redline | 4c08a8f3c94eb025877f8cb8ae3018578183d5b5e829280fee70fb700f04e428

Analysis

max time kernel
339s
max time network
351s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
30-07-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Hack v1.17/AutoUpdate v2/update.exe
Size

504KB
MD5

b989834fe117f763a5b08223d839f4e9
SHA1

06798c3a87b1ca1ca62f5571c36e44433eb92f5c
SHA256

4e98f37fb1499cc9ccd6c84c9e920bbad3784fac3acd084a7113d788e87d5d69
SHA512

73a38d45d6c872be00e02cf1360eaa151acfe569a9d31ba3075cb34e63b907b63a652c9d7979bbebbbc46c6177d9083b7775f2105871b37db98ceda1e1920129

Score

10^/10

redline @fast1q discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@fast1q

101.99.93.104:80

Attributes

auth_value
1508fee58f3b525a1013607ab0323781

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1316-56-0x0000000000780000-0x00000000007A0000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

conhost.exesvhost.exeMoUSO.exe

pid process

1056 conhost.exe
1468 svhost.exe
2032 MoUSO.exe
Loads dropped DLL 6 IoCs

Processes:

update.execonhost.exesvhost.exe

pid process

1316 update.exe
1056 conhost.exe
1056 conhost.exe
1316 update.exe
1468 svhost.exe
1468 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1740 schtasks.exe

pid	process
1056	conhost.exe
1468	svhost.exe
2032	MoUSO.exe

pid	process
1740	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exepowershell.exepowershell.exepowershell.exeMoUSO.exe

pid	process
1316	update.exe
1804	powershell.exe
1948	powershell.exe
1748	powershell.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe
2032	MoUSO.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

update.execonhost.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1316	update.exe
Token: SeRestorePrivilege	1316	update.exe
Token: SeBackupPrivilege	1316	update.exe
Token: SeDebugPrivilege	1056	conhost.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

update.execonhost.execmd.exesvhost.exetaskeng.exe

description	pid	process	target process
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1056	1316	update.exe	conhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1316 wrote to memory of 1468	1316	update.exe	svhost.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	conhost.exe	cmd.exe
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1572	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1804	1720	cmd.exe	powershell.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1468 wrote to memory of 1740	1468	svhost.exe	schtasks.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1948	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1748	1720	cmd.exe	powershell.exe
PID 564 wrote to memory of 2032	564	taskeng.exe	MoUSO.exe
PID 564 wrote to memory of 2032	564	taskeng.exe	MoUSO.exe
PID 564 wrote to memory of 2032	564	taskeng.exe	MoUSO.exe
PID 564 wrote to memory of 2032	564	taskeng.exe	MoUSO.exe

C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
3⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
3⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\taskeng.exe
taskeng.exe {0CCE80E8-E5AD-48A1-87E1-7E9E039AC29E} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
34dbc233011790f6f4434732efc01630

SHA1
d32be587f90206ad24a22b919f56160c31c3666d

SHA256
f7a5bbc360a421cea3842817754ffdc394b4795879804bfae110c6869d47cbd5

SHA512
e5b0352ee5d0a4b87d340e2eb2e4fcd8d372c0b33e7756b776bd57755c72967ce4345d8bce3af1b997907c5f9f5c889c10d7613d5cf2ceab0595190b23eb6137

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e2b7695e8c164f8771613d63c3fe74a4

SHA1
626ffd348cf7324b4c852f8aa900f5a90a955694

SHA256
7ad9093f6742d994fdb6dcdfa7a49937ac0699d95681990b9d3cf49378f51a21

SHA512
5aaf01714d57d6eacc156d170a68f6d7d2d2b521f1c310659d0e48deb8f4c26b0d4b70554a7336cd4f3a86baf3196949d93bc4690558987b8e834e1a5c2de8a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9341f842f71bc1595d04367105dc8ed0

SHA1
712b0fb83605383cdaa16014abf83baa2584841b

SHA256
fc5140c510209da80109f802528120ac99b0c50abc9c9522cfbd85633b0f21fe

SHA512
b68e753106a372142d21a6b43a6860eecc36964498eb0e676213ac79db2a14371cbda721434abde49640128059c170b6168602f6bb7dd5060a5b12b97b9adb37

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
memory/1056-58-0x0000000000000000-mapping.dmp

Download
memory/1056-64-0x00000000010F0000-0x000000000110E000-memory.dmp

Filesize
120KB

Download
memory/1316-54-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1316-55-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1316-56-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/1468-66-0x0000000000000000-mapping.dmp

Download
memory/1572-75-0x0000000000000000-mapping.dmp

Download
memory/1720-72-0x0000000000000000-mapping.dmp

Download
memory/1740-79-0x0000000000000000-mapping.dmp

Download
memory/1748-87-0x0000000000000000-mapping.dmp

Download
memory/1748-90-0x0000000072E00000-0x00000000733AB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-91-0x0000000072E00000-0x00000000733AB000-memory.dmp

Filesize
5.7MB

Download
memory/1804-82-0x00000000697E0000-0x0000000069D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-81-0x00000000697E0000-0x0000000069D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-77-0x0000000000000000-mapping.dmp

Download
memory/1948-83-0x0000000000000000-mapping.dmp

Download
memory/1948-86-0x00000000733B0000-0x000000007395B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-93-0x0000000000000000-mapping.dmp

Download