Malware Analysis Report

2025-01-18 09:19

Sample ID 230808-mevg8sde21
Target 2244-62-0x0000000003F60000-0x0000000003F94000-memory.dmp
SHA256 378b5f99ef7b2fa25b6324acd62e02cf0041ae2225faa16019b5dedbf6fb92c4
Tags
redline xmrig logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

378b5f99ef7b2fa25b6324acd62e02cf0041ae2225faa16019b5dedbf6fb92c4

Threat Level: Known bad

The file 2244-62-0x0000000003F60000-0x0000000003F94000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

redline xmrig logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware stealer themida

Redline family

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

XMRig Miner payload

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 10:23

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-08 10:23

Reported

2023-08-08 10:25

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4132 set thread context of 3332 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4132 set thread context of 1604 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3668 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3668 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 5084 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 5084 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4676 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 3484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 3484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 2216 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 2216 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 3696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4676 wrote to memory of 3696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4440 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 3488 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 3488 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4440 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4888 wrote to memory of 3856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 3856 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 5044 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 5044 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 5072 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 5072 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4888 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2780 wrote to memory of 3972 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 3972 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 3348 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 3348 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2780 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4132 wrote to memory of 3332 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4132 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
NL 209.250.248.11:33522 tcp
US 8.8.8.8:53 11.248.250.209.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/3668-133-0x0000000000C00000-0x0000000000C34000-memory.dmp

memory/3668-134-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/3668-135-0x0000000005CF0000-0x0000000006308000-memory.dmp

memory/3668-136-0x00000000057E0000-0x00000000058EA000-memory.dmp

memory/3668-137-0x00000000056C0000-0x00000000056D0000-memory.dmp

memory/3668-138-0x00000000056D0000-0x00000000056E2000-memory.dmp

memory/3668-139-0x0000000005730000-0x000000000576C000-memory.dmp

memory/3668-140-0x0000000005B40000-0x0000000005BB6000-memory.dmp

memory/3668-141-0x0000000006310000-0x00000000063A2000-memory.dmp

memory/3668-142-0x0000000006DB0000-0x0000000007354000-memory.dmp

memory/3668-143-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/3668-144-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/3668-145-0x0000000006650000-0x00000000066A0000-memory.dmp

memory/3668-146-0x0000000006BD0000-0x0000000006D92000-memory.dmp

memory/3668-147-0x0000000008F80000-0x00000000094AC000-memory.dmp

memory/3668-148-0x00000000056C0000-0x00000000056D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

memory/3668-158-0x0000000074F70000-0x0000000075720000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/220-171-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-173-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/220-172-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-174-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-175-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-176-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-177-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-178-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-179-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-180-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/220-181-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/1424-187-0x0000021E434C0000-0x0000021E434E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqkg1ry5.mc1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1424-194-0x0000021E43560000-0x0000021E43570000-memory.dmp

memory/1424-192-0x00007FFD1F840000-0x00007FFD20301000-memory.dmp

memory/1424-193-0x0000021E43560000-0x0000021E43570000-memory.dmp

memory/1424-195-0x0000021E43560000-0x0000021E43570000-memory.dmp

memory/1424-198-0x00007FFD1F840000-0x00007FFD20301000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3752-201-0x00007FFD1F960000-0x00007FFD20421000-memory.dmp

memory/3752-203-0x00000270B5C60000-0x00000270B5C70000-memory.dmp

memory/3752-202-0x00000270B5C60000-0x00000270B5C70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/3752-214-0x00000270B5C60000-0x00000270B5C70000-memory.dmp

memory/3752-216-0x00007FFD1F960000-0x00007FFD20421000-memory.dmp

memory/220-218-0x00007FF60F1B0000-0x00007FF6103D6000-memory.dmp

memory/220-219-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4132-221-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-223-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/4132-222-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-224-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-225-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-226-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-227-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-228-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-229-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-230-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-231-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/2360-242-0x00007FFD1F960000-0x00007FFD20421000-memory.dmp

memory/2360-243-0x000001A338960000-0x000001A338970000-memory.dmp

memory/2360-244-0x000001A338960000-0x000001A338970000-memory.dmp

memory/2360-245-0x00007FF44E9E0000-0x00007FF44E9F0000-memory.dmp

memory/2360-255-0x000001A338DD0000-0x000001A338DEC000-memory.dmp

memory/2360-256-0x000001A338DC0000-0x000001A338DCA000-memory.dmp

memory/2360-257-0x000001A339250000-0x000001A33926C000-memory.dmp

memory/2360-258-0x000001A339230000-0x000001A33923A000-memory.dmp

memory/2360-259-0x000001A339290000-0x000001A3392AA000-memory.dmp

memory/2360-260-0x000001A339240000-0x000001A339248000-memory.dmp

memory/2360-261-0x000001A339270000-0x000001A339276000-memory.dmp

memory/2360-262-0x000001A339280000-0x000001A33928A000-memory.dmp

memory/2360-263-0x000001A338960000-0x000001A338970000-memory.dmp

memory/2360-266-0x00007FFD1F960000-0x00007FFD20421000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

memory/3356-276-0x00007FFD1F960000-0x00007FFD20421000-memory.dmp

memory/3356-281-0x00000200D8B10000-0x00000200D8B20000-memory.dmp

memory/3356-280-0x00000200D8B10000-0x00000200D8B20000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

memory/3356-283-0x00000200D8B10000-0x00000200D8B20000-memory.dmp

memory/3356-293-0x00007FF4F8B20000-0x00007FF4F8B30000-memory.dmp

memory/4132-294-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/3356-295-0x00000200D8B10000-0x00000200D8B20000-memory.dmp

memory/3356-296-0x00000200D8B10000-0x00000200D8B20000-memory.dmp

memory/3356-298-0x00007FFD1F960000-0x00007FFD20421000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1604-303-0x0000000000BE0000-0x0000000000C00000-memory.dmp

memory/4132-304-0x00007FF683960000-0x00007FF684B86000-memory.dmp

memory/4132-305-0x00007FFD3E750000-0x00007FFD3E945000-memory.dmp

memory/3332-306-0x00007FF65DF80000-0x00007FF65DFAA000-memory.dmp

memory/1604-307-0x00007FF7C3210000-0x00007FF7C39FF000-memory.dmp

memory/1604-309-0x00007FF7C3210000-0x00007FF7C39FF000-memory.dmp

memory/3332-310-0x00007FF65DF80000-0x00007FF65DFAA000-memory.dmp

memory/1604-311-0x00007FF7C3210000-0x00007FF7C39FF000-memory.dmp

memory/1604-313-0x00007FF7C3210000-0x00007FF7C39FF000-memory.dmp

memory/1604-315-0x00007FF7C3210000-0x00007FF7C39FF000-memory.dmp

memory/1604-317-0x00007FF7C3210000-0x00007FF7C39FF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 10:23

Reported

2023-08-08 10:25

Platform

win7-20230712-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2244-62-0x0000000003F60000-0x0000000003F94000-memory.exe"

Network

Country Destination Domain Proto
NL 209.250.248.11:33522 tcp

Files

memory/932-54-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/932-55-0x0000000000BB0000-0x0000000000BE4000-memory.dmp

memory/932-56-0x0000000000470000-0x0000000000476000-memory.dmp

memory/932-57-0x00000000045B0000-0x00000000045F0000-memory.dmp

memory/932-58-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/932-59-0x00000000045B0000-0x00000000045F0000-memory.dmp

memory/932-60-0x00000000740E0000-0x00000000747CE000-memory.dmp