Analysis
max time kernel: 118s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/03/2023, 13:38
Static task: static1
General
Target: 7f849a6eb60140dc10278b9baec0027ee22ffb0befbfef993fbf30b79ec92dc2.exe
Size: 1.3MB
MD5: 517a093ee73e16d12ec7d1c748917f55
SHA1: 0060368b376b438855a3c02f89bd049a6c72c0f1
SHA256: 7f849a6eb60140dc10278b9baec0027ee22ffb0befbfef993fbf30b79ec92dc2
SHA512: 3997a6725f26dbc45a68e4b2371c9a9575990e6af07b12556bec5153baa06d076d6ebc800cb51564c3704daeba858398e84f576d7df2e562a224e1d6e12fdcd5
SSDEEP: 24576:lyBVVcf38jY9drNoID/dFBreYSKx2IIatJicfQr8M1ntw:ABVqfQad5fdDiYjx7bJEwM1
Malware Config
Extracted: redline
- botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Extracted: amadey
- version: 3.67
- C2: 193.233.20.15/dF30Hn4m/index.php
Extracted: redline
- botnet: forma
- C2: 193.233.20.24:4123
- auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures
Modifies Windows Defender Real-time Protection settings
Process: action, registry IoC
- iUS27cS42.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- iUS27cS42.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- iUS27cS42.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- mBt76Uj08.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- rCR06CC27.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- mBt76Uj08.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- mBt76Uj08.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- rCR06CC27.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- rCR06CC27.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- iUS27cS42.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- mBt76Uj08.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- mBt76Uj08.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- rCR06CC27.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- iUS27cS42.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- iUS27cS42.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- mBt76Uj08.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- rCR06CC27.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Process: action, registry IoC
- sf02rX88TJ50.exe: Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
- mnolyk.exe: Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 14 IoCs
- PID 2912 vmxM44KB04.exe
- PID 1896 vmOx14qC29.exe
- PID 2904 vmNP55bB49.exe
- PID 2436 vmdn69mt90.exe
- PID 1364 vmYY59Oi27.exe
- PID 220 iUS27cS42.exe
- PID 868 kzC70pA51.exe
- PID 3996 mBt76Uj08.exe
- PID 3216 nIx62RP45.exe
- PID 372 rCR06CC27.exe
- PID 4484 sf02rX88TJ50.exe
- PID 4584 mnolyk.exe
- PID 4768 tv92tp74bD16.exe
- PID 4628 mnolyk.exe
Loads dropped DLL 1 IoCs
- PID 2648 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Process: action, registry IoC
- iUS27cS42.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
- mBt76Uj08.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- mBt76Uj08.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- rCR06CC27.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
Process: action, registry IoC
- 7f849a6eb60140dc10278b9baec0027ee22ffb0befbfef993fbf30b79ec92dc2.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- vmOx14qC29.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- vmNP55bB49.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- vmdn69mt90.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- vmYY59Oi27.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""
- vmdn69mt90.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
- vmYY59Oi27.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- 7f849a6eb60140dc10278b9baec0027ee22ffb0befbfef993fbf30b79ec92dc2.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- vmxM44KB04.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- vmxM44KB04.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- vmOx14qC29.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- vmNP55bB49.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
- PID 4616 WerFault.exe, target PID 868 (procid_target 94)
- PID 4512 WerFault.exe, target PID 3996 (procid_target 99)
- PID 1648 WerFault.exe, target PID 3216 (procid_target 111)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4024 schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
- PID 220 iUS27cS42.exe
- PID 220 iUS27cS42.exe
- PID 868 kzC70pA51.exe
- PID 868 kzC70pA51.exe
- PID 3996 mBt76Uj08.exe
- PID 3996 mBt76Uj08.exe
- PID 3216 nIx62RP45.exe
- PID 3216 nIx62RP45.exe
- PID 372 rCR06CC27.exe
- PID 372 rCR06CC27.exe
- PID 4768 tv92tp74bD16.exe
- PID 4768 tv92tp74bD16.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
- PID 220 iUS27cS42.exe: Token: SeDebugPrivilege
- PID 868 kzC70pA51.exe: Token: SeDebugPrivilege
- PID 3996 mBt76Uj08.exe: Token: SeDebugPrivilege
- PID 3216 nIx62RP45.exe: Token: SeDebugPrivilege
- PID 372 rCR06CC27.exe: Token: SeDebugPrivilege
- PID 4768 tv92tp74bD16.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes
([n] is the depth of the process in the tree; behaviors are listed under each process)
  [1] C:\Users\Admin\AppData\Local\Temp\7f849a6eb60140dc10278b9baec0027ee22ffb0befbfef993fbf30b79ec92dc2.exe (PID 972)
      cmd: "C:\Users\Admin\AppData\Local\Temp\7f849a6eb60140dc10278b9baec0027ee22ffb0befbfef993fbf30b79ec92dc2.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxM44KB04.exe (PID 2912)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmOx14qC29.exe (PID 1896)
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNP55bB49.exe (PID 2904)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdn69mt90.exe (PID 2436)
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
            [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmYY59Oi27.exe (PID 1364)
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
              [7] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iUS27cS42.exe (PID 220)
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [7] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kzC70pA51.exe (PID 868)
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                [8] C:\Windows\SysWOW64\WerFault.exe (PID 4616)
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1348
                    - Program crash
            [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mBt76Uj08.exe (PID 3996)
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [7] C:\Windows\SysWOW64\WerFault.exe (PID 4512)
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1084
                  - Program crash
          [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nIx62RP45.exe (PID 3216)
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [6] C:\Windows\SysWOW64\WerFault.exe (PID 1648)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1348
                - Program crash
        [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rCR06CC27.exe (PID 372)
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf02rX88TJ50.exe (PID 4484)
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe (PID 4584)
            cmd: "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\schtasks.exe (PID 4024)
              cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
              - Creates scheduled task(s)
          [5] C:\Windows\SysWOW64\cmd.exe (PID 2744)
              cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
              - Suspicious use of WriteProcessMemory
            [6] C:\Windows\SysWOW64\cmd.exe (PID 4028)
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [6] C:\Windows\SysWOW64\cacls.exe (PID 4328)
                cmd: CACLS "mnolyk.exe" /P "Admin:N"
            [6] C:\Windows\SysWOW64\cacls.exe (PID 4884)
                cmd: CACLS "mnolyk.exe" /P "Admin:R" /E
            [6] C:\Windows\SysWOW64\cmd.exe (PID 4672)
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [6] C:\Windows\SysWOW64\cacls.exe (PID 1428)
                cmd: CACLS "..\4f9dd6f8a7" /P "Admin:N"
            [6] C:\Windows\SysWOW64\cacls.exe (PID 4740)
                cmd: CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
          [5] C:\Windows\SysWOW64\rundll32.exe (PID 2648)
              cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              - Loads dropped DLL
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv92tp74bD16.exe (PID 4768)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [1] C:\Windows\SysWOW64\WerFault.exe (PID 440)
      cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 868 -ip 868
  [1] C:\Windows\SysWOW64\WerFault.exe (PID 2396)
      cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3996 -ip 3996
  [1] C:\Windows\SysWOW64\WerFault.exe (PID 2564)
      cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3216 -ip 3216
  [1] C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe (PID 4628)
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads