Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/03/2023, 05:47
Static task: static1
Behavioral task: behavioral1
Sample: fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe
Resource: win7-20230220-en
General
- Target: fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe
- Size: 730KB
- MD5: fb0fa6d37a6f1fa1d7643bc8cfde5cc9
- SHA1: b84458e32dbad5a210225f2bab91043632053515
- SHA256: 3e9f80572c387f795a42a40bf120921706926aea28c7b81a49f86ecacb63a612
- SHA512: 39ba2f5d07395ae1598768d358f77e95f4b2148e3303d5bce489ab018d1e5cc8552f9d97ef0af720996c811d17530f124ac7a6ddbc7547c93b7eb76e3e027886
- SSDEEP: 12288:NMrmy90Yw9DIQ5ocH0GCF9XeUs898OfwlpbJvgmyzM9qWohYlirZjQ1rAo:PyFmBucHdCF9Xk89RfSIto9ChYGTo
Malware Config

Extracted: amadey
- Version: 3.66
- C2: 62.204.41.4/Gol478Ns/index.php

Extracted: redline
- Botnet: dunm
- C2: 193.233.20.12:4132
- auth_value: 352959e3707029296ec94306d74e2334

Extracted: redline
- Botnet: gena
- C2: 193.233.20.30:4125
- auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted: redline
- Botnet: ruka
- C2: 193.233.20.28:4125
- auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Signatures

Modifies Windows Defender Real-time Protection settings
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: f8841jw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: f8841jw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: f8841jw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: h14th87.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: h14th87.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: h14th87.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: f8841jw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: f8841jw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: f8841jw.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: h14th87.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: h14th87.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: h14th87.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 19 IoCs
Resources matching yara rule family_redline:
- behavioral2/memory/4604-262-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-263-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-266-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-269-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-273-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-275-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-277-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-279-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-281-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-283-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-285-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-287-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-289-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-291-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-293-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-295-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-297-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-299-0x0000000002B10000-0x0000000002B4E000-memory.dmp
- behavioral2/memory/4604-1177-0x0000000000C50000-0x0000000000C60000-memory.dmp
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation (process: aYL50lZ.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation (process: mnolyk.exe)
Executes dropped EXE 14 IoCs
- PID 3376: fAd41xy.exe
- PID 3908: fYp16kk.exe
- PID 3672: aYL50lZ.exe
- PID 3948: mnolyk.exe
- PID 4024: bkQ58NF.exe
- PID 5104: siga30.exe
- PID 948: niba5611.exe
- PID 3292: niba4478.exe
- PID 2496: f8841jw.exe
- PID 2420: h14th87.exe
- PID 4604: iAMnK92.exe
- PID 2420: l36oh67.exe
- PID 1388: mnolyk.exe
- PID 1304: mnolyk.exe

Loads dropped DLL 1 IoCs
- PID 3280: rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: f8841jw.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: h14th87.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: h14th87.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 13 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\siga30.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028051\\siga30.exe" (process: mnolyk.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: fAd41xy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: fAd41xy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: fYp16kk.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: siga30.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: siga30.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: niba5611.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: fYp16kk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (process: niba5611.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: niba4478.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" (process: niba4478.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
- pid 3360 WerFault.exe, pid_target 2420, procid_target 109
- pid 2180 WerFault.exe, pid_target 4604, procid_target 113

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1372: schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
- PID 2496: f8841jw.exe
- PID 2496: f8841jw.exe
- PID 2420: h14th87.exe
- PID 2420: h14th87.exe
- PID 4604: iAMnK92.exe
- PID 4604: iAMnK92.exe
- PID 2420: l36oh67.exe
- PID 2420: l36oh67.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, PID 2496 f8841jw.exe
- Token: SeDebugPrivilege, PID 2420 h14th87.exe
- Token: SeDebugPrivilege, PID 4604 iAMnK92.exe
- Token: SeDebugPrivilege, PID 2420 l36oh67.exe

Suspicious use of WriteProcessMemory 62 IoCs
Each row reads "source PID (source process) wrote to memory of target PID, procid_target"; identical rows are collapsed with a repeat count.
- 2936 (fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe) wrote to memory of 3376, procid_target 87 (x3)
- 3376 (fAd41xy.exe) wrote to memory of 3908, procid_target 88 (x3)
- 3908 (fYp16kk.exe) wrote to memory of 3672, procid_target 89 (x3)
- 3672 (aYL50lZ.exe) wrote to memory of 3948, procid_target 90 (x3)
- 3908 (fYp16kk.exe) wrote to memory of 4024, procid_target 91 (x3)
- 3948 (mnolyk.exe) wrote to memory of 1372, procid_target 92 (x3)
- 3948 (mnolyk.exe) wrote to memory of 4984, procid_target 94 (x3)
- 4984 (cmd.exe) wrote to memory of 1868, procid_target 96 (x3)
- 4984 (cmd.exe) wrote to memory of 3992, procid_target 97 (x3)
- 4984 (cmd.exe) wrote to memory of 3252, procid_target 98 (x3)
- 4984 (cmd.exe) wrote to memory of 2092, procid_target 99 (x3)
- 4984 (cmd.exe) wrote to memory of 1920, procid_target 100 (x3)
- 4984 (cmd.exe) wrote to memory of 5036, procid_target 101 (x3)
- 3948 (mnolyk.exe) wrote to memory of 5104, procid_target 102 (x3)
- 5104 (siga30.exe) wrote to memory of 948, procid_target 103 (x3)
- 948 (niba5611.exe) wrote to memory of 3292, procid_target 104 (x3)
- 3292 (niba4478.exe) wrote to memory of 2496, procid_target 105 (x2)
- 3292 (niba4478.exe) wrote to memory of 2420, procid_target 109 (x3)
- 948 (niba5611.exe) wrote to memory of 4604, procid_target 113 (x3)
- 5104 (siga30.exe) wrote to memory of 2420, procid_target 121 (x3)
- 3948 (mnolyk.exe) wrote to memory of 3280, procid_target 122 (x3)
Processes
Child processes are indented under their parent; each entry lists the image path, the command line, the signatures that fired for it, and its PID.

C:\Users\Admin\AppData\Local\Temp\fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fb0fa6d37a6f1fa1d7643bc8cfde5cc9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2936
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fAd41xy.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fAd41xy.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3376
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fYp16kk.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fYp16kk.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3908
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aYL50lZ.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aYL50lZ.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3672
        C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 3948
          C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
            - Creates scheduled task(s)
            PID: 1372
          C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            PID: 4984
            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 1868
            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "mnolyk.exe" /P "Admin:N"
              PID: 3992
            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "mnolyk.exe" /P "Admin:R" /E
              PID: 3252
            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 2092
            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "..\4b9a106e76" /P "Admin:N"
              PID: 1920
            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "..\4b9a106e76" /P "Admin:R" /E
              PID: 5036
          C:\Users\Admin\AppData\Local\Temp\1000028051\siga30.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\1000028051\siga30.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 5104
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\niba5611.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\niba5611.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
              PID: 948
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\niba4478.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\niba4478.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                PID: 3292
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f8841jw.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f8841jw.exe
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2496
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\h14th87.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\h14th87.exe
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2420
                  C:\Windows\SysWOW64\WerFault.exe
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1044
                    - Program crash
                    PID: 3360
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iAMnK92.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iAMnK92.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 4604
                C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1600
                  - Program crash
                  PID: 2180
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l36oh67.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l36oh67.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2420
          C:\Windows\SysWOW64\rundll32.exe
            command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
            - Loads dropped DLL
            PID: 3280
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bkQ58NF.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bkQ58NF.exe
        - Executes dropped EXE
        PID: 4024

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2420 -ip 2420
  PID: 1660

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4604 -ip 4604
  PID: 4136

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  - Executes dropped EXE
  PID: 1388

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  - Executes dropped EXE
  PID: 1304
Network
MITRE ATT&CK Enterprise v6
Downloads