redline | 35bc174139612d416a683cb302b450d21b1eb2a8cc23d0fb22d0152b35d585c6

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

568967433c84d1fd3068fae82d24d750.exe
Size

504KB
MD5

568967433c84d1fd3068fae82d24d750
SHA1

030204e478cd66d7234850d9ef95f9b52a2dc476
SHA256

35bc174139612d416a683cb302b450d21b1eb2a8cc23d0fb22d0152b35d585c6
SHA512

13481aee6d2fdc5666f4febfa33a370c8590bb712be6f75bf7d212e4041f0c625b2068aad1f265254a62c4408c04070f911d378a5014061aaccf9f8c9114db75
SSDEEP

12288:VX0AXmuz7sdJoJmrTNj/RQI1UrYNw9KlRVjd1z+n/Xfu+XHTmyDLNkR:ZIXx/RQIq1olRVBcRXhD0

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

185.222.58.79:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2492-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-29-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-24-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-30-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2492-32-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2684 powershell.exe
2740 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

568967433c84d1fd3068fae82d24d750.exe

description pid process target process

PID 1492 set thread context of 2492 1492 568967433c84d1fd3068fae82d24d750.exe 568967433c84d1fd3068fae82d24d750.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2684	powershell.exe
2740	powershell.exe

description	pid	process	target process
PID 1492 set thread context of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

568967433c84d1fd3068fae82d24d750.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	568967433c84d1fd3068fae82d24d750.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	568967433c84d1fd3068fae82d24d750.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	568967433c84d1fd3068fae82d24d750.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	568967433c84d1fd3068fae82d24d750.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	568967433c84d1fd3068fae82d24d750.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	568967433c84d1fd3068fae82d24d750.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2732 schtasks.exe

pid	process
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

568967433c84d1fd3068fae82d24d750.exepowershell.exepowershell.exe568967433c84d1fd3068fae82d24d750.exe

pid	process
1492	568967433c84d1fd3068fae82d24d750.exe
1492	568967433c84d1fd3068fae82d24d750.exe
1492	568967433c84d1fd3068fae82d24d750.exe
1492	568967433c84d1fd3068fae82d24d750.exe
1492	568967433c84d1fd3068fae82d24d750.exe
1492	568967433c84d1fd3068fae82d24d750.exe
1492	568967433c84d1fd3068fae82d24d750.exe
2684	powershell.exe
2740	powershell.exe
2492	568967433c84d1fd3068fae82d24d750.exe
2492	568967433c84d1fd3068fae82d24d750.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

568967433c84d1fd3068fae82d24d750.exepowershell.exepowershell.exe568967433c84d1fd3068fae82d24d750.exe

description	pid	process
Token: SeDebugPrivilege	1492	568967433c84d1fd3068fae82d24d750.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2492	568967433c84d1fd3068fae82d24d750.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

568967433c84d1fd3068fae82d24d750.exe

description	pid	process	target process
PID 1492 wrote to memory of 2684	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2684	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2684	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2684	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2740	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2740	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2740	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2740	1492	568967433c84d1fd3068fae82d24d750.exe	powershell.exe
PID 1492 wrote to memory of 2732	1492	568967433c84d1fd3068fae82d24d750.exe	schtasks.exe
PID 1492 wrote to memory of 2732	1492	568967433c84d1fd3068fae82d24d750.exe	schtasks.exe
PID 1492 wrote to memory of 2732	1492	568967433c84d1fd3068fae82d24d750.exe	schtasks.exe
PID 1492 wrote to memory of 2732	1492	568967433c84d1fd3068fae82d24d750.exe	schtasks.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe
PID 1492 wrote to memory of 2492	1492	568967433c84d1fd3068fae82d24d750.exe	568967433c84d1fd3068fae82d24d750.exe

C:\Users\Admin\AppData\Local\Temp\568967433c84d1fd3068fae82d24d750.exe
"C:\Users\Admin\AppData\Local\Temp\568967433c84d1fd3068fae82d24d750.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\568967433c84d1fd3068fae82d24d750.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rPXxwx.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rPXxwx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6519.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Users\Admin\AppData\Local\Temp\568967433c84d1fd3068fae82d24d750.exe
"C:\Users\Admin\AppData\Local\Temp\568967433c84d1fd3068fae82d24d750.exe"
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dd0ff8bb420c536002c9befb83039f11

SHA1
5eb9821c8854f76bd1d3225dde612ae912509e1d

SHA256
eff1e3fce23224e0bff77241eed4c31714221deecbbb18bc64e47a90f9860d1c

SHA512
3bff17d63b65e674208f157bc1c0c5577a9ed441b2feae6d8332d5aec451045dbbd52fe64fc0ee970839e37fa1f743cd0faf993d036b9033db7786694e5a89b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8893.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8916.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6519.tmp
Filesize
1KB

MD5
634a2376f7637a0fcef84b03c509ad08

SHA1
9a8bda834bc73a77ee9007f369f307dd904ce79b

SHA256
1bdcb0910fcbfe6797946de04ed3e49febe4631311b0a87d4db2f422b277311d

SHA512
f3b31e94793865d09cf4c6bf15499ee64858192c1ed2d4c25ae6a5b90e523018445ded65e5baa581f5c27a05e185d110328864a9936d0faee13678e93e698264

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90D3.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90D9.tmp
Filesize
92KB

MD5
5f914a013176785e26d70d07234c605c

SHA1
5336e9ed6aeb682b46a0472f4f80ec24c4504210

SHA256
72b56bbce7e5e07702bf46a002c75cb3a8994fd390b190b989628d387d21975b

SHA512
103eff502bec0df1a36bd19a97ca1d10cc34da2183480fe146434ec916020011c8af003b66ab5f6f4886e95b21749be8d8c3c3ebf3ae1b2e5c6db216e8b4e1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
510e2ca405396c2914b0976fa2d6381d

SHA1
4b077193fdb95a1f62cee03e6442a2b0c2577dd6

SHA256
1ee29af118d53c2fa1002509f80edfc85b325a82a63b6e6a0af062f9431f0523

SHA512
7fa5320b79b2610e820aa66f1bfe6e9c2370cfe90c71b55a3e2c809f153d14ba903ba0d69c5892ab416bff3ea46ab9b280282867b2221edf21435333b64978a6

Download Submit
memory/1492-33-0x0000000074E20000-0x000000007550E000-memory.dmp

Filesize
6.9MB

Download
memory/1492-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1492-1-0x0000000000140000-0x00000000001C0000-memory.dmp

Filesize
512KB

Download
memory/1492-2-0x0000000074E20000-0x000000007550E000-memory.dmp

Filesize
6.9MB

Download
memory/1492-3-0x0000000004E00000-0x0000000004E76000-memory.dmp

Filesize
472KB

Download
memory/1492-7-0x0000000005130000-0x0000000005190000-memory.dmp

Filesize
384KB

Download
memory/1492-4-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1492-5-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1492-6-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2492-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download