Analysis Overview
SHA256
f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine payload
xmrig
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Drops file in Drivers directory
Stops running service(s)
Downloads MZ/PE file
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-16 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-16 22:04
Reported
2023-10-16 22:07
Platform
win7-20230831-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files\Google\Chrome\updater.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files\Google\Chrome\updater.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2680 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1260 set thread context of 1592 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 1260 set thread context of 2768 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0905d187d00da01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\grrhfnlxagtw.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| GB | 145.239.200.147:30225 | tcp | |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | stratum-eu.rplant.xyz | udp |
| FR | 141.94.192.217:17056 | stratum-eu.rplant.xyz | tcp |
Files
memory/2084-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-1-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-2-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-3-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2084-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-10-0x0000000074AC0000-0x00000000751AE000-memory.dmp
memory/2084-11-0x0000000004B80000-0x0000000004BC0000-memory.dmp
memory/2084-12-0x0000000074AC0000-0x00000000751AE000-memory.dmp
memory/2084-13-0x0000000004B80000-0x0000000004BC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabDBF0.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarDC50.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/2084-51-0x00000000091E0000-0x000000000A419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/2084-54-0x0000000074AC0000-0x00000000751AE000-memory.dmp
memory/2100-55-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-56-0x0000000077A50000-0x0000000077BF9000-memory.dmp
memory/2100-57-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-58-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-59-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-60-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-61-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-62-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-63-0x0000000077A50000-0x0000000077BF9000-memory.dmp
memory/940-69-0x000000001B1F0000-0x000000001B4D2000-memory.dmp
memory/940-70-0x00000000022E0000-0x00000000022E8000-memory.dmp
memory/940-71-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/940-72-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/940-73-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/940-74-0x00000000025D0000-0x0000000002650000-memory.dmp
memory/940-75-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/940-76-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/2100-82-0x000000013F9D0000-0x0000000140C09000-memory.dmp
memory/2100-83-0x0000000077A50000-0x0000000077BF9000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/1260-86-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
\Program Files\Google\Chrome\updater.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/1260-87-0x0000000077A50000-0x0000000077BF9000-memory.dmp
memory/1260-88-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-89-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-90-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-91-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-92-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-93-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-94-0x0000000077A50000-0x0000000077BF9000-memory.dmp
memory/3052-95-0x0000000019CD0000-0x0000000019FB2000-memory.dmp
memory/3052-96-0x0000000000880000-0x0000000000888000-memory.dmp
memory/3052-97-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
memory/3052-98-0x00000000011E0000-0x0000000001260000-memory.dmp
memory/3052-99-0x00000000011E0000-0x0000000001260000-memory.dmp
memory/3052-100-0x00000000011E0000-0x0000000001260000-memory.dmp
memory/3052-101-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
memory/1260-102-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/3052-103-0x00000000011E0000-0x0000000001260000-memory.dmp
memory/3052-104-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 2b19df2da3af86adf584efbddd0d31c0 |
| SHA1 | f1738910789e169213611c033d83bc9577373686 |
| SHA256 | 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd |
| SHA512 | 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6 |
C:\Windows\TEMP\grrhfnlxagtw.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/2768-113-0x0000000000240000-0x0000000000260000-memory.dmp
memory/1260-114-0x000000013F9A0000-0x0000000140BD9000-memory.dmp
memory/1260-115-0x0000000077A50000-0x0000000077BF9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-16 22:04
Reported
2023-10-16 22:07
Platform
win10v2004-20230915-en
Max time kernel
160s
Max time network
158s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files\Google\Chrome\updater.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files\Google\Chrome\updater.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4632 set thread context of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3616 set thread context of 1428 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 3616 set thread context of 4316 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\grrhfnlxagtw.xml"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| GB | 145.239.200.147:30225 | tcp | |
| US | 8.8.8.8:53 | 147.200.239.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| IE | 52.111.236.21:443 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stratum-eu.rplant.xyz | udp |
| FR | 141.94.192.217:17056 | stratum-eu.rplant.xyz | tcp |
| US | 8.8.8.8:53 | 217.192.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/1872-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1872-1-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/1872-2-0x0000000007D40000-0x00000000082E4000-memory.dmp
memory/1872-3-0x0000000007830000-0x00000000078C2000-memory.dmp
memory/1872-4-0x00000000079D0000-0x00000000079E0000-memory.dmp
memory/1872-5-0x00000000079E0000-0x00000000079EA000-memory.dmp
memory/1872-6-0x0000000008910000-0x0000000008F28000-memory.dmp
memory/1872-7-0x0000000007B80000-0x0000000007C8A000-memory.dmp
memory/1872-8-0x0000000007AB0000-0x0000000007AC2000-memory.dmp
memory/1872-9-0x0000000007B10000-0x0000000007B4C000-memory.dmp
memory/1872-10-0x0000000007C90000-0x0000000007CDC000-memory.dmp
memory/1872-11-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/1872-12-0x00000000083D0000-0x0000000008436000-memory.dmp
memory/1872-13-0x0000000009340000-0x0000000009502000-memory.dmp
memory/1872-14-0x0000000009A40000-0x0000000009F6C000-memory.dmp
memory/1872-15-0x00000000079D0000-0x00000000079E0000-memory.dmp
memory/1872-16-0x0000000009290000-0x00000000092E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/1120-27-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/1120-29-0x00007FFA92790000-0x00007FFA92985000-memory.dmp
memory/1120-28-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/1120-30-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/1120-31-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/1120-32-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/1872-34-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/1120-35-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/1120-37-0x00007FFA92790000-0x00007FFA92985000-memory.dmp
memory/3812-47-0x00000253EE6D0000-0x00000253EE6F2000-memory.dmp
memory/3812-50-0x00000253EC420000-0x00000253EC430000-memory.dmp
memory/3812-51-0x00000253EC420000-0x00000253EC430000-memory.dmp
memory/3812-49-0x00000253EC420000-0x00000253EC430000-memory.dmp
memory/3812-48-0x00007FFA73AD0000-0x00007FFA74591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ruh10xsk.lln.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3812-54-0x00007FFA73AD0000-0x00007FFA74591000-memory.dmp
memory/1120-61-0x00007FFA92790000-0x00007FFA92985000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/1120-60-0x00007FF7408F0000-0x00007FF741B29000-memory.dmp
memory/3616-63-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
memory/3616-64-0x00007FFA92790000-0x00007FFA92985000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
memory/3616-65-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
memory/3616-66-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
memory/3616-67-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
memory/3616-68-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
memory/3616-69-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
memory/3616-71-0x00007FFA92790000-0x00007FFA92985000-memory.dmp
memory/3768-82-0x00000298238D0000-0x00000298238E0000-memory.dmp
memory/3768-81-0x00007FFA73AD0000-0x00007FFA74591000-memory.dmp
memory/3768-94-0x000002983E140000-0x000002983E1F5000-memory.dmp
memory/3768-93-0x000002983E120000-0x000002983E13C000-memory.dmp
memory/3768-83-0x00007FF4A41D0000-0x00007FF4A41E0000-memory.dmp
memory/3768-95-0x000002983DEF0000-0x000002983DEFA000-memory.dmp
memory/3768-96-0x000002983E340000-0x000002983E35C000-memory.dmp
memory/3768-97-0x000002983DF00000-0x000002983DF0A000-memory.dmp
memory/3768-99-0x000002983DF10000-0x000002983DF18000-memory.dmp
memory/3768-98-0x000002983E380000-0x000002983E39A000-memory.dmp
memory/3768-100-0x000002983E360000-0x000002983E366000-memory.dmp
memory/3768-101-0x000002983E370000-0x000002983E37A000-memory.dmp
memory/3768-102-0x00000298238D0000-0x00000298238E0000-memory.dmp
memory/4316-114-0x0000000000D40000-0x0000000000D60000-memory.dmp
memory/3616-115-0x00007FF644ED0000-0x00007FF646109000-memory.dmp
memory/3616-116-0x00007FFA92790000-0x00007FFA92985000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 0c5f3483a23c84f846ea7953c4bdd390 |
| SHA1 | fa9d08eb946292f9e9578de5cac7d9ddad8eb49d |
| SHA256 | 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d |
| SHA512 | 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f |
C:\Windows\TEMP\grrhfnlxagtw.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 2d29fd3ae57f422e2b2121141dc82253 |
| SHA1 | c2464c857779c0ab4f5e766f5028fcc651a6c6b7 |
| SHA256 | 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4 |
| SHA512 | 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68 |
memory/3768-105-0x00007FFA73AD0000-0x00007FFA74591000-memory.dmp
memory/1428-117-0x00007FF7AFCF0000-0x00007FF7AFD03000-memory.dmp
memory/4316-118-0x00007FF763640000-0x00007FF763E80000-memory.dmp
memory/4316-120-0x00007FF763640000-0x00007FF763E80000-memory.dmp
memory/4316-122-0x00007FF763640000-0x00007FF763E80000-memory.dmp
memory/4316-124-0x00007FF763640000-0x00007FF763E80000-memory.dmp
memory/4316-126-0x00007FF763640000-0x00007FF763E80000-memory.dmp