Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/03/2023, 13:52
Static task: static1
General
Target: ec58c4e68be7f73b6e0212e0dc6a83dc2f6f13645e501adf10312091bae92128.exe
Size: 1.3MB
MD5: 3a6fd5601b0d946883ff3b9f6a1d599c
SHA1: 6338b955473d38d2b22be245bad50c81197efdd3
SHA256: ec58c4e68be7f73b6e0212e0dc6a83dc2f6f13645e501adf10312091bae92128
SHA512: 265fb8acbbf970736eeb9501055ff32f2834a5abeefbbfd69f07e7a054d893757cf975dc664ddefa937dde85144e66a269ecd2d39b8a2ee39e0913d2197b34f0
SSDEEP: 24576:ayvMKgWA8D+++NAzIyVsWnG3UTIERoIZ3+loCoMGH/ZwN9COWr7hx:hBgW5Ahss8OULRoI5+ldGHWje/h
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Extracted
Family: amadey
Version: 3.67
C2: 193.233.20.15/dF30Hn4m/index.php
Extracted
Family: redline
Botnet: forma
C2: 193.233.20.24:4123
auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iJJ59Io35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | rXA51Qh42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iJJ59Io35.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | rXA51Qh42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | rXA51Qh42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iJJ59Io35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iJJ59Io35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | rXA51Qh42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | rXA51Qh42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iJJ59Io35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iJJ59Io35.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 34 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | sf65YZ00BL02.exe
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 15 IoCs
pid | Process
4824 | vmVu43tc49.exe
1964 | vmPU67pf99.exe
3712 | vmXC88pb93.exe
2280 | vmTD63Rs25.exe
3812 | vmqK30ol59.exe
2892 | iJJ59Io35.exe
4836 | kuz56Sc16.exe
4760 | mZk45dt80.exe
4692 | nHd44pg96.exe
3956 | rXA51Qh42.exe
3436 | sf65YZ00BL02.exe
3388 | mnolyk.exe
4280 | tv72pt39jt16.exe
852 | mnolyk.exe
3260 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
3092 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iJJ59Io35.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | mZk45dt80.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | rXA51Qh42.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ec58c4e68be7f73b6e0212e0dc6a83dc2f6f13645e501adf10312091bae92128.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vmVu43tc49.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vmPU67pf99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | vmTD63Rs25.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | vmqK30ol59.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ec58c4e68be7f73b6e0212e0dc6a83dc2f6f13645e501adf10312091bae92128.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vmVu43tc49.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vmPU67pf99.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vmXC88pb93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | vmXC88pb93.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vmTD63Rs25.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vmqK30ol59.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 3 IoCs
pid | pid_target | Process | procid_target
1316 | 4836 | WerFault.exe | 97
860 | 4760 | WerFault.exe | 101
3484 | 4692 | WerFault.exe | 113
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4152 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
2892 | iJJ59Io35.exe
2892 | iJJ59Io35.exe
2892 | iJJ59Io35.exe
4836 | kuz56Sc16.exe
4836 | kuz56Sc16.exe
4760 | mZk45dt80.exe
4760 | mZk45dt80.exe
4692 | nHd44pg96.exe
4692 | nHd44pg96.exe
3956 | rXA51Qh42.exe
3956 | rXA51Qh42.exe
4280 | tv72pt39jt16.exe
4280 | tv72pt39jt16.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2892 | iJJ59Io35.exe
Token: SeDebugPrivilege | 4836 | kuz56Sc16.exe
Token: SeDebugPrivilege | 4760 | mZk45dt80.exe
Token: SeDebugPrivilege | 4692 | nHd44pg96.exe
Token: SeDebugPrivilege | 3956 | rXA51Qh42.exe
Token: SeDebugPrivilege | 4280 | tv72pt39jt16.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(process tree; [n] is the depth level, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\ec58c4e68be7f73b6e0212e0dc6a83dc2f6f13645e501adf10312091bae92128.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ec58c4e68be7f73b6e0212e0dc6a83dc2f6f13645e501adf10312091bae92128.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1940
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmVu43tc49.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmVu43tc49.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4824
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmPU67pf99.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmPU67pf99.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1964
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXC88pb93.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXC88pb93.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 3712
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmTD63Rs25.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmTD63Rs25.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 2280
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmqK30ol59.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmqK30ol59.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
              PID: 3812
            [7] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iJJ59Io35.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iJJ59Io35.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2892
            [7] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kuz56Sc16.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kuz56Sc16.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 4836
              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1348
                  - Program crash
                  PID: 1316
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mZk45dt80.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mZk45dt80.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 4760
            [7] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1080
                - Program crash
                PID: 860
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHd44pg96.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHd44pg96.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4692
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1348
              - Program crash
              PID: 3484
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rXA51Qh42.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rXA51Qh42.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3956
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf65YZ00BL02.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf65YZ00BL02.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3436
      [4] C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 3388
        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
            - Creates scheduled task(s)
            PID: 4152
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            PID: 3692
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 624
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "mnolyk.exe" /P "Admin:N"
              PID: 1956
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
              PID: 4716
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 2176
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\4f9dd6f8a7" /P "Admin:N"
              PID: 1924
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
              PID: 1912
        [5] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            - Loads dropped DLL
            PID: 3092
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv72pt39jt16.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv72pt39jt16.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4280

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836
    PID: 4692

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760
    PID: 2100

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4692 -ip 4692
    PID: 1120

[1] C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
    - Executes dropped EXE
    PID: 852

[1] C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
    - Executes dropped EXE
    PID: 3260
Network
MITRE ATT&CK Enterprise v6
Downloads