bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad44427 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\66066bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))\""	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad46399 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))\""	cscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\39529bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad66066 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))\""	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\46399bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))\""	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\99733bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcceabcbfefcad39529 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\22582bcceabcbfefcad = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	cscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1076	wscript.exe
2056	powershell.exe
2188	powershell.exe
2116	powershell.exe
2532	powershell.exe
2520	powershell.exe
2504	powershell.exe
2156	powershell.exe
1000	powershell.exe
2080	powershell.exe
2472	powershell.exe
2452	powershell.exe
2436	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	wscript.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 748	1076	wscript.exe	29
PID 1076 wrote to memory of 748	1076	wscript.exe	29
PID 1076 wrote to memory of 748	1076	wscript.exe	29
PID 1076 wrote to memory of 2016	1076	wscript.exe	30
PID 1076 wrote to memory of 2016	1076	wscript.exe	30
PID 1076 wrote to memory of 2016	1076	wscript.exe	30
PID 1076 wrote to memory of 1592	1076	wscript.exe	31
PID 1076 wrote to memory of 1592	1076	wscript.exe	31
PID 1076 wrote to memory of 1592	1076	wscript.exe	31
PID 1076 wrote to memory of 688	1076	wscript.exe	32
PID 1076 wrote to memory of 688	1076	wscript.exe	32
PID 1076 wrote to memory of 688	1076	wscript.exe	32
PID 1076 wrote to memory of 1708	1076	wscript.exe	33
PID 1076 wrote to memory of 1708	1076	wscript.exe	33
PID 1076 wrote to memory of 1708	1076	wscript.exe	33
PID 1076 wrote to memory of 1680	1076	wscript.exe	34
PID 1076 wrote to memory of 1680	1076	wscript.exe	34
PID 1076 wrote to memory of 1680	1076	wscript.exe	34
PID 1076 wrote to memory of 1200	1076	wscript.exe	35
PID 1076 wrote to memory of 1200	1076	wscript.exe	35
PID 1076 wrote to memory of 1200	1076	wscript.exe	35
PID 1076 wrote to memory of 1372	1076	wscript.exe	36
PID 1076 wrote to memory of 1372	1076	wscript.exe	36
PID 1076 wrote to memory of 1372	1076	wscript.exe	36
PID 1076 wrote to memory of 624	1076	wscript.exe	37
PID 1076 wrote to memory of 624	1076	wscript.exe	37
PID 1076 wrote to memory of 624	1076	wscript.exe	37
PID 1076 wrote to memory of 892	1076	wscript.exe	38
PID 1076 wrote to memory of 892	1076	wscript.exe	38
PID 1076 wrote to memory of 892	1076	wscript.exe	38
PID 1076 wrote to memory of 1600	1076	wscript.exe	39
PID 1076 wrote to memory of 1600	1076	wscript.exe	39
PID 1076 wrote to memory of 1600	1076	wscript.exe	39
PID 1076 wrote to memory of 768	1076	wscript.exe	40
PID 1076 wrote to memory of 768	1076	wscript.exe	40
PID 1076 wrote to memory of 768	1076	wscript.exe	40
PID 1076 wrote to memory of 1096	1076	wscript.exe	41
PID 1076 wrote to memory of 1096	1076	wscript.exe	41
PID 1076 wrote to memory of 1096	1076	wscript.exe	41
PID 1076 wrote to memory of 108	1076	wscript.exe	42
PID 1076 wrote to memory of 108	1076	wscript.exe	42
PID 1076 wrote to memory of 108	1076	wscript.exe	42
PID 688 wrote to memory of 1684	688	WScript.exe	43
PID 688 wrote to memory of 1684	688	WScript.exe	43
PID 688 wrote to memory of 1684	688	WScript.exe	43
PID 1592 wrote to memory of 972	1592	WScript.exe	44
PID 1592 wrote to memory of 972	1592	WScript.exe	44
PID 1592 wrote to memory of 972	1592	WScript.exe	44
PID 108 wrote to memory of 1000	108	WScript.exe	47
PID 108 wrote to memory of 1000	108	WScript.exe	47
PID 108 wrote to memory of 1000	108	WScript.exe	47
PID 108 wrote to memory of 1000	108	WScript.exe	47
PID 108 wrote to memory of 2056	108	WScript.exe	49
PID 108 wrote to memory of 2056	108	WScript.exe	49
PID 108 wrote to memory of 2056	108	WScript.exe	49
PID 1600 wrote to memory of 2080	1600	WScript.exe	58
PID 1600 wrote to memory of 2080	1600	WScript.exe	58
PID 1600 wrote to memory of 2080	1600	WScript.exe	58
PID 1600 wrote to memory of 2080	1600	WScript.exe	58
PID 1600 wrote to memory of 2116	1600	WScript.exe	50
PID 1600 wrote to memory of 2116	1600	WScript.exe	50
PID 1600 wrote to memory of 2116	1600	WScript.exe	50
PID 768 wrote to memory of 2156	768	WScript.exe	55
PID 768 wrote to memory of 2156	768	WScript.exe	55

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\bad (2).js"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\unimcumbern.js"
  2⤵
  PID:748
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\unimcumbern2.js"
  2⤵
  PID:2016
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js
    3⤵
    - Adds Run key to start application
    PID:972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('66066bcceabcbfefcad', 'User'))"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js
    3⤵
    - Adds Run key to start application
    PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46399bcceabcbfefcad', 'User'))"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\By0HWwdJuVCpJZLGG6K0.js"
  2⤵
  PID:1708
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fyTBNtRD86e7YxN8Bg6Z.js"
  2⤵
  PID:1680
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\v8UTQInQ4riGEfymPOY1.js"
  2⤵
  PID:1200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y6hq6beYYNKAKtLs9nWi.js"
  2⤵
  PID:1372
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\S6XogndmP4wJ0Y8A5mWI.js"
  2⤵
  PID:624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\j5XLkEMI6Ab4MCTMsiUJ.js"
  2⤵
  PID:892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\q2EoIIRtkGyoNzBV67pp.js"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('39529bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JeW9i6W4h48g7O8SFLO4.js"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('22582bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gMCQWlAtqIVyVUSXns2r.js"
  2⤵
  - Adds Run key to start application
  PID:1096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('44427bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QH5Jj9d3Q8if2PHKUeOg.js"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('99733bcceabcbfefcad', 'User'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\By0HWwdJuVCpJZLGG6K0.js

Filesize
16.5MB

MD5
d447e3dcdac667ada7145c58fb42b0dc

SHA1
2c1b54997822a92fdd81c1091f779dfe41aa8d51

SHA256
a1d213d51ebba599f3f3b86c63f8bc0ac3ef1fba052acaba3e141f7cab34d07c

SHA512
b9595fda19ae47ed396cae76bc45abf1cb332032710f1ab2e6e3bb85e32fd8cd561680ba6a6e6f879fae54da88b36e2369c81b257a6daa0d5a728b2d62bb7f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeW9i6W4h48g7O8SFLO4.js

Filesize
211KB

MD5
748d757540bca88f79aa391291c3133d

SHA1
6d3c40adeb42ff2c9acb900911c66729e40a12a7

SHA256
17033f49578eb20c10cd492ff72b05bdd7eab17b8caa04d00e0777ade93ffcc3

SHA512
94201037ed8d254966577a4b7180c7023823a5d6a25172288bf8ffcefb543ad3f29102bc092e1f169b81a4ee9eede4fc380800fb4dbbf64377c78e42a2d0205c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QH5Jj9d3Q8if2PHKUeOg.js

Filesize
214KB

MD5
67ae3798c0e6a512c3dd0d202b2bfa17

SHA1
ac9ea30ccb51e486635abe57ef4d00628a13dea7

SHA256
1dd705f06b3ecb7528d6fc15a3ddef17fa89c3a44f24b46f62bb4e55f7132d88

SHA512
d32114d5a0d261e1d119adf5ef406759516102192e4ce81a5791ad027903c55a74f110a80b1002332a5bc22509f68f89b34f3b38d02049e160169b5229458eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\S6XogndmP4wJ0Y8A5mWI.js

Filesize
9.2MB

MD5
edc6877808b8532ec36dd967c57b31de

SHA1
852a5a91e0c9a3472a5c89aae2c421d920a8acde

SHA256
ca52043bdf4904b34e2a69aed0be4d77fa1b24c7caa2f4265292ef0677e0d49c

SHA512
3e7af7fe93f25ba95661ac0ddd7b278009ca44c6934707b9073a96f19693f12d5883eddcff0717c1a17fb4b58283e0770f7d581b1bc4143f1a0857d05a82c20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y6hq6beYYNKAKtLs9nWi.js

Filesize
9.2MB

MD5
63ad6f493f5c59783bc47316ef3b92af

SHA1
c305e179439a10794fdf2f268fe1e3ab645d5983

SHA256
67cbe3781f6f76624b4aa0190e5291be65126c254879bc301727d4407326a32a

SHA512
bde7492e1a50f685158545557e978691055c83152fd6b72f32ac0bf393c727ceba24f6fe705fff632524ef9cd24a7e0f32e9f307387b43d214047b7e0a04f993

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js

Filesize
206KB

MD5
721271c51c6611c82c7d1d335c01b92c

SHA1
e0021c9fe85517ae724f4584bca19e6e392c5197

SHA256
f09227bb0197b6b20409c4a7e6dacb5662d594b6e54a12421bb90cb9ac9680cb

SHA512
a800aa46ea268cea016b53054baedf46371da3db3443669d06d30d2ea20c99a21f1130fddc03499815fa14a6a1082bb22fb9d557d70b18751eb1fd890f9771b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js

Filesize
205KB

MD5
1631086ce2efffca6ffab9ae97b8f3ff

SHA1
75ca403dd06a741af86b109c0b720d33c0af4b71

SHA256
5bfdb3c2a9763232dde5f3fce4646d7688fe1f70598ca94fa13c29a1c7273510

SHA512
ced54d2e3d99218e3b3024dce627e495a6f688a41580cd1bfcb14bb9ea5c1614a3516fbb27bac284bc2fd618cd912a859326f3e839ddeceb2ebbe7cab8511254

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyTBNtRD86e7YxN8Bg6Z.js

Filesize
12.5MB

MD5
93da6927a8d751ee017242a470d9b7da

SHA1
30aaa5686e10174b7925c3f1db372f006b771c58

SHA256
1003bdb0c719dd600468cf91fceea53f110830fa8888f48755efcdd6b0b08ccc

SHA512
89731aeda0dd6c0c05a98b4291b731dff60f182f6651a3ddcb01b4187f0b76dc0472999f270daa68393be32441338a8734a25eb9a31974386761f809d31b1666

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMCQWlAtqIVyVUSXns2r.js

Filesize
208KB

MD5
724aac2641b067d08e6cf9370d86273e

SHA1
2dc6fd3d9433f6ff2cfb1e25ee7b4543db8a1529

SHA256
8a8e43a32b5f80a79b2352afa9eac07dfd49d55cb6263538212e6cbe41d7db0f

SHA512
49b7b588b2acd2416c5a6aabec583b88e683ec1f66ee4b5bd3ae51720756eb5a91d33e0f266e4b823aa87f01804245807577b26c31ae92705f810d10fc83ef57

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5XLkEMI6Ab4MCTMsiUJ.js

Filesize
9.2MB

MD5
a7a3245cb1379140e6d83c3935098a13

SHA1
a19b46abe6e48f80806dfd84e59b9eece8d1de82

SHA256
aa5d60235c292f3935ffa7ed8c18d7583c79363b1f72ca4fd2ba2d394a1367d5

SHA512
063f5a15c06d4a681ca47dbd781fc851fd703ab8a5c4df0993732be3c2ceecd69bee2104917cdd6572750d1fe48d281a462274acf80e22489d42a23e714522c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2EoIIRtkGyoNzBV67pp.js

Filesize
208KB

MD5
8ac34eab182f9ff242fa0fa7f141b6a2

SHA1
864c2bcc37392141fe520bf825a7003ba1056eb4

SHA256
d5b3e3d59ce04590d5a621288b8615a2d26acc73bdbccde347af9e88115796fc

SHA512
bb81fc9b75875251a44747ea358b48a1d5c22ec173b3f31aaaf3dd5cf0a620aeae0b99ed52f7c37f7c69c1b128a4451ad512d94a2dfc7d3d3dd86da8685edbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\unimcumbern.js

Filesize
16.2MB

MD5
c0f2e303dd3ed98a3c87db633daf3c3b

SHA1
2d0b1123bf586cc6e2e5ca69603224c7f6a74825

SHA256
ab607c2f6794fde7454be02b77627c3e4c68831c7f31c0925cb165c97ea32231

SHA512
ff4ef8d079aa9eaa225b864ad4924d52db3e6a9a0bd02a07f4ff0cbf304e8c342d70e589ec818090890347c0dad68fe9e15a10b78c7f24c82671a882e951ca53

Download Submit
C:\Users\Admin\AppData\Local\Temp\unimcumbern2.js

Filesize
14.3MB

MD5
fe4ff2491a8e61f9d64b583a6fecba7a

SHA1
040cf16a2ddb6deb561406507d35f7a5f3fae51a

SHA256
4736b0dd694e384230f6385f920a76d40da44af8f8e047c9c75cb41f0be5a897

SHA512
620c8c85c75b6b8131cf2afad712b9e00b3767a35025372100e848acfd6601da30fcd12375099d85e0aa2262d7eea103e24a5f07cac3ef31c988fd734792f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8UTQInQ4riGEfymPOY1.js

Filesize
10.7MB

MD5
4cfc15db60ca867669359829c71cbd07

SHA1
850697050b30f28c86888e1613a331852642c55f

SHA256
701402fd306b645e0e4cf9b49eba5c921cbfbe38416a8d29c2085166205f57f1

SHA512
b67e357812e5f5668fc393c5d2694f77570bcf8a7145e77164f36273a706b59d8d634c8d730beed0d398e9beb7ceaf5787403e6674341ee415f266acbb3bf497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c77a1b8dcd2f2ac240937566596b943a

SHA1
c16a1b1d9a82678a1c4662a2386baba8fc72896a

SHA256
473aaf1b8b65fdae6dde9ba769f084d2e4722c960ec1d1e5ab640b4730207d26

SHA512
14b8639cf9b3e7e48c699ddf443f6b40154275b9be465d53f80a9260cc0ffb8aface3c61ffccf2c7a783722185cc37b040d39bca242dcce28166ad8051e74c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c77a1b8dcd2f2ac240937566596b943a

SHA1
c16a1b1d9a82678a1c4662a2386baba8fc72896a

SHA256
473aaf1b8b65fdae6dde9ba769f084d2e4722c960ec1d1e5ab640b4730207d26

SHA512
14b8639cf9b3e7e48c699ddf443f6b40154275b9be465d53f80a9260cc0ffb8aface3c61ffccf2c7a783722185cc37b040d39bca242dcce28166ad8051e74c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c77a1b8dcd2f2ac240937566596b943a

SHA1
c16a1b1d9a82678a1c4662a2386baba8fc72896a

SHA256
473aaf1b8b65fdae6dde9ba769f084d2e4722c960ec1d1e5ab640b4730207d26

SHA512
14b8639cf9b3e7e48c699ddf443f6b40154275b9be465d53f80a9260cc0ffb8aface3c61ffccf2c7a783722185cc37b040d39bca242dcce28166ad8051e74c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c77a1b8dcd2f2ac240937566596b943a

SHA1
c16a1b1d9a82678a1c4662a2386baba8fc72896a

SHA256
473aaf1b8b65fdae6dde9ba769f084d2e4722c960ec1d1e5ab640b4730207d26

SHA512
14b8639cf9b3e7e48c699ddf443f6b40154275b9be465d53f80a9260cc0ffb8aface3c61ffccf2c7a783722185cc37b040d39bca242dcce28166ad8051e74c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c77a1b8dcd2f2ac240937566596b943a

SHA1
c16a1b1d9a82678a1c4662a2386baba8fc72896a

SHA256
473aaf1b8b65fdae6dde9ba769f084d2e4722c960ec1d1e5ab640b4730207d26

SHA512
14b8639cf9b3e7e48c699ddf443f6b40154275b9be465d53f80a9260cc0ffb8aface3c61ffccf2c7a783722185cc37b040d39bca242dcce28166ad8051e74c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
19d313196703e7b710f9c34a2046b094

SHA1
31f957d1d14befa1fcb166cff3c8c65b4e782f5a

SHA256
3d52db1f66a92200b42c2ca0a5b97d524ced51d7c15aa91bbec88baaa0de72ed

SHA512
3aa1c8a9f5e1677c7a96dea0df5a19810b253d7b2aa1d454c65ff30546dd4437fc51e6b679bbda1d9a9d4f4dfa5b0f77c3cc113acced4072f8420aaa399cef89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
19d313196703e7b710f9c34a2046b094

SHA1
31f957d1d14befa1fcb166cff3c8c65b4e782f5a

SHA256
3d52db1f66a92200b42c2ca0a5b97d524ced51d7c15aa91bbec88baaa0de72ed

SHA512
3aa1c8a9f5e1677c7a96dea0df5a19810b253d7b2aa1d454c65ff30546dd4437fc51e6b679bbda1d9a9d4f4dfa5b0f77c3cc113acced4072f8420aaa399cef89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
19d313196703e7b710f9c34a2046b094

SHA1
31f957d1d14befa1fcb166cff3c8c65b4e782f5a

SHA256
3d52db1f66a92200b42c2ca0a5b97d524ced51d7c15aa91bbec88baaa0de72ed

SHA512
3aa1c8a9f5e1677c7a96dea0df5a19810b253d7b2aa1d454c65ff30546dd4437fc51e6b679bbda1d9a9d4f4dfa5b0f77c3cc113acced4072f8420aaa399cef89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
19d313196703e7b710f9c34a2046b094

SHA1
31f957d1d14befa1fcb166cff3c8c65b4e782f5a

SHA256
3d52db1f66a92200b42c2ca0a5b97d524ced51d7c15aa91bbec88baaa0de72ed

SHA512
3aa1c8a9f5e1677c7a96dea0df5a19810b253d7b2aa1d454c65ff30546dd4437fc51e6b679bbda1d9a9d4f4dfa5b0f77c3cc113acced4072f8420aaa399cef89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
19d313196703e7b710f9c34a2046b094

SHA1
31f957d1d14befa1fcb166cff3c8c65b4e782f5a

SHA256
3d52db1f66a92200b42c2ca0a5b97d524ced51d7c15aa91bbec88baaa0de72ed

SHA512
3aa1c8a9f5e1677c7a96dea0df5a19810b253d7b2aa1d454c65ff30546dd4437fc51e6b679bbda1d9a9d4f4dfa5b0f77c3cc113acced4072f8420aaa399cef89

Download Submit
memory/1000-139-0x0000000002540000-0x000000000258A000-memory.dmp

Filesize
296KB

Download
memory/1000-130-0x0000000002240000-0x0000000002274000-memory.dmp

Filesize
208KB

Download
memory/1000-135-0x0000000002300000-0x000000000231C000-memory.dmp

Filesize
112KB

Download
memory/1076-90-0x000000003C9B9000-0x000000003C9D8000-memory.dmp

Filesize
124KB

Download
memory/1076-64-0x000000003C9B9000-0x000000003C9D8000-memory.dmp

Filesize
124KB

Download
memory/1076-55-0x000000003F7C0000-0x000000003F9AE000-memory.dmp

Filesize
1.9MB

Download
memory/1076-54-0x0000000037E30000-0x0000000037F26000-memory.dmp

Filesize
984KB

Download
memory/1076-56-0x0000000037F30000-0x0000000037FEC000-memory.dmp

Filesize
752KB

Download
memory/1076-57-0x000000003C9B9000-0x000000003C9D8000-memory.dmp

Filesize
124KB

Download
memory/1592-86-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/2056-105-0x0000000002370000-0x00000000023A4000-memory.dmp

Filesize
208KB

Download
memory/2080-100-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/2116-106-0x000000001AC10000-0x000000001AEF2000-memory.dmp

Filesize
2.9MB

Download
memory/2156-136-0x0000000002490000-0x00000000024D8000-memory.dmp

Filesize
288KB

Download
memory/2188-129-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2188-111-0x0000000001E30000-0x0000000001E4C000-memory.dmp

Filesize
112KB

Download
memory/2452-140-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/2452-131-0x0000000004990000-0x0000000004C72000-memory.dmp

Filesize
2.9MB

Download
memory/2452-138-0x0000000005060000-0x0000000005106000-memory.dmp

Filesize
664KB

Download
memory/2472-137-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2504-133-0x000000001B280000-0x000000001B2CA000-memory.dmp

Filesize
296KB

Download
memory/2504-125-0x0000000002780000-0x00000000027C8000-memory.dmp

Filesize
288KB

Download
memory/2520-134-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/2532-132-0x000000001B360000-0x000000001B406000-memory.dmp

Filesize
664KB

Download