redline | 66fcfbb25cb0e50b4cd85852ef21ddbf36e4c19a36cffef9e5f3e22c04b4290f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47278783745b4d089155c06c75a660fb.exe
Size

505KB
MD5

47278783745b4d089155c06c75a660fb
SHA1

d79a6323b88953da2a794e76cb80c855f6bbedc9
SHA256

66fcfbb25cb0e50b4cd85852ef21ddbf36e4c19a36cffef9e5f3e22c04b4290f
SHA512

0d26598b717cac1b8de6432ed6c933b85b36da06cbaf2ddc06d52f7bb80dcb931850a18c6c87c02b173c024be60b4a9c83573c9368fea3ac482e2325f390c777
SSDEEP

12288:zhMnv8pgJhX7ZspQ6Izq08jG5iBk8BJAzlHJkR:S7H7zq1jGUFBepU

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

185.222.58.70:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2148-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2148-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2148-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2148-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2148-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2148-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2148-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2148-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2148-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2148-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2576 powershell.exe
2584 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

47278783745b4d089155c06c75a660fb.exe

description pid process target process

PID 3056 set thread context of 2148 3056 47278783745b4d089155c06c75a660fb.exe 47278783745b4d089155c06c75a660fb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2576	powershell.exe
2584	powershell.exe

description	pid	process	target process
PID 3056 set thread context of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

47278783745b4d089155c06c75a660fb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	47278783745b4d089155c06c75a660fb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	47278783745b4d089155c06c75a660fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	47278783745b4d089155c06c75a660fb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	47278783745b4d089155c06c75a660fb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	47278783745b4d089155c06c75a660fb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	47278783745b4d089155c06c75a660fb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2720 schtasks.exe

pid	process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

47278783745b4d089155c06c75a660fb.exepowershell.exepowershell.exe47278783745b4d089155c06c75a660fb.exe

pid	process
3056	47278783745b4d089155c06c75a660fb.exe
3056	47278783745b4d089155c06c75a660fb.exe
3056	47278783745b4d089155c06c75a660fb.exe
3056	47278783745b4d089155c06c75a660fb.exe
2584	powershell.exe
2576	powershell.exe
2148	47278783745b4d089155c06c75a660fb.exe
2148	47278783745b4d089155c06c75a660fb.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

47278783745b4d089155c06c75a660fb.exepowershell.exepowershell.exe47278783745b4d089155c06c75a660fb.exe

description	pid	process
Token: SeDebugPrivilege	3056	47278783745b4d089155c06c75a660fb.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2148	47278783745b4d089155c06c75a660fb.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

47278783745b4d089155c06c75a660fb.exe

description	pid	process	target process
PID 3056 wrote to memory of 2576	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2576	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2576	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2576	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2584	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2584	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2584	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2584	3056	47278783745b4d089155c06c75a660fb.exe	powershell.exe
PID 3056 wrote to memory of 2720	3056	47278783745b4d089155c06c75a660fb.exe	schtasks.exe
PID 3056 wrote to memory of 2720	3056	47278783745b4d089155c06c75a660fb.exe	schtasks.exe
PID 3056 wrote to memory of 2720	3056	47278783745b4d089155c06c75a660fb.exe	schtasks.exe
PID 3056 wrote to memory of 2720	3056	47278783745b4d089155c06c75a660fb.exe	schtasks.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe
PID 3056 wrote to memory of 2148	3056	47278783745b4d089155c06c75a660fb.exe	47278783745b4d089155c06c75a660fb.exe

C:\Users\Admin\AppData\Local\Temp\47278783745b4d089155c06c75a660fb.exe
"C:\Users\Admin\AppData\Local\Temp\47278783745b4d089155c06c75a660fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\47278783745b4d089155c06c75a660fb.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zrmQDTlZlh.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zrmQDTlZlh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Users\Admin\AppData\Local\Temp\47278783745b4d089155c06c75a660fb.exe
"C:\Users\Admin\AppData\Local\Temp\47278783745b4d089155c06c75a660fb.exe"
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B53.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6C44.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp
Filesize
1KB

MD5
c84ab447f674a23f7648eca3de41064f

SHA1
6abab2a1eec88a0a0a8abf88f36f8052f34acaef

SHA256
d75503373166c17f13e90266d675cdc770d24a93f6940a13fd1a8f9c0e7f35ea

SHA512
f7d9035e612e2f3796712acdb1442832a6a620a68dc6fc18ed24d144bb68b905df0061e7f13853379d38180cd0cd22810f3445aa15879394ae5de3500611b292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EAD.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EC3.tmp
Filesize
92KB

MD5
18e04095708297d6889a6962f81e8d8f

SHA1
9a25645db1da0217092c06579599b04982192124

SHA256
4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7

SHA512
45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7J39WBXJ86NCC7T7JQZK.temp
Filesize
7KB

MD5
753ed4934335d98b6c359029b8dfa2ea

SHA1
dcac2d73385ad354a219064c9ce9197629d37e93

SHA256
37da80201f5f02624189c2abe1f948e1adbce32cec5bf3d76d254388b9b12f6d

SHA512
fabdad45a7c40fe78aef25ac69cd36e46f775b25ec799c7b018b7098e53fae136ed6dd81b338dea926a8e7907e9abde0b5194235a96623bcc51e21b7a9b864a1

Download Submit
memory/2148-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3056-6-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/3056-7-0x0000000005070000-0x00000000050D0000-memory.dmp

Filesize
384KB

Download
memory/3056-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3056-33-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-5-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/3056-4-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/3056-3-0x0000000000F60000-0x0000000000FD6000-memory.dmp

Filesize
472KB

Download
memory/3056-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-1-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download