Analysis
max time kernel: 233s
max time network: 251s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system
submitted: 06/07/2023, 03:50
Static task
static1
Behavioral task
behavioral1
Sample
0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe
Resource
win7-20230705-en
Behavioral task
behavioral2
Sample
0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe
Resource
win10-20230703-en
General
Target 0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe
Size 3.9MB
MD5 94e1aab14bdabba9b6d674340689405c
SHA1 312d2ca04b9330f57d30756ca17f7511ceb62e88
SHA256 0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad
SHA512 c537f0972aa356d7d1d6b8b009ebc5a2865d921c5180c43b3f059fea852ccb6ff100ed882a2226e7f5ac4f4bae41596dcc08abb789b45d11ddc1fbee27467d1c
SSDEEP 49152:3RBTN3JIiW0QsudBoHY6Xp8TbHTb+vBeqgV3tZuigMYI6NLcDe4JHMSrnozGdj4d:FWxxap0R8igM1qcL/nQwMXzrc+
Malware Config
Extracted
Family redline
Botnet furod
C2 77.91.68.70:19073
auth_value d2386245fe11799b28b4521492a5879d
Extracted
Family amadey
Version 3.84
C2 77.91.68.63/doma/net/index.php
Signatures

Detects Healer, an antivirus disabler dropper (5 IoCs)
resource | yara_rule
behavioral2/memory/4196-140-0x00000000001D0000-0x00000000001DA000-memory.dmp | healer
behavioral2/files/0x000600000001afa7-224.dat | healer
behavioral2/files/0x000600000001afa7-225.dat | healer
behavioral2/memory/4976-226-0x00000000002E0000-0x00000000002EA000-memory.dmp | healer
behavioral2/memory/4844-277-0x00000000001D0000-0x00000000001DA000-memory.dmp | healer
The three memory hits belong to PIDs 4196 (k2956692.exe), 4976 (i0785078.exe) and 4844 (k9633000.exe), the same three processes that write the Defender values below.

Modifies Windows Defender Real-time Protection settings (15 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | i0785078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | i0785078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | i0785078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | i0785078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | i0785078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k9633000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k9633000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k9633000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k9633000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k9633000.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE (17 IoCs)
pid | process
5028 | y8439966.exe
4196 | k2956692.exe
220 | l8646813.exe
3160 | n9898987.exe
404 | rugen.exe
1540 | foto175.exe
4312 | x6327775.exe
4608 | f7353167.exe
4764 | g6953334.exe
4976 | i0785078.exe
2720 | fotod45.exe
2076 | y3046906.exe
4844 | k9633000.exe
996 | rama.exe
4100 | l1512432.exe
4980 | rugen.exe
2684 | n5368815.exe

Loads dropped DLL (2 IoCs)
pid | process
2188 | regsvr32.exe
224 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (4 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k2956692.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | i0785078.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k9633000.exe
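Detection logic for the Defender registry writes in the two tables above, as an added example that is not part of the tria.ge report. It runs over registry SetValue records reconstructed from the IoCs listed here (the record layout and the field names "process", "path" and "data" are this example's own; on a live host the same data comes from Sysmon Event ID 13 or EDR registry telemetry) and labels each process by which protection it switched off, folding the WOW6432Node view into the native path so one rule covers both. Two constructed control records, a re-enable (data 0) and an ordinary Run key, show what is not flagged. Triage caveat: on Windows 10 1903 and later with Tamper Protection enabled, a direct write such as TamperProtection = 0 is blocked; the Windows 10 1703 image used for this run predates Tamper Protection.

```python
"""Flag Windows Defender tampering in registry SetValue telemetry.

Added example, not part of the tria.ge report. Events are reconstructed
from the report's IoCs; the record layout is this example's own.
"""
from collections import defaultdict

RTP_POLICY_KEY = (
    r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
    r"\Real-Time Protection"
)
# Policy values that switch off a real-time protection component when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# Direct write of TamperProtection = 0 under the Defender Features key.
TAMPER_VALUE = r"\Microsoft\Windows Defender\Features\TamperProtection"


def normalize(path):
    """Fold the WOW6432Node registry view into the native path."""
    return path.replace("\\WOW6432Node", "")


def classify(event):
    """Return a label when a SetValue event weakens Defender, else None."""
    path = normalize(event["path"])
    key, _, value = path.rpartition("\\")
    data = event["data"]
    if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == 1:
        return f"rtp_policy_disabled:{value}"
    if path.lower().endswith(TAMPER_VALUE.lower()) and data == 0:
        return "tamper_protection_off"
    return None


def summarize(events):
    """Map process name -> sorted labels; several labels from one process is the dropper pattern."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["process"]].add(label)
    return {proc: sorted(labels) for proc, labels in hits.items()}


def _reconstructed_events():
    """Events reconstructed from the report's IoCs, plus two constructed controls."""
    events = []
    # (process, registry view it used for the Features key), as seen in the report.
    for proc, view in (("k2956692.exe", "\\WOW6432Node"),
                       ("i0785078.exe", ""),
                       ("k9633000.exe", "\\WOW6432Node")):
        for value in sorted(RTP_DISABLE_VALUES):
            events.append({"process": proc, "path": f"{RTP_POLICY_KEY}\\{value}", "data": 1})
        events.append({"process": proc,
                       "path": f"\\REGISTRY\\MACHINE\\SOFTWARE{view}{TAMPER_VALUE}",
                       "data": 0})
    # Constructed controls: a policy refresh re-enabling monitoring, and the
    # unrelated Run value rugen.exe writes (from the report's Run-key table).
    events.append({"process": "gpupdate.exe",
                   "path": f"{RTP_POLICY_KEY}\\DisableRealtimeMonitoring", "data": 0})
    events.append({"process": "rugen.exe",
                   "path": r"\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000"
                           r"\Software\Microsoft\Windows\CurrentVersion\Run\foto175.exe",
                   "data": r"C:\Users\Admin\AppData\Local\Temp\1000023051\foto175.exe"})
    return events


SAMPLE_EVENTS = _reconstructed_events()

if __name__ == "__main__":
    for proc, labels in summarize(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(labels)}")
```

Each of the three Healer processes comes out with all five policy labels plus tamper_protection_off; a single DisableRealtimeMonitoring write is a weaker signal on its own (admins and some AV installers set it), so alert on the combination rather than on one value.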
Adds Run key to start application (2 TTPs, 15 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | foto175.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y3046906.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x6327775.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x6327775.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | fotod45.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y3046906.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y8439966.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\foto175.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023051\\foto175.exe" | rugen.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y8439966.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | foto175.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\fotod45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000024051\\fotod45.exe" | rugen.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fotod45.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\rama.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000025051\\rama.exe" | rugen.exe
The wextract_cleanupN RunOnce values and the IXPnnn.TMP directories are written by the Windows WEXTRACT (IExpress) self-extractor, which schedules deletion of its extraction directory at next logon through advpack.dll DelNodeRunDLL32; they mark the nested self-extracting layers of this sample rather than malware-authored persistence. The three HKU ...\Run values written by rugen.exe (foto175.exe, fotod45.exe, rama.exe) are the autostart entries proper.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
192 | schtasks.exe
The command line in the process tree registers a task named rugen.exe that runs C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe every minute (/SC MINUTE /MO 1 /F).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | process
4196 | k2956692.exe
220 | l8646813.exe
4608 | f7353167.exe
4976 | i0785078.exe
4844 | k9633000.exe
4100 | l1512432.exe
(each process is listed twice in the original 12-entry table)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4196 | k2956692.exe
Token: SeDebugPrivilege | 220 | l8646813.exe
Token: SeDebugPrivilege | 4608 | f7353167.exe
Token: SeDebugPrivilege | 4976 | i0785078.exe
Token: SeDebugPrivilege | 4844 | k9633000.exe
Token: SeDebugPrivilege | 4100 | l1512432.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | process
3160 | n9898987.exe

Suspicious use of WriteProcessMemory (64 IoCs)
parent pid | parent process | target pid | procid_target | writes
3592 | 0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe | 5028 | 71 | 3
5028 | y8439966.exe | 4196 | 72 | 3
5028 | y8439966.exe | 220 | 74 | 3
3592 | 0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe | 3160 | 77 | 3
3160 | n9898987.exe | 404 | 78 | 3
404 | rugen.exe | 192 | 79 | 3
404 | rugen.exe | 3164 | 81 | 3
3164 | cmd.exe | 4768 | 83 | 3
3164 | cmd.exe | 2140 | 84 | 3
3164 | cmd.exe | 4284 | 85 | 3
3164 | cmd.exe | 1068 | 86 | 3
3164 | cmd.exe | 4392 | 87 | 3
3164 | cmd.exe | 4784 | 88 | 3
404 | rugen.exe | 1540 | 89 | 3
1540 | foto175.exe | 4312 | 91 | 3
4312 | x6327775.exe | 4608 | 92 | 3
4312 | x6327775.exe | 4764 | 94 | 3
1540 | foto175.exe | 4976 | 95 | 2
404 | rugen.exe | 2720 | 96 | 3
2720 | fotod45.exe | 2076 | 98 | 3
2076 | y3046906.exe | 4844 | 100 | 3
404 | rugen.exe | 996 | 101 | 2
(the table is capped at 64 entries, so the last two parent/child pairs are cut short)
Processes
(indentation shows parent/child depth; image path first, then the command line as logged)

C:\Users\Admin\AppData\Local\Temp\0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\0f0eb06f46b815a0a91b226be8f7d71e02127acbe9f63fc370ebc7e440033dad.exe"
PID: 3592
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439966.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439966.exe
    PID: 5028
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2956692.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2956692.exe
        PID: 4196
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8646813.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8646813.exe
        PID: 220
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9898987.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9898987.exe
    PID: 3160
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"
        PID: 404
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F
            PID: 192
            - Creates scheduled task(s)

            C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit
            PID: 3164
            - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 4768

                C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "rugen.exe" /P "Admin:N"
                PID: 2140

                C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "rugen.exe" /P "Admin:R" /E
                PID: 4284

                C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 1068

                C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\200f691d32" /P "Admin:N"
                PID: 4392

                C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\200f691d32" /P "Admin:R" /E
                PID: 4784

            C:\Users\Admin\AppData\Local\Temp\1000023051\foto175.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000023051\foto175.exe"
            PID: 1540
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6327775.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6327775.exe
                PID: 4312
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7353167.exe
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7353167.exe
                    PID: 4608
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6953334.exe
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6953334.exe
                    PID: 4764
                    - Executes dropped EXE

                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0785078.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0785078.exe
                PID: 4976
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\1000024051\fotod45.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000024051\fotod45.exe"
            PID: 2720
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3046906.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3046906.exe
                PID: 2076
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9633000.exe
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9633000.exe
                    PID: 4844
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

                    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1512432.exe
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1512432.exe
                    PID: 4100
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5368815.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5368815.exe
                PID: 2684
                - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\1000025051\rama.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000025051\rama.exe"
            PID: 996
            - Executes dropped EXE

                C:\Windows\SysWOW64\regsvr32.exe
                cmdline: "C:\Windows\System32\regsvr32.exe" /U /S f47OA.nJ
                PID: 2188
                - Loads dropped DLL

            C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            PID: 224
            - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
PID: 4980
- Executes dropped EXE
(second tree root with no parent shown; consistent with a launch by the one-minute scheduled task registered above, though the report does not record the parent)
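The rugen.exe branch shows a persistence pattern worth its own detection: schtasks registers a task that re-runs the binary from AppData\Local\Temp every minute, and cacls first replaces the interactive user's rights on the file and its directory with no access (/P "Admin:N") and then edits read access back in (/P "Admin:R" /E), so the user can neither delete nor overwrite what the task keeps launching. The following is an added example, not part of the tria.ge report: it takes process records transcribed from the tree above (pid, ppid, image, command line; the record layout is this example's own, and in practice the data would come from Sysmon Event ID 1 or Security 4688 with command-line auditing) and correlates a minute-interval task whose target sits under a user-writable directory with cacls deny calls that descend from the same parent process. Two constructed control records, a vendor task under Program Files and a cacls call from an unrelated process, show what is not flagged; the user-writable directory list is this example's assumption.

```python
"""Correlate a minute-interval scheduled task with cacls lockdown of its target.

Added example, not part of the tria.ge report. Process records are
transcribed from the report's process tree; the layout is this example's own.
"""
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to (assumed list); a task relaunching
# a binary from one of these every minute is the signal we want.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")

SCHTASKS_RE = re.compile(r'/SC\s+(\w+)\s+/MO\s+(\d+).*?/TR\s+(?:"([^"]+)"|(\S+))', re.I)
CACLS_RE = re.compile(r'cacls\s+"?([^"\s]+)"?\s+/P\s+"?([^":\s]+):([NRWCF])"?', re.I)


def ancestors(pid, by_pid):
    """Walk ppid links upward; stops when the parent is not in the record set."""
    out = []
    while pid in by_pid:
        pid = by_pid[pid]["ppid"]
        out.append(pid)
    return out


def _image_name(proc):
    return PureWindowsPath(proc["image"]).name.lower()


def find_chains(procs):
    """One finding per minute-interval task under a user-writable path, with the
    cacls deny calls (same parent lineage) that lock its file or directory."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if _image_name(p) != "schtasks.exe":
            continue
        m = SCHTASKS_RE.search(p["cmdline"])
        if not m:
            continue
        sched, every, target = m.group(1).upper(), int(m.group(2)), m.group(3) or m.group(4)
        if sched != "MINUTE" or every > 5 or not any(d in target.lower() for d in USER_WRITABLE):
            continue
        tpath = PureWindowsPath(target)
        creator = p["ppid"]  # the process that registered the task
        locked_by = []
        for q in procs:
            if _image_name(q) != "cacls.exe" or creator not in ancestors(q["pid"], by_pid):
                continue
            c = CACLS_RE.search(q["cmdline"])
            if not c or c.group(3).upper() != "N":
                continue
            obj = PureWindowsPath(c.group(1)).name.lower()
            if obj in (tpath.name.lower(), tpath.parent.name.lower()):
                locked_by.append((q["pid"], c.group(1), c.group(2)))
        findings.append({"task_pid": p["pid"], "creator_pid": creator, "target": target,
                         "every_min": every, "locked_by": locked_by})
    return findings


PROCS = [
    {"pid": 3160, "ppid": 3592, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9898987.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9898987.exe"},
    {"pid": 404, "ppid": 3160, "image": r"C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"'},
    {"pid": 192, "ppid": 404, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F'},
    {"pid": 3164, "ppid": 404, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" '
                r'/P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit'},
    {"pid": 2140, "ppid": 3164, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "rugen.exe" /P "Admin:N"'},
    {"pid": 4284, "ppid": 3164, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "rugen.exe" /P "Admin:R" /E'},
    {"pid": 4392, "ppid": 3164, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "..\200f691d32" /P "Admin:N"'},
    {"pid": 4784, "ppid": 3164, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "..\200f691d32" /P "Admin:R" /E'},
    # Constructed controls: a minute task under Program Files, and a cacls call
    # with no lineage back to rugen.exe.
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC MINUTE /MO 1 /TN VendorAgent /TR "C:\Program Files\Vendor\agent.exe"'},
    {"pid": 9002, "ppid": 9000, "image": r"C:\Windows\System32\cacls.exe", "cmdline": r'CACLS "rugen.exe" /P "Admin:N"'},
]

if __name__ == "__main__":
    for f in find_chains(PROCS):
        print(f"task {f['task_pid']} by {f['creator_pid']}: {f['target']} every {f['every_min']} min; "
              f"locked by {[pid for pid, _, _ in f['locked_by']]}")
```

For this tree the single finding is the task registered by PID 404 (rugen.exe) with the two deny calls, PIDs 2140 and 4392, attached; the read-only re-grants (PIDs 4284 and 4784) are deliberately not counted, since a lone /P "user:R" /E is also what a careful admin might run.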
Network
MITRE ATT&CK Enterprise v6
Downloads
(45 entries on the page; entries with identical hashes collapsed, occurrence count in parentheses)

Filesize 226B (1)
MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Filesize 3.6MB (3)
MD5 200d646803c19e20080049671f1e3204
SHA1 d11e89ed032ba910fe5e520ae66da07462dfdf4f
SHA256 fa7a198aaf6172d3cf202f12d55a2d4b40afce4fb38db835791fae919989439b
SHA512 39d1f20ce1be4b38da6c7b27bb018d607158dddc8ec39cc414c20cae7e4bc30747ed2970185acba206dd7d19019130829d99ec88e22ebd5ede8d4205fe75802b

Filesize 3.9MB (3)
MD5 800bd3651d86e19151e9a40863e1369c
SHA1 361bfd1af9e55224562482b428bd7579665d015e
SHA256 5839b768896d0646688ff3d8df6a6f81809af2196cf6adde997745db4047791e
SHA512 8a918c162fc11ecfd94da43aa6d20a417556022972545358193736f55e1fca3fd8542e306c1a94f05b31c663e2f2d3de978eaaa04bc2b17d9e20284c7c5c6c8f

Filesize 1.5MB (3)
MD5 4d9a29c54c5833128428517ac4f1fba5
SHA1 49484016d5f39b80f6b218d31a7720c9c9dddbc4
SHA256 1d2bcd33209705711214d8a8df47bce7737cf1dd43bccba4d3d8ef37f49f03ee
SHA512 546cddc4ad90ce899704982ea01f8714c2b0636d2abca0118d778b0f3922e00a99ee97be1928dc86e3006ea321b75f3fe6264dcdff68b7782cb5e15b5ddb4ef0

Filesize 205KB (10)
MD5 835f1373b125353f2b0615a2f105d3dd
SHA1 1aae6edfedcfe6d6828b98b114c581d9f15db807
SHA256 00f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA512 8826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5

Filesize 11KB (2)
MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize 434KB (2)
MD5 21b16f813bbbe42cbec76e424285af28
SHA1 bb77a6ef42bf698b590df2256f4d15339fed0d95
SHA256 6789a897627cdcfb0041f0c9fde41a3f7ccb48704ff295913e006df26987a5b4
SHA512 fff3983dacc16507ae7b2b26d052e011ca12cf1521aaa905b7f09f2c5f5ceb808b384c4672e2b7bdd3bd04196f812003d095af0ba115521dc3cc5f0aa2b0d55e

Filesize 410KB (2)
MD5 23900beb2fdaba659e4f6e28ec4a75a3
SHA1 fe4852dfb9014938b89df530b1183f6e3e8af827
SHA256 0c905f754434aa3b0305cf7486f6d0f1e2a4f3ff4f74b288a0db3a1695f7c7bb
SHA512 c806f5f74139dc40e85dbc28561776ea75f906c1191b73ae867c411c0a9c6e3863c6387387dbc6a8f00e9378f2ba852c2b7136cd088c7e383b641d88cf18db54

Filesize 1.3MB (2)
MD5 78ca31f72a0c0b4baa5d5172468b2448
SHA1 daaad4da1ca44635d78d49e2a5196ee4cfe6a66e
SHA256 15cdd76f2f891e7d3dd79e00ccf0dd60ed33615cfb5255ef3993a1e670d5c6d1
SHA512 b9f8740613f2a739a70649a1ff5a97cecd8e55669182445738ed848988aa628109b0549650c4e821656c10e3aa9a767f3f5d71ec7df5ace40b9b92d3af5bbe7d

Filesize 185KB (2)
MD5 060065eaa74019b689fb7f7133507aad
SHA1 41c6a2b26aecab39427b166bbfd23fad7563ba0d
SHA256 d5b22db96a8588115b8ee422357795760619e5d25360aeff8f362b72f644028a
SHA512 f0e4ed1ae7b8e59a9a3a3a66d42de397b1b3314383dc70f4112e4905d18675252614dd37b159484e6054333b8afa0c819a33a7942f0c595e3085d870d0638b2f

Filesize 1.3MB (2)
MD5 41e2a3356bfac9a986f796fa0f22e4b4
SHA1 3339977d323e03c9545486b659c270ee80bcaa1a
SHA256 4c5dc25df5df11041e4876c9515de134123628083c6b2bbe7ad4af960da97bae
SHA512 beb6508884a714e6101af935508e390ae3d90646f5738989cae2e782faf674e2b882862e4f49466e0caa8b14721c58724017e15ddb2a93d3a2ca428bff670e4f

Filesize 402KB (2)
MD5 c0731eae096c77012fab2b5051bc6fb2
SHA1 0376abdb9097c27d703edf5eea194fc19b5d21b7
SHA256 cbdba31274796e6d42a2bd3e69a584a38360691b7d489006d34fa608bd0c8b3b
SHA512 62906df0d1b665be6361dcb8029e9b7ec742655263f50965813296549a5e22d331dfc6b29f557aa18a421304c5386a8097948c8826536b473355e2f63a6b1c53

Filesize 185KB (2)
MD5 2f65fddd7e63440ad25d3d8b84f5bc7e
SHA1 9bc880f0cc990769eb39deba36ef4a3490747ca7
SHA256 64cb35132d75d37bb820d5f8ae0ed6a6c74e7f059112dcab20fa5c47999c994c
SHA512 3c21b94781be15216eee0c86c44f646d1b3df84649a95941ce1652392abfc803a845cca60c20b8a18c89a517417ba1f22bfc82bafc9ce8d965c2a6b47727a8d3

Filesize 1.3MB (3)
MD5 9fd8457062e435a45fb90d5efc09b554
SHA1 b0189eac4b1586550a98ea42dfe4ab617df5a802
SHA256 a1174d7929920742a96cbbe44f5b49f412c17d8ad2e282981d32b909a3f739ec
SHA512 d6d709a3aac448675ebc109d34ebf05819d243a0c53df8fa6176e1269754a3fdae54ac4265c855f8656f0c2843931aa41d68a74021b6a5d8027bb69bb0e6c777

Filesize 1.3MB (2)
MD5 dc5a9d39a44f3a3afeee68874479b4f6
SHA1 9daf8ecab8dfa2c4fb9f030e2197012afb574650
SHA256 ed007cefb58fd4a9879106ef577844038fbf2bfe3ab66034532dfc8a263a375a
SHA512 6642340150476334d79605adfbb87c91ac4af6b3212b52a08e74b1b9a5ecb05a150b93fc29549b8f896f6f8ac6db25bb56449c5fb3099c5e82c3990b27e51528

Filesize 89KB (3)
MD5 83fc14fb36516facb19e0e96286f7f48
SHA1 40082ca06de4c377585cd164fb521bacadb673da
SHA256 08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512 ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Filesize 273B (1)
MD5 04a943771990ab49147e63e8c2fbbed0
SHA1 a2bde564bef4f63749716621693a3cfb7bd4d55e
SHA256 587c2fb0cf025a255a077b24fe6433fd67bdfac451d74d321d86db96c369841e
SHA512 40e325e6e50e2d7b6c9dd0c555e23c85c4a45bd1829a76efa0383dcc05ac5fd19a14804079a5d2523ded92b03b6e3051c3e8780053795be3359bf32dd3094a6d