Analysis
max time kernel: 117s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2023, 01:20
Static task
static1
General
Target: 50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe
Size: 1.3MB
MD5: 047990a0354124389939a0e5ba269ec2
SHA1: f8202ddd92ff4db038ad182b9c60aed15287b3c4
SHA256: 50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96
SHA512: 8a59437c2b0d6fda63127d4698370588728b962ae0bc803a51df86a281cf2a19ae5b3b2bfa46f3c58cb91c8f865d67e5e31e5a2485a4fabeee67a6acea79ee16
SSDEEP: 24576:GyKOZV0YmMYoCA1CcS8GjhWlDhYhbXU7Z8ZYGJe0HK1oKDODEog+tA3Co:VrZyYmM2rbtWRhsEO2GA0qR+E6AS
Malware Config
Extracted
Family: redline
Botnet: rouch
C2: 193.56.146.11:4162
auth_value: 1b1735bcfc122c708eae27ca352568de
Extracted
Family: amadey
Version: 3.67
C2: 193.233.20.14/BR54nmB3/index.php
Extracted
Family: redline
Botnet: fuba
C2: 193.56.146.11:4162
auth_value: 43015841fc23c63b15ca6ffe1d278d5e
Signatures
Modifies Windows Defender Real-time Protection settings 17 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | gnFd48IM71.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | gnFd48IM71.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | beBo78uI30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | beBo78uI30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | beBo78uI30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | beBo78uI30.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | gnFd48IM71.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | dsFN20Jd98.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | beBo78uI30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | beBo78uI30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | gnFd48IM71.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | gnFd48IM71.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 36 IoCs
resource | yara_rule
behavioral1/memory/4312-183-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-184-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-186-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-188-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-190-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-192-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-194-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-196-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-198-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-200-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-202-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-204-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-206-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-208-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-210-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-212-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-214-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-215-0x0000000004D20000-0x0000000004D30000-memory.dmp | family_redline
behavioral1/memory/4312-218-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-221-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-223-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-225-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-227-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-229-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-231-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-233-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-235-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-237-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-239-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-241-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-243-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-245-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-247-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-249-0x0000000004B50000-0x0000000004B8E000-memory.dmp | family_redline
behavioral1/memory/4312-1101-0x0000000004D20000-0x0000000004D30000-memory.dmp | family_redline
behavioral1/memory/4476-2065-0x0000000004C00000-0x0000000004C10000-memory.dmp | family_redline
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | hk20nu24hF74.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 14 IoCs
pid | Process
1580 | ptij9201PS.exe
1360 | ptJz2647jo.exe
1436 | ptQD8872wC.exe
4416 | ptwI6001xk.exe
3376 | ptrH0178oE.exe
2920 | beBo78uI30.exe
4312 | cuez92rc12.exe
1012 | dsFN20Jd98.exe
4476 | fr07yk8036mv.exe
3292 | gnFd48IM71.exe
396 | hk20nu24hF74.exe
5068 | mnolyk.exe
4940 | jxCN48nY02.exe
4856 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
2936 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | dsFN20Jd98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | gnFd48IM71.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | beBo78uI30.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptij9201PS.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptJz2647jo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ptwI6001xk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ptrH0178oE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptij9201PS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ptJz2647jo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptQD8872wC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ptQD8872wC.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptwI6001xk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptrH0178oE.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4960 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
2920 | beBo78uI30.exe
2920 | beBo78uI30.exe
4312 | cuez92rc12.exe
4312 | cuez92rc12.exe
1012 | dsFN20Jd98.exe
1012 | dsFN20Jd98.exe
4476 | fr07yk8036mv.exe
4476 | fr07yk8036mv.exe
3292 | gnFd48IM71.exe
3292 | gnFd48IM71.exe
4940 | jxCN48nY02.exe
4940 | jxCN48nY02.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2920 | beBo78uI30.exe
Token: SeDebugPrivilege | 4312 | cuez92rc12.exe
Token: SeDebugPrivilege | 1012 | dsFN20Jd98.exe
Token: SeDebugPrivilege | 4476 | fr07yk8036mv.exe
Token: SeDebugPrivilege | 3292 | gnFd48IM71.exe
Token: SeDebugPrivilege | 4940 | jxCN48nY02.exe
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are grouped; the count after procid_target is the number of times that row appears in the 64 entries.
description | pid | Process | procid_target
PID 4212 wrote to memory of 1580 | 4212 | 50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe | 86 (3 entries)
PID 1580 wrote to memory of 1360 | 1580 | ptij9201PS.exe | 87 (3 entries)
PID 1360 wrote to memory of 1436 | 1360 | ptJz2647jo.exe | 88 (3 entries)
PID 1436 wrote to memory of 4416 | 1436 | ptQD8872wC.exe | 89 (3 entries)
PID 4416 wrote to memory of 3376 | 4416 | ptwI6001xk.exe | 90 (3 entries)
PID 3376 wrote to memory of 2920 | 3376 | ptrH0178oE.exe | 91 (2 entries)
PID 3376 wrote to memory of 4312 | 3376 | ptrH0178oE.exe | 92 (3 entries)
PID 4416 wrote to memory of 1012 | 4416 | ptwI6001xk.exe | 94 (3 entries)
PID 1436 wrote to memory of 4476 | 1436 | ptQD8872wC.exe | 95 (3 entries)
PID 1360 wrote to memory of 3292 | 1360 | ptJz2647jo.exe | 104 (2 entries)
PID 1580 wrote to memory of 396 | 1580 | ptij9201PS.exe | 105 (3 entries)
PID 396 wrote to memory of 5068 | 396 | hk20nu24hF74.exe | 106 (3 entries)
PID 4212 wrote to memory of 4940 | 4212 | 50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe | 107 (3 entries)
PID 5068 wrote to memory of 4960 | 5068 | mnolyk.exe | 108 (3 entries)
PID 5068 wrote to memory of 4424 | 5068 | mnolyk.exe | 110 (3 entries)
PID 4424 wrote to memory of 1148 | 4424 | cmd.exe | 112 (3 entries)
PID 4424 wrote to memory of 5024 | 4424 | cmd.exe | 113 (3 entries)
PID 4424 wrote to memory of 5060 | 4424 | cmd.exe | 114 (3 entries)
PID 4424 wrote to memory of 2024 | 4424 | cmd.exe | 115 (3 entries)
PID 4424 wrote to memory of 4496 | 4424 | cmd.exe | 116 (3 entries)
PID 4424 wrote to memory of 1496 | 4424 | cmd.exe | 117 (3 entries)
PID 5068 wrote to memory of 2936 | 5068 | mnolyk.exe | 120 (3 entries)
Processes
Process tree (nesting shows parent/child; each entry gives image path, PID, command line and the signatures that fired for it).
- C:\Users\Admin\AppData\Local\Temp\50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe (PID 4212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\50a3b0ab793f769dc7a200438673bebe51e84a0d0367b6cce6cf87c998f1ca96.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptij9201PS.exe (PID 1580)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptij9201PS.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJz2647jo.exe (PID 1360)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJz2647jo.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptQD8872wC.exe (PID 1436)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptQD8872wC.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptwI6001xk.exe (PID 4416)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptwI6001xk.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptrH0178oE.exe (PID 3376)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptrH0178oE.exe
            Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBo78uI30.exe (PID 2920)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBo78uI30.exe
              Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuez92rc12.exe (PID 4312)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuez92rc12.exe
              Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsFN20Jd98.exe (PID 1012)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsFN20Jd98.exe
            Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr07yk8036mv.exe (PID 4476)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr07yk8036mv.exe
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnFd48IM71.exe (PID 3292)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnFd48IM71.exe
        Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk20nu24hF74.exe (PID 396)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk20nu24hF74.exe
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe (PID 5068)
        Command line: "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 4960)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe" /F
          Signatures: Creates scheduled task(s)
        - C:\Windows\SysWOW64\cmd.exe (PID 4424)
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\465af4af92" /P "Admin:N"&&CACLS "..\465af4af92" /P "Admin:R" /E&&Exit
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 1148)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          - C:\Windows\SysWOW64\cacls.exe (PID 5024)
            Command line: CACLS "mnolyk.exe" /P "Admin:N"
          - C:\Windows\SysWOW64\cacls.exe (PID 5060)
            Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
          - C:\Windows\SysWOW64\cmd.exe (PID 2024)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          - C:\Windows\SysWOW64\cacls.exe (PID 4496)
            Command line: CACLS "..\465af4af92" /P "Admin:N"
          - C:\Windows\SysWOW64\cacls.exe (PID 1496)
            Command line: CACLS "..\465af4af92" /P "Admin:R" /E
        - C:\Windows\SysWOW64\rundll32.exe (PID 2936)
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
          Signatures: Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxCN48nY02.exe (PID 4940)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxCN48nY02.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe (PID 4856)
  Command line: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
34 entries; entries with identical hashes are grouped below (13 unique files), with the number of times each appears.
- Filesize: 239KB (6 entries)
  MD5: f1c820330031635c7d58716d3ac2d5a6
  SHA1: e48ba6646a089f7e8b026e099f1c3aa1537cc987
  SHA256: d9a2c485f3cd31223977de17ab0fa56a32ca03dff75dfdaa050d4c0744b47238
  SHA512: 8f26bcbc030ceb1792ac13d665326bc853c35ce29a92b9fdcda18bf26f712a11f3ea03e3c5a02e1226a46a31c112d5b0a69af406b3fb269a67c323479da54bc8
- Filesize: 175KB (2 entries)
  MD5: 080884d268a8a530deb2cc409edba022
  SHA1: 0b55c279cacd74feaeef4b31d8a896a9335fb2ac
  SHA256: e6fb951a0cd8593b73818cd6000009a37dc2592f27bd484a2c327981b21efab5
  SHA512: b0ebc3ea0220119f1495c81c9515e7f2ac47e3670c5f332a8e52915e759da6ae7aef88a0bf24f27e390fcda24f7664d5e9df3451238804284d9fd2f471647df1
- Filesize: 1.2MB (2 entries)
  MD5: cbe44fa5ee4abfaf984f55e363eac60c
  SHA1: f1ec08d435f82c5bf6302eb3f847715598996eda
  SHA256: 050e6509e2e051f765ebe456f831e4b28ebaf1f9f133142d92f4d18fc290a431
  SHA512: 8302225d6c4e4c0dea402c924b25601b22ef478b2e4ff1ed6d4650b7d559fbe10c5f7d95c79bc99c8691145d63ce686a8f68562baa7f909713cfa9f28dbece59
- Filesize: 1.0MB (2 entries)
  MD5: 8974493ac6892db324a1c94b574c5166
  SHA1: 062fca4ec53ea6655e6ff781976a52a3d227aa15
  SHA256: 457554e3d505b636259ffcba1c5a95a007bc07cff5a0b845578446634812dd7a
  SHA512: 97fb00a29dff1bbc71beba6818492078d29473e9956bafcb3105a10955dd1a4b9611857c3e0ae8126367c2645d0016ae2a1870c4be26c76251f1093d613271ab
- Filesize: 11KB (2 entries)
  MD5: e76ca17f4279ceca9c1dace0bbe76f3a
  SHA1: 89390212fd3a4f4ea6955ac20abb8dff6843580b
  SHA256: 60a57584c7e46a90c98f78fd3331f058bcbafefce2070f5e1bd1c8835fc80bab
  SHA512: 9de90e8e23e2d71318c12ca63d90d3c07de95c630a7b53ab05bad28c10218e07de5840fdde7f0bcfd833cc0f0556850f0a5fd34726ec60b9d4ffcab472ab72cc
- Filesize: 935KB (2 entries)
  MD5: 3ec99d7bcf9eb391e4034c9984ed0fc9
  SHA1: a4efc045216c5451d152bdfd172d11296a523571
  SHA256: 334fd55f08a31204e5c17a7b5f5d392415f430a492c8b964f32f5c4c776d04f4
  SHA512: 251eed14072a9a97e190c10e23790370ffb78ca58866aacba7579b8c7dcabdd9d9e25596d5d13374c0307090ffde30a35faba4566f4fd623f4a1642f13fd9b23
- Filesize: 304KB (5 entries)
  MD5: fc9d1d13726797f824009a1594b5a9c3
  SHA1: 447b53284c76edef32a942621ad7fdfd0f3ce704
  SHA256: 872ecd8396e50afecfef2ee302850acfcf722f27323f6a10417061c8045c6276
  SHA512: e152fe5fd78221773fb50203a7d48216dac92a5d1df3bbd65d6150d681f4e1ef4a0ab78ddc038bf3c6cbe85d57ccedab901911b4b5fa9489ed4e9435d5021729
- Filesize: 666KB (2 entries)
  MD5: cc0e65373b522afdfb3a0c7a6c53b9cb
  SHA1: 94b530403e48f17915b3de326200c62d61e539a6
  SHA256: fa54354b06205e25de32955bc3d84fc6e607675153ce38a02957a9fc3d44be70
  SHA512: 9d2b73c8b181f2a2c8dee9ac254b913b943b98f946fa1ce46259b08e0873fc09b05570a130507aa6386e79ea4906c8955cc68ce94d258bb60a7828e4b920fd52
- Filesize: 246KB (2 entries)
  MD5: fca7bb7fa17349bcd1e9cbcbbf9a69bd
  SHA1: 1f373b9a657e213d7b12f50f4c91a38b6ca6fdab
  SHA256: 60871084d40a6621437ee47f61d1d50c293b72062fcab966b47c67c47f8b96ad
  SHA512: ffe4a400a692c1bd76288855a0c7de8c64ac7740bbc5c7ec8a8e5edf60d29b636221cbdfda7bdf4f2cfb26464a8199bec33adde663cbed4664962eb0df20698d
- Filesize: 391KB (2 entries)
  MD5: 36c966b075a8531b3607cc84ad2a0723
  SHA1: b65220794338188b12781f7688e3bd73750cf1e5
  SHA256: 9c0609df1fad846d0a992c917c321cea7b5d7c8dab83d92ff1c5f51105a2044f
  SHA512: 12d275a4e77aced7330017db1db6145d1b8d1e8dda1899ee32eb09756ea6b607704018ae6eb0eccd51bbb715c98c6e887498c7fc667ac9bfa10dd02c77f0a063
- Filesize: 11KB (3 entries)
  MD5: 0923771b7c7ddd0c9c29aac1697be926
  SHA1: 730d2a277bef087e976d53af05e85b1641c56d93
  SHA256: 1fc2e0f6b1f00332d51aa9eedb58bd22b387e6a7fb60fd47d86c0ef5873f9027
  SHA512: fdce41ab949b54b8921c12f06688f4cb40a28203e23dbdb674a82a95f03e3779adf429f49f187e531ac32b0c170e607582a393f28b1e1b17737e2958a2d76898
- Filesize: 89KB (3 entries)
  MD5: eff1ce4e3c7459a8061b91c5b55e0504
  SHA1: b790e43dae923d673aadf9e11a4f904a4c44a3f4
  SHA256: bfa2c6b2a0303482dd77f02dc34fa0df450f46debd87b8d6a8473ac7889b605a
  SHA512: d3ade314ad8f337d5117a3e0cec2eb7128936d97f09f496e1a0cb76b4e3204c30858ab4c6a2da9bd8fe776d32b7af38dc60d14b7c800d6f0ebb275132172cd78
- Filesize: 162B (1 entry)
  MD5: 1b7c22a214949975556626d7217e9a39
  SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
  SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
  SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5