Malware Analysis Report

2025-01-18 09:20

Sample ID 230808-g3w33sba25
Target 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.dmp
SHA256 9c7b4f71c5a32da120b8fc3ab5e29facb953196351e2f6f58cf5030f0aa09568
Tags
logsdiller cloud (tg: @logsdillabot) redline xmrig evasion infostealer miner spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c7b4f71c5a32da120b8fc3ab5e29facb953196351e2f6f58cf5030f0aa09568

Threat Level: Known bad

The file 2588-61-0x0000000003E70000-0x0000000003EA4000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline xmrig evasion infostealer miner spyware stealer themida

Redline family

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

XMRig Miner payload

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 06:20

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 06:20

Reported

2023-08-08 06:22

Platform

win7-20230712-en

Max time kernel

135s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
(9 matches reported; the sandbox gives no Description, Indicator, Process or Target for any of them)

Downloads MZ/PE file

Drops file in Drivers directory

Note: both rows are writes to the hosts file (System32\drivers\etc\hosts), not a driver drop; the signature keys on the path. The kernel driver this sample actually writes is C:\Program Files\Google\Libs\WR64.sys (listed under "Drops file in Program Files directory"), which is the file to pull when chasing the "LoadsDriver" hit. Diff the modified hosts file against the default: miners commonly use it to black-hole update and security domains, and the entries survive removal of the binaries.

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description Indicator Process Target
(28 matches reported; the sandbox gives no Description, Indicator, Process or Target for any of them)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Note: the four events below are one per powershell.exe launch and are PowerShell's own Start Menu shortcut / jump-list housekeeping (compare the customDestinations-ms entries in the Files list), not a payload drop; on their own they are not an indicator.

Description Indicator Process Target
File opened for modification (4 events) C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1284 set thread context of 2316 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1284 set thread context of 2816 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 707d338dc0c9d901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan

Note: the two keys are DST Root CA X3 under AuthRoot (the name is readable in the UTF-16 friendly-name property of the blob below and the thumbprint DAC9024F... matches it) and ISRG Root X1 under ROOT (thumbprint CABD2A79...), i.e. the Let's Encrypt root chain. Together with the plain-HTTP connection to apps.identrust.com in the Network table (the IdenTrust CA distribution point), this matches Windows automatic root update running while the sample validated its HTTPS download from transfer.sh, not an attacker-installed root. Treat these registry writes as a side effect of the download rather than a standalone indicator; a rogue root would show a thumbprint that is not a published CA fingerprint.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob value not included in this export) C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob value not included in this export) C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195
f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob value not included in this export) C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2720 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2720 wrote to memory of 1840 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1228 wrote to memory of 1448 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1228 wrote to memory of 3020 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1228 wrote to memory of 2992 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1228 wrote to memory of 2812 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1228 wrote to memory of 2708 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3024 wrote to memory of 1584 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3024 wrote to memory of 960 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3024 wrote to memory of 1812 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3024 wrote to memory of 1560 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1676 wrote to memory of 1252 (3 events) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1984 wrote to memory of 1284 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 1216 wrote to memory of 2472 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1216 wrote to memory of 888 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1216 wrote to memory of 1700 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1216 wrote to memory of 1908 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1216 wrote to memory of 2124 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2060 wrote to memory of 2672 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2060 wrote to memory of 2392 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2060 wrote to memory of 1476 (2 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
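
The WriteProcessMemory and SetThreadContext rows are easier to read as a process graph. The Python below is an added example, not produced by the sandbox and not part of this report: it parses rows in the text form these tables use (an optional "(N events)" count after the target PID is also accepted), collapses repeated rows into an event count, walks the "wrote to memory" edges as parent-to-child links (CreateProcess writes start-up data into the new child, which is why each child shows three or four identical rows), and flags SetThreadContext calls from a non-Windows image into a Windows image, the hollowing pattern that XMRig loaders use. SAMPLE_ROWS is copied from this report with one row per parent/child pair, except 1228->1448 which is kept three times to exercise the counter. Read together with the AdjustPrivilegeToken table, where explorer.exe ends up holding SeLockMemoryPrivilege (large pages, which XMRig asks for), the output points at PID 2816 explorer.exe as the process running the miner; note that the Files list contains no memory dump for PID 2816.

```python
"""Rebuild the process chain from the sandbox's WriteProcessMemory and
SetThreadContext rows.  Added example, not part of the report."""
import re
from collections import defaultdict

# Rows copied from the report's tables (one per pair; 1228->1448 kept three times).
SAMPLE_ROWS = r"""
PID 2600 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2720 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1228 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1228 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1228 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3024 wrote to memory of 1584 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1676 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1984 wrote to memory of 1284 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 1284 set thread context of 2316 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1284 set thread context of 2816 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
"""

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)"
                 r"(?: \((\d+) events\))? N/A (.+)")
# Paths contain spaces ("Program Files"), so split only on whitespace that
# precedes a drive letter.
PATHS = re.compile(r"\s+(?=[A-Za-z]:\\)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return {(src_pid, dst_pid): {src, dst, kinds, count}} from table rows."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, verb, dst, n, rest = m.groups()
        paths = PATHS.split(rest.strip())
        if len(paths) != 2:
            continue
        e = edges.setdefault((int(src), int(dst)),
                             {"src": paths[0], "dst": paths[1], "kinds": set(), "count": 0})
        e["kinds"].add("write" if verb.startswith("wrote") else "ctx")
        e["count"] += int(n) if n else 1
    return edges


def process_chains(edges):
    """Root-to-leaf chains over the 'wrote to memory' edges, which for a freshly
    created child are the parent's CreateProcess writes, i.e. parent -> child."""
    children, names, targets = defaultdict(list), {}, set()
    for (s, d), e in edges.items():
        names[s], names[d] = basename(e["src"]), basename(e["dst"])
        if "write" in e["kinds"]:
            children[s].append(d)
            targets.add(d)
    chains = []

    def walk(pid, path):
        path = path + [f"{pid} {names[pid]}"]
        if not children.get(pid):
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path)

    for root in sorted(p for p in list(children) if p not in targets):
        walk(root, [])
    return chains


def hollowing_candidates(edges):
    """SetThreadContext from an image outside C:\\Windows into an image inside it:
    the classic hollowing signal (here updater.exe -> conhost.exe / explorer.exe)."""
    out = []
    for (s, d), e in edges.items():
        if ("ctx" in e["kinds"] and e["dst"].lower().startswith("c:\\windows\\")
                and not e["src"].lower().startswith("c:\\windows\\")):
            out.append((s, d, basename(e["dst"])))
    return sorted(out)


if __name__ == "__main__":
    graph = parse_rows(SAMPLE_ROWS)
    for chain in process_chains(graph):
        print(" -> ".join(chain))
    for s, d, image in hollowing_candidates(graph):
        print(f"possible hollowing: {s} {basename(graph[(s, d)]['src'])} -> {d} {image}")
```

The sample yields five chains, among them 2600 (the dumped RedLine stage) -> 2720 mi.exe -> 1840 setup.exe and 1984 taskeng.exe -> 1284 updater.exe, the second being the scheduled task firing; the two hollowing candidates are both sourced from PID 1284.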

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {0B40C90E-EDC3-43D9-952E-CCC9B7DF66D7} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
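
The Processes list above is the miner's complete install routine, and every step is a command line that process-creation telemetry (Sysmon event 1, EDR logs) records: a Defender exclusion for the user profile and Program Files, stopping the Windows Update and BITS services, disabling standby and hibernation so the miner keeps running, and a SYSTEM-level task named to look like Google Update but pointing at a dropped updater.exe. The Python below is an added example, not part of the report: five regex rules, one per step, a check that treats any GoogleUpdateTaskMachine* task whose target is not GoogleUpdate.exe as a lookalike (the assumption being that Google's own tasks launch only GoogleUpdate.exe), and a triage() that returns one verdict when at least three distinct stages fire in a batch. EVENTS is constructed from the command lines in this report plus two control lines (the task /run and a benign backup task) that must not fire; rule names, stage names and the threshold are mine.

```python
"""Command-line rules for the miner setup routine in the Processes section.
Added example, not part of the report."""
import re

# One process-creation command line per line: the report's own command lines,
# then two control lines that must not fire (task /run and a benign backup task).
EVENTS = r"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
sc stop WaaSMedicSvc
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\schtasks.exe /create /sc daily /tn NightlyBackup /tr C:\Tools\backup.exe
""".strip().splitlines()

# (rule name, stage, pattern); a verdict needs several distinct stages.
RULES = [
    ("defender_exclusion", "defense_evasion",
     re.compile(r"Add-MpPreference\b.*\s-ExclusionPath\b", re.I)),
    ("stop_update_service", "service_stop",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("disable_sleep", "power",
     re.compile(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I)),
    ("system_task_schtasks", "persistence",
     re.compile(r"schtasks(?:\.exe)?[\"]?\s+/create\b.*\s/ru\s+'?System'?\b", re.I)),
    ("system_task_posh", "persistence",
     re.compile(r"Register-ScheduledTask\b.*\s-User\s+'?System'?\b.*\s-RunLevel\s+'?Highest'?", re.I)),
]

TASK_NAME = re.compile(r"(?:/tn|-TaskName)\s+[\"']?(GoogleUpdateTaskMachine\w*)", re.I)
TASK_TARGET = re.compile(r"(?:/tr|-Execute)\s+[\"']*([^\"']+?\.exe)", re.I)


def google_update_lookalike(cmdline):
    """Assumption: legitimate GoogleUpdateTaskMachine* tasks run GoogleUpdate.exe
    from ...\\Google\\Update; any other target under that task name is a lookalike."""
    name, target = TASK_NAME.search(cmdline), TASK_TARGET.search(cmdline)
    if not (name and target):
        return False
    return not target.group(1).lower().endswith("\\google\\update\\googleupdate.exe")


def classify(cmdline):
    """Return [(rule, stage), ...] for one command line."""
    hits = [(name, stage) for name, stage, rx in RULES if rx.search(cmdline)]
    if google_update_lookalike(cmdline):
        hits.append(("google_update_task_lookalike", "persistence"))
    return hits


def triage(cmdlines, min_stages=3):
    """Count rule hits over a batch (one host, one session) and raise a single
    verdict when the routine's stages appear together rather than in isolation."""
    counts, stages = {}, set()
    for cmdline in cmdlines:
        for name, stage in classify(cmdline):
            counts[name] = counts.get(name, 0) + 1
            stages.add(stage)
    verdict = "miner_setup_chain" if len(stages) >= min_stages else "no_chain"
    return {"hits": counts, "stages": sorted(stages), "verdict": verdict}


if __name__ == "__main__":
    for cmdline in EVENTS:
        print([name for name, _ in classify(cmdline)], cmdline[:70])
    print(triage(EVENTS))
```

On the constructed batch all four stages fire (the schtasks and Register-ScheduledTask variants both hit, as does the lookalike check), the two control lines produce no hits, and the batch without the first six lines returns no_chain. Stopping these services or setting powercfg timeouts is not malicious by itself, which is why the verdict is tied to stage count rather than to any one rule.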

Network

Country Destination Domain Proto
NL 209.250.248.11:33522 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.170:80 apps.identrust.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp

Files

memory/2600-53-0x0000000000A10000-0x0000000000A44000-memory.dmp

memory/2600-54-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2600-55-0x0000000000230000-0x0000000000236000-memory.dmp

memory/2600-56-0x0000000004880000-0x00000000048C0000-memory.dmp

memory/2600-57-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2600-58-0x0000000004880000-0x00000000048C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF93F.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarF9A0.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cc9943fd06e9a92050887259a4e3abd
SHA1 ba8de942c1a4c1a2d73b8e60e17c573029f6582d
SHA256 48d3a16fe3dcb8805a4076a2e6e30bd065f898cbbf87a4648414c08486613fb9
SHA512 4a8fd1dc6044e1220e94f6f31276e316ff749d93664288492ebee9c66e2e7fd088a80da9a593ba284be170e1055fa8f4d9e0e186c421676326d423fb02d6f6bb

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

memory/2600-127-0x0000000073E50000-0x000000007453E000-memory.dmp

\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2720-137-0x00000000044E0000-0x0000000005706000-memory.dmp

memory/1840-138-0x0000000076E30000-0x0000000076FD9000-memory.dmp

memory/1840-136-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-139-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-140-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-141-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-142-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-143-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/2720-144-0x00000000044E0000-0x0000000005706000-memory.dmp

memory/1840-145-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-146-0x0000000076E30000-0x0000000076FD9000-memory.dmp

memory/788-151-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

memory/788-152-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/788-153-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/788-154-0x000000001B180000-0x000000001B462000-memory.dmp

memory/788-155-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/788-156-0x00000000021E0000-0x00000000021E8000-memory.dmp

memory/788-157-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/788-158-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0bc7b4b4f4ffe0ec4c24f028675b9470
SHA1 1af4518b0bc179ea15f8a9140cb2191230b7d1ea
SHA256 41f6075998a62c186388d98c805ab7c889befeb85d069367738756cd2b341d06
SHA512 ef24ec6b46f113dc12faa71d842d824abee5d1c51f34274c43f435232ae480d732b8acf7c83a6c550e635909cb329c7ffad03a49bd4ee0210e30fdcc516c6fb3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NRXI7IT8VTPR1E46ZB87.temp

MD5 0bc7b4b4f4ffe0ec4c24f028675b9470
SHA1 1af4518b0bc179ea15f8a9140cb2191230b7d1ea
SHA256 41f6075998a62c186388d98c805ab7c889befeb85d069367738756cd2b341d06
SHA512 ef24ec6b46f113dc12faa71d842d824abee5d1c51f34274c43f435232ae480d732b8acf7c83a6c550e635909cb329c7ffad03a49bd4ee0210e30fdcc516c6fb3

memory/1676-166-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

memory/1676-167-0x000007FEF4BC0000-0x000007FEF555D000-memory.dmp

memory/1676-168-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/1676-165-0x000000001B120000-0x000000001B402000-memory.dmp

memory/1676-169-0x000007FEF4BC0000-0x000007FEF555D000-memory.dmp

memory/1676-170-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/1676-171-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/1676-172-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/1676-173-0x000007FEF4BC0000-0x000007FEF555D000-memory.dmp

memory/1840-176-0x000000013F680000-0x00000001408A6000-memory.dmp

memory/1840-178-0x0000000076E30000-0x0000000076FD9000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1984-182-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-183-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-184-0x0000000076E30000-0x0000000076FD9000-memory.dmp

memory/1284-185-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-186-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-187-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-188-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-189-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-190-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-191-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-192-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-193-0x0000000076E30000-0x0000000076FD9000-memory.dmp

memory/3012-194-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

memory/3012-196-0x0000000000F20000-0x0000000000FA0000-memory.dmp

memory/3012-195-0x0000000000F20000-0x0000000000FA0000-memory.dmp

memory/3012-197-0x0000000000F20000-0x0000000000FA0000-memory.dmp

memory/3012-199-0x0000000000F20000-0x0000000000FA0000-memory.dmp

memory/3012-198-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

memory/3012-200-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

memory/1284-201-0x000000013F0D0000-0x00000001402F6000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1748-205-0x000007FEF4BC0000-0x000007FEF555D000-memory.dmp

memory/1748-206-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/1748-207-0x000007FEF4BC0000-0x000007FEF555D000-memory.dmp

memory/1748-209-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/1748-208-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/1748-210-0x000007FEF4BC0000-0x000007FEF555D000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2816-216-0x0000000000340000-0x0000000000360000-memory.dmp

memory/1284-215-0x000000013F0D0000-0x00000001402F6000-memory.dmp

memory/1284-217-0x0000000076E30000-0x0000000076FD9000-memory.dmp

memory/2316-218-0x0000000140000000-0x000000014002A000-memory.dmp

memory/2816-219-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2816-221-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2316-222-0x0000000140000000-0x000000014002A000-memory.dmp

memory/2816-223-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2816-225-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2816-227-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2816-229-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2816-231-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/2816-233-0x0000000140000000-0x00000001407EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-08 06:20

Reported

2023-08-08 06:22

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                        Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2588-61-0x0000000003E70000-0x0000000003EA4000-memory.exe"

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53             8.3.197.209.in-addr.arpa       udp
US       8.8.8.8:53             73.31.126.40.in-addr.arpa      udp
NL       209.250.248.11:33522                                  tcp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53             11.248.250.209.in-addr.arpa    udp
US       8.8.8.8:53             2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53             254.5.248.8.in-addr.arpa       udp
NL       20.123.141.233:443                                    tcp
US       8.8.8.8:53             63.13.109.52.in-addr.arpa      udp
US       8.8.8.8:53             123.10.44.20.in-addr.arpa      udp

Files

memory/4332-133-0x0000000000A90000-0x0000000000AC4000-memory.dmp

memory/4332-134-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4332-135-0x0000000005B40000-0x0000000006158000-memory.dmp

memory/4332-136-0x0000000005630000-0x000000000573A000-memory.dmp

memory/4332-137-0x0000000005510000-0x0000000005520000-memory.dmp

memory/4332-138-0x0000000005560000-0x0000000005572000-memory.dmp

memory/4332-139-0x00000000055C0000-0x00000000055FC000-memory.dmp

memory/4332-140-0x00000000058D0000-0x0000000005946000-memory.dmp

memory/4332-141-0x0000000006160000-0x00000000061F2000-memory.dmp

memory/4332-142-0x0000000006C00000-0x00000000071A4000-memory.dmp

memory/4332-143-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/4332-144-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/4332-145-0x0000000005510000-0x0000000005520000-memory.dmp

memory/4332-146-0x00000000067E0000-0x0000000006830000-memory.dmp

memory/4332-147-0x0000000007380000-0x0000000007542000-memory.dmp

memory/4332-148-0x0000000007DD0000-0x00000000082FC000-memory.dmp

memory/4332-150-0x0000000074570000-0x0000000074D20000-memory.dmp