redline | 8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Size

508KB
MD5

531cdd1ad3c8459531e4d4300b8df171
SHA1

5bb607a26c03b9ee81dd1f5036dfe4f7960ef9c9
SHA256

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895
SHA512

ff0c58321e87bea8e3e34c759b034548d6d8103cbc811707218af2a72d6eab07599d57838f4f415fc2861280e9d7ab472c145f39a89a2df334d361be2a6f3b05
SSDEEP

12288:L8H5wYCWeWncJn5nS9vPRnYdBz7zUY/Ag/jZ1ynMAVMpkR:gSYC0ImvPszcYXl8/M0

Score

10^/10

redline sectoprat hanna discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Hanna

185.216.70.15:65012

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2088-92-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2088-89-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2088-88-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2088-96-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2088-94-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2088-92-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2088-89-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2088-88-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2088-96-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2088-94-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2300 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2300	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

description	pid	process	target process
PID 2516 set thread context of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exepowershell.exe8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

pid	process
2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
2300	powershell.exe
2088	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
2088	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Token: SeDebugPrivilege	2088	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

description	pid	process	target process
PID 2516 wrote to memory of 2300	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	powershell.exe
PID 2516 wrote to memory of 2300	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	powershell.exe
PID 2516 wrote to memory of 2300	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	powershell.exe
PID 2516 wrote to memory of 2300	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	powershell.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
PID 2516 wrote to memory of 2088	2516	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe	8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe

C:\Users\Admin\AppData\Local\Temp\8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
"C:\Users\Admin\AppData\Local\Temp\8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe
"C:\Users\Admin\AppData\Local\Temp\8ae918087ca5f8a69dc2a4df7e1615c76d3dbc6c36f6813a0b86fa4a9c4cf895.exe"
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cd4e328ceeb4187d572f9d04b47ee2f5

SHA1
21fa866b876ebd44dbaf9e95374cc4ba7fb64d22

SHA256
7901519df8a527441eb8835d018f5d778fcce483ece3f91846cbf6f8413ca5ab

SHA512
01699fdee9a135fffe6c1e54f0016c6c2294120a64e1e167afc7d3551c100eb5c09ff8d89f061fb230de6f531c1d5546a8011e7600f8a0fc966ad9cea522a592

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8AA.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91E.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp537F.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5395.tmp
Filesize
92KB

MD5
3a2feb999ad792e015e25e8c38908eab

SHA1
c85cc871fa901f173c9a47219cd637af24580916

SHA256
f82d27cccefad6d38fe3943e61f6f5dd926348adf6bba720e58a1b1f9b66ca6b

SHA512
b34ce1bd162fc8e9c61dbb92f3d208d1236bfff7b53cecf62b2fc581d09ab8e544687de95aeff2de7ef9e8896353c57238725069c0b6ee979146dd0e497dce16

Download Submit
memory/2088-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-94-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-85-0x0000000004E50000-0x0000000004EB0000-memory.dmp

Filesize
384KB

Download
memory/2516-82-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2516-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/2516-84-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2516-83-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2516-97-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-81-0x00000000056F0000-0x0000000005766000-memory.dmp

Filesize
472KB

Download
memory/2516-2-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-1-0x0000000000F90000-0x0000000001012000-memory.dmp

Filesize
520KB

Download