Analysis
- max time kernel: 148s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 01/03/2023, 05:01
- Static task: static1
General
- Target: ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe
- Size: 1.3MB
- MD5: ad86a7cead4e451b4b39f872f7d6d1a6
- SHA1: fea560c6c01692a1aae1f2aefd50f94b15c330bf
- SHA256: ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5
- SHA512: db3f4b259d026863964e87391af2ac153f0e69f8995b9f61117c7aa331584ef7184a3dacfc4929da3c78dfd1da866bf501cbd8c69d62638a023d6aee30aba03a
- SSDEEP: 24576:bydwV5FKwqin75FPIzaOVmaHDLZ3VV4FFOp6EMP0EVNedN9+P3WPUe2sz10:Odw7FKbinIvEaHDvVAFDEMP0EVNE9MH0
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Extracted
- Family: amadey
- Version: 3.67
- C2: 193.233.20.14/BR54nmB3/index.php
Extracted
- Family: redline
- Botnet: forma
- C2: 193.233.20.24:4123
- auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | beEy98eS06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | beEy98eS06.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | dsCz41pP96.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | beEy98eS06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | beEy98eS06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | gnSl25dP32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | gnSl25dP32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | beEy98eS06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | gnSl25dP32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | gnSl25dP32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | beEy98eS06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | gnSl25dP32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 34 IoCs
resource | yara_rule
behavioral1/memory/3896-184-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-185-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-187-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-189-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-191-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-193-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-195-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-197-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-199-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-201-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-203-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-205-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-207-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-209-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-211-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-213-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-215-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-218-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-221-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-223-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-225-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-227-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-229-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-231-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-233-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-235-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-237-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-239-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-241-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-243-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-245-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-247-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/3896-249-0x0000000002600000-0x000000000263E000-memory.dmp | family_redline
behavioral1/memory/2796-2068-0x0000000002620000-0x0000000002630000-memory.dmp | family_redline
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | hk78ZZ44Xe11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 14 IoCs
pid | Process
4244 | ptqJ0354Ma.exe
1100 | ptzg2402mE.exe
4936 | ptFr8965fq.exe
4712 | ptOc6165CI.exe
2800 | ptrN3372Tr.exe
4788 | beEy98eS06.exe
3896 | cuzG97Lx76.exe
4544 | dsCz41pP96.exe
2796 | fr01IO8689iU.exe
4420 | gnSl25dP32.exe
4640 | hk78ZZ44Xe11.exe
2848 | mnolyk.exe
2084 | jxes33Ll21.exe
4436 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
3772 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | beEy98eS06.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | dsCz41pP96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | gnSl25dP32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptqJ0354Ma.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptzg2402mE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ptrN3372Tr.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptqJ0354Ma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ptzg2402mE.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptFr8965fq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ptFr8965fq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptOc6165CI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ptOc6165CI.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptrN3372Tr.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1424 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 3 IoCs
pid | pid_target | Process | procid_target
816 | 3896 | WerFault.exe | 95
1600 | 4544 | WerFault.exe | 99
4976 | 2796 | WerFault.exe | 104
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3724 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
4788 | beEy98eS06.exe
4788 | beEy98eS06.exe
3896 | cuzG97Lx76.exe
3896 | cuzG97Lx76.exe
4544 | dsCz41pP96.exe
4544 | dsCz41pP96.exe
2796 | fr01IO8689iU.exe
2796 | fr01IO8689iU.exe
4420 | gnSl25dP32.exe
4420 | gnSl25dP32.exe
2084 | jxes33Ll21.exe
2084 | jxes33Ll21.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4788 | beEy98eS06.exe
Token: SeDebugPrivilege | 3896 | cuzG97Lx76.exe
Token: SeDebugPrivilege | 4544 | dsCz41pP96.exe
Token: SeDebugPrivilege | 2796 | fr01IO8689iU.exe
Token: SeDebugPrivilege | 4420 | gnSl25dP32.exe
Token: SeDebugPrivilege | 2084 | jxes33Ll21.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical consecutive rows collapsed; count in parentheses)
PID 5116 wrote to memory of 4244 | 5116 | ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe | 86 (3 rows)
PID 4244 wrote to memory of 1100 | 4244 | ptqJ0354Ma.exe | 87 (3 rows)
PID 1100 wrote to memory of 4936 | 1100 | ptzg2402mE.exe | 88 (3 rows)
PID 4936 wrote to memory of 4712 | 4936 | ptFr8965fq.exe | 89 (3 rows)
PID 4712 wrote to memory of 2800 | 4712 | ptOc6165CI.exe | 90 (3 rows)
PID 2800 wrote to memory of 4788 | 2800 | ptrN3372Tr.exe | 91 (2 rows)
PID 2800 wrote to memory of 3896 | 2800 | ptrN3372Tr.exe | 95 (3 rows)
PID 4712 wrote to memory of 4544 | 4712 | ptOc6165CI.exe | 99 (3 rows)
PID 4936 wrote to memory of 2796 | 4936 | ptFr8965fq.exe | 104 (3 rows)
PID 1100 wrote to memory of 4420 | 1100 | ptzg2402mE.exe | 116 (2 rows)
PID 4244 wrote to memory of 4640 | 4244 | ptqJ0354Ma.exe | 117 (3 rows)
PID 4640 wrote to memory of 2848 | 4640 | hk78ZZ44Xe11.exe | 118 (3 rows)
PID 5116 wrote to memory of 2084 | 5116 | ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe | 119 (3 rows)
PID 2848 wrote to memory of 3724 | 2848 | mnolyk.exe | 120 (3 rows)
PID 2848 wrote to memory of 3676 | 2848 | mnolyk.exe | 122 (3 rows)
PID 3676 wrote to memory of 2700 | 3676 | cmd.exe | 124 (3 rows)
PID 3676 wrote to memory of 3796 | 3676 | cmd.exe | 125 (3 rows)
PID 3676 wrote to memory of 2652 | 3676 | cmd.exe | 126 (3 rows)
PID 3676 wrote to memory of 5012 | 3676 | cmd.exe | 128 (3 rows)
PID 3676 wrote to memory of 4308 | 3676 | cmd.exe | 127 (3 rows)
PID 3676 wrote to memory of 1824 | 3676 | cmd.exe | 129 (3 rows)
PID 2848 wrote to memory of 3772 | 2848 | mnolyk.exe | 132 (3 rows)
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe (PID 5116)
  command line: "C:\Users\Admin\AppData\Local\Temp\ef995e0b352b07375694fc7c7e4d51c622870af0371b0f53ad78e56e85dae5b5.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptqJ0354Ma.exe (PID 4244)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptqJ0354Ma.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptzg2402mE.exe (PID 1100)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptzg2402mE.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptFr8965fq.exe (PID 4936)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptFr8965fq.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptOc6165CI.exe (PID 4712)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptOc6165CI.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptrN3372Tr.exe (PID 2800)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptrN3372Tr.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beEy98eS06.exe (PID 4788)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beEy98eS06.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuzG97Lx76.exe (PID 3896)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuzG97Lx76.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              C:\Windows\SysWOW64\WerFault.exe (PID 816)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1316
                - Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsCz41pP96.exe (PID 4544)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsCz41pP96.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 1600)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1084
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr01IO8689iU.exe (PID 2796)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr01IO8689iU.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe (PID 4976)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1332
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnSl25dP32.exe (PID 4420)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnSl25dP32.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk78ZZ44Xe11.exe (PID 4640)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk78ZZ44Xe11.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe (PID 2848)
        command line: "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 3724)
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe" /F
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe (PID 3676)
          command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\465af4af92" /P "Admin:N"&&CACLS "..\465af4af92" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (PID 2700)
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          C:\Windows\SysWOW64\cacls.exe (PID 3796)
            command line: CACLS "mnolyk.exe" /P "Admin:N"
          C:\Windows\SysWOW64\cacls.exe (PID 2652)
            command line: CACLS "mnolyk.exe" /P "Admin:R" /E
          C:\Windows\SysWOW64\cacls.exe (PID 4308)
            command line: CACLS "..\465af4af92" /P "Admin:N"
          C:\Windows\SysWOW64\cmd.exe (PID 5012)
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          C:\Windows\SysWOW64\cacls.exe (PID 1824)
            command line: CACLS "..\465af4af92" /P "Admin:R" /E
        C:\Windows\SysWOW64\rundll32.exe (PID 3772)
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
          - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxes33Ll21.exe (PID 2084)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxes33Ll21.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 3120)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3896 -ip 3896
C:\Windows\SysWOW64\WerFault.exe (PID 4852)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe (PID 2236)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2796 -ip 2796
C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe (PID 4436)
  command line: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
  - Executes dropped EXE
C:\Windows\system32\sc.exe (PID 1424)
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads (34 entries in the report; identical entries collapsed, with the number of occurrences in parentheses)
- Filesize 240KB (6 entries)
  MD5 298bdcae467b9330bb3db2fd874897c7
  SHA1 374088cb3cf1433c0c09af900e4eb89c4eb2f7b0
  SHA256 645e23103daacf6e7c01dd8b1335cdcc5ba7616b629cff30a701860a5b0f70d0
  SHA512 c90ae2866d232af02452a7bce8e15858f0dcf339237013884eb047ab93090b4820296dd884aa8bb84ca49ce19c097fc12ed9faad129568905508da4827914cca
- Filesize 176KB (2 entries)
  MD5 40f838fd6227dc86e88b0527e8e4dd3f
  SHA1 74ee4031b4273c11cbd2fc189e7e1806740176f8
  SHA256 7edeefc891e9974426b2ba6ce91669aa419bb6b83cf619a9ad1a62d72a8a1d5b
  SHA512 b4aeac6be621166b94cc72ffbee9cfaddbed494967d49d56d865dc19e76c91490fa92e33715427b39d3a5d7ac28cba4e4a8877e23ded89e3bf9ccf36ec4e2e7f
- Filesize 1.2MB (2 entries)
  MD5 5831ca410879940f8581471004d77942
  SHA1 557ed835eed1e41db63739f8f7016837e1b786b3
  SHA256 26a2b8f514e88fa25ffe56d30764a4f6881bbdd8e6c1930964e543429823b0b2
  SHA512 8a70e7ed170a4ac5d180c93bfdf5676a9e7455d4fe9a85a4d334057a028c7cca0cdd167dd10a03683d82b0f8d33dfb658d531624f6933f352b3c8b0ed2ef9799
- Filesize 1.0MB (2 entries)
  MD5 6c9c221829650db85384be12c3101e79
  SHA1 b7fc730c914037bbd1fa92e63070b27f73c9011b
  SHA256 d63455d4b3a2b1ba5975bdf94d23c2401e6a70dbd43602e171861d87ac6561cc
  SHA512 1c0707852cfefa45ed3f5e4b9d3768dbdddbce762d480e0edd970ccd6fd8b49196c9d0c765166ac0ba24cdd920dcea19e8950d607f3797fd7c237780ef4e3a3a
- Filesize 16KB (2 entries)
  MD5 901a1536ace9fb6ed8af4ac87b0fb1ef
  SHA1 ae967a4fa29a84fa22f5e90aa1e971bc41040812
  SHA256 65258e0416a390cb06c2f0c1408475e6935679146b5dbb95a1bdd663932adbbf
  SHA512 8426c4b7cb018a13be647ba30eca90fdc50e550cb6f7c54cde009ba8dff610807947e52d375068e6543833f601f1d5743fecd52d6b62671106aa4e70edb71564
- Filesize 936KB (2 entries)
  MD5 0ac6a5bc488114784bfc34d9c377dbef
  SHA1 1a7bc6d88f0ff02589c008a35455881658710654
  SHA256 381ee96e1306aee2ee8cb7aa1afe995c17a64e0f28fb595b764697f63d8591fd
  SHA512 bd27264111ecbb198ed9bc34dc5b0848d7a6a8c9be026d01aaf9e81541804fbde927781d825f2e7f7b388089b3d8d1feba4cadac01a0861c7df5210fd307518c
- Filesize 302KB (5 entries)
  MD5 1c5a86f75232313703fab93a198cfae7
  SHA1 ecf2d10a917811db5f5da1e29c929ab6a2866a0e
  SHA256 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
  SHA512 fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f
- Filesize 667KB (2 entries)
  MD5 4527ea7b4f6ec796934aaa7de1d5aa38
  SHA1 20c678b8725603f5c44f06092bcd95c8ffc39d25
  SHA256 732f3da89d6f9e6c11459cc076404dd82d7399972401d1938014bda871baa696
  SHA512 86dc32d3453d0f3037b26585c4db79c526567879fbfd9206b371401de926e0a8858975cef1bc4f9c2b42e41c46c6a92829bf20dd7909ac41b6bb28989f945d42
- Filesize 244KB (2 entries)
  MD5 d29297337536c5530be57237fff85868
  SHA1 6cd002f1b5309afffd620865b1ce72dd4a525caf
  SHA256 a9356eb37793414768c11340d0ef4f058cdc46d2f8ff73d8a3496b4a60912855
  SHA512 79e1bfa4eb744d852f8ce8305b5213482ca6d428ad98a2bca9013c1ad368623e6c4a395f21a071b000b5e891d6528776aea92722d45501a3fe0e8fbf14425045
- Filesize 392KB (2 entries)
  MD5 9df2c535ee0146f855a17ac8123c68ba
  SHA1 0b82a84681aed48e851d1a08d74fb51125a36dd0
  SHA256 b8b3a321784c667bb6e6d2889b9a96bdb3ec52f36371cc13157465d87c8dad1b
  SHA512 22192eb205e7692ee6ada71be1e9bb7e8e37f283e492756711a5532452d5cf2e6ffafc262ae5a9e419940d2383423ec931f1bee59dec806e856675765dbc7439
- Filesize 16KB (3 entries)
  MD5 e5b53e76687126bfc84b665a212fcf52
  SHA1 5b5e2c49636eabfa7af3d14a4e122ba637e932c7
  SHA256 241ceb523eaf8304540f4456f21e422364bfe72422cb7a2ff146fd10fa6a4492
  SHA512 631c9696d30efe882a6541d680c0c3bb560af860a2141678084617a204c94c312436ef5cc5d3cf9d400ba396bd415a302c52713d86f43f223b0e80790a3531d4
- Filesize 89KB (3 entries)
  MD5 eff1ce4e3c7459a8061b91c5b55e0504
  SHA1 b790e43dae923d673aadf9e11a4f904a4c44a3f4
  SHA256 bfa2c6b2a0303482dd77f02dc34fa0df450f46debd87b8d6a8473ac7889b605a
  SHA512 d3ade314ad8f337d5117a3e0cec2eb7128936d97f09f496e1a0cb76b4e3204c30858ab4c6a2da9bd8fe776d32b7af38dc60d14b7c800d6f0ebb275132172cd78
- Filesize 162B (1 entry)
  MD5 1b7c22a214949975556626d7217e9a39
  SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
  SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
  SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5