Malware Analysis Report

2025-01-18 05:11

Sample ID 231016-1yxctshe53
Target file.exe
SHA256 f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8
Tags
redline xmrig logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

redline xmrig logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware themida trojan

RedLine payload

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Executes dropped EXE

Themida packer

Loads dropped DLL

Checks BIOS information in registry

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 22:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 22:04

Reported

2023-10-16 22:07

Platform

win10v2004-20230915-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 22:04

Reported

2023-10-16 22:06

Platform

win7-20230831-en

Max time kernel

148s

Max time network

141s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (7 matches, no indicator details recorded)

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Google\Chrome\updater.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator details recorded)

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (22 matches, no indicator details recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2112 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3048 set thread context of 2024 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 3048 set thread context of 608 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0ed67e47c00da01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (x3)
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A (x12)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (x2)
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A (x12)
N/A N/A C:\Windows\explorer.exe N/A (x35)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x12)
PID 2596 wrote to memory of 2824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\mi.exe (x4)
PID 2412 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 2412 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 2412 wrote to memory of 544 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 2412 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 2412 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 1648 wrote to memory of 1080 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (x3)
PID 1648 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (x3)
PID 1648 wrote to memory of 2840 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (x3)
PID 1648 wrote to memory of 2464 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (x3)
PID 1296 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 1296 wrote to memory of 1820 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 1296 wrote to memory of 384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 1296 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 1296 wrote to memory of 1696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (x3)
PID 1624 wrote to memory of 1160 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (x3)
PID 1624 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (x3)
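The SetThreadContext and WriteProcessMemory tables above, read together, give the injection chain of this sample: file.exe (PID 2112) both writes into and re-points the main thread of the Microsoft-signed .NET host AppLaunch.exe (PID 2596), which is where the RedLine payload is dumped from; AppLaunch.exe then writes mi.exe (PID 2824); and the copy of mi.exe running as updater.exe (PID 3048) changes the thread context of conhost.exe (PID 2024) and explorer.exe (PID 608). The 0x140000000-0x140840000 region and SeLockMemoryPrivilege recorded for explorer.exe are consistent with a 64-bit XMRig image using large pages, though that is an inference from the report, not something it states. The script below is an added example, not sandbox-vendor code: it parses the two row formats, distinguishes a hollowed host (write plus thread context) from the ordinary write a parent makes into a child it has just spawned (cmd.exe into sc.exe), and renders the chain. The rows are copied from the tables above with repeats removed; the three labels are this example's own heuristic.

```python
"""Rebuild the process-injection chain from a sandbox's WriteProcessMemory
and SetThreadContext rows.

Added example written for this report, not sandbox-vendor code. The rows in
SAMPLE_ROWS are copied, with repeats removed, from the SetThreadContext and
WriteProcessMemory tables of the behavioral1 run; the three labels and the
chain layout are this example's own heuristic.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
PID 2112 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3048 set thread context of 2024 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 3048 set thread context of 608 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 2112 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2412 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1648 wrote to memory of 1080 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
""".strip().splitlines()

# "PID <src> <op> <dst> N/A <src image> <dst image>"; images may contain spaces,
# so the destination image is recognised by its drive-letter prefix.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(lines):
    """Group rows by (src_pid, dst_pid); each value holds the ops seen and both images."""
    pairs = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        entry = pairs.setdefault(key, {"ops": set(), "src": m["src_img"], "dst": m["dst_img"]})
        entry["ops"].add("write" if m["op"].startswith("wrote") else "setctx")
    return pairs


def label(entry):
    """Classify one writer->target edge."""
    if {"write", "setctx"} <= entry["ops"]:
        # Payload written into the child, then its initial thread pointed at it:
        # process hollowing of a signed host binary.
        return "process_hollowing"
    if "setctx" in entry["ops"]:
        # Context change without a recorded write. The write table on the page
        # is cut off, so this may still be hollowing; treat it as suspicious.
        return "thread_context_hijack"
    # A parent writing into a child it has just created is what CreateProcess
    # looks like in this telemetry (cmd.exe -> sc.exe); not injection on its own.
    return "spawn_write"


def injections(pairs):
    """(src image, dst image, label) for every edge that is not a plain spawn."""
    return sorted((basename(e["src"]), basename(e["dst"]), label(e))
                  for e in pairs.values() if label(e) != "spawn_write")


def chains(pairs):
    """Render each root process's write/context edges as 'image(pid) -> ...' paths."""
    by_src, images = defaultdict(list), {}
    for (s, d), e in pairs.items():
        by_src[s].append(d)
        images[s], images[d] = basename(e["src"]), basename(e["dst"])
    targets = {d for _, d in pairs}
    out = []

    def walk(pid, path, seen):
        path = path + [f"{images[pid]}({pid})"]
        nxt = [d for d in sorted(by_src.get(pid, [])) if d not in seen]
        if not nxt:
            out.append(" -> ".join(path))
        for d in nxt:
            walk(d, path, seen | {pid})

    for root in sorted(s for s in by_src if s not in targets):
        walk(root, [], set())
    return out


if __name__ == "__main__":
    pairs = parse_rows(SAMPLE_ROWS)
    for src, dst, verdict in injections(pairs):
        print(f"{src} -> {dst}: {verdict}")
    print("\n".join(chains(pairs)))
```

Run against the rows above it reports file.exe -> AppLaunch.exe as process_hollowing and the two updater.exe edges as thread_context_hijack, and prints the chain file.exe(2112) -> AppLaunch.exe(2596) -> mi.exe(2824). On a live host the same distinction matters: a signed binary such as AppLaunch.exe, conhost.exe or explorer.exe whose main thread was re-pointed by an unrelated process is the thing to dump, whatever its image on disk looks like.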

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
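The process list above is the whole XMRig-loader playbook in order: a Defender exclusion for the user profile and Program Files (which covers both mi.exe in Temp and the copy in Program Files\Google\Chrome), five Windows Update and delivery services stopped, every sleep and hibernate timeout set to zero so the miner keeps running, and a SYSTEM scheduled task named to look like a Google Update task (the real ones are GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA) pointed at updater.exe under a Google-looking path. The script below is an added example, not the sandbox's own code: it scores a process tree's command lines for exactly these moves. The command lines are copied from the behavioral1 process list; the rule set, tag names, ATT&CK mapping and the three-tag threshold are this example's own assumptions.

```python
"""Score a process tree's command lines for XMRig-loader tradecraft.

Added example written for this report; not the sandbox's own code. The
command lines in SAMPLE_CMDLINES are copied from the behavioral1 process
list. The rule set, tag names, the ATT&CK mapping and the three-tag
threshold are this example's assumptions.
"""
import re
from collections import Counter

SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\mi.exe"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r'C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"',
    r'C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"',
    r'"C:\Program Files\Google\Chrome\updater.exe"',
]

# Windows Update / delivery services the loader stops so updates do not
# disturb the miner (WaaSMedicSvc exists to repair Windows Update, so it
# has to go too).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# (tag, pattern, ATT&CK technique); the technique mapping is this example's assumption.
RULES = [
    ("defender_exclusion",
     re.compile(r"add-mppreference\s+-exclusionpath", re.I), "T1562.001"),
    ("powercfg_no_sleep",
     re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0", re.I), "T1496"),
    ("schtasks_system_xml",
     re.compile(r'schtasks(\.exe)?\s+/create.*?/ru\s+"?system"?.*?/xml\s+', re.I), "T1053.005"),
    ("google_masquerade",
     re.compile(r"\\Program Files\\Google\\Chrome\\updater\.exe", re.I), "T1036.005"),
]
TECHNIQUE_FOR = {tag: tech for tag, _, tech in RULES}
TECHNIQUE_FOR["update_services_stopped"] = "T1489"


def stopped_services(cmd):
    """Names passed to 'sc stop' anywhere in cmd, lower-cased."""
    return {m.group(1).lower()
            for m in re.finditer(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", cmd, re.I)}


def classify_cmdline(cmd):
    """Return the set of tags a single command line triggers."""
    tags = {tag for tag, rx, _ in RULES if rx.search(cmd)}
    # One stopped service is routine admin work; several update services at once is not.
    if len(stopped_services(cmd) & UPDATE_SERVICES) >= 2:
        tags.add("update_services_stopped")
    return tags


def report(cmdlines):
    """Aggregate tags over a process tree and give a verdict."""
    hits = Counter()
    stopped = set()
    for cmd in cmdlines:
        hits.update(classify_cmdline(cmd))
        stopped |= stopped_services(cmd) & UPDATE_SERVICES
    techniques = sorted({TECHNIQUE_FOR[t] for t in hits})
    # Any single tag has benign explanations; three distinct ones in one tree
    # (defence evasion, persistence, masquerading) is the loader pattern.
    verdict = "miner-loader" if len(hits) >= 3 else "inconclusive"
    return {"tags": dict(hits), "techniques": techniques,
            "stopped_services": sorted(stopped), "verdict": verdict}


if __name__ == "__main__":
    for key, value in report(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

On the command lines above it returns the verdict miner-loader with all five tags set. When triaging a host that shows any of these, the exclusion is the first thing to undo and verify (Get-MpPreference lists ExclusionPath), because the dropped updater.exe and the XML-defined task survive a reboot and Defender will not look at them while the exclusion stands.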

Network

Country Destination Domain Proto
GB 145.239.200.147:30225 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp

Files

memory/2596-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-1-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-2-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-3-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2596-7-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2596-10-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2596-11-0x0000000007310000-0x0000000007350000-memory.dmp

memory/2596-12-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2596-13-0x0000000007310000-0x0000000007350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF366.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarF3C6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

memory/2596-53-0x0000000008F00000-0x000000000A139000-memory.dmp

memory/2824-55-0x0000000077830000-0x00000000779D9000-memory.dmp

memory/2596-54-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2824-57-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-58-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-59-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-60-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-61-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-62-0x0000000077830000-0x00000000779D9000-memory.dmp

memory/944-67-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/944-68-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/944-69-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/944-70-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

memory/944-71-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

memory/944-73-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/944-72-0x0000000002250000-0x0000000002258000-memory.dmp

memory/944-74-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/944-75-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/2824-79-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-82-0x000000013FEF0000-0x0000000141129000-memory.dmp

memory/2824-83-0x0000000077830000-0x00000000779D9000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Program Files\Google\Chrome\updater.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

memory/3048-86-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-87-0x0000000077830000-0x00000000779D9000-memory.dmp

memory/3048-88-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-89-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-90-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-91-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-92-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-93-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-94-0x0000000077830000-0x00000000779D9000-memory.dmp

memory/2712-96-0x0000000019B40000-0x0000000019E22000-memory.dmp

memory/2712-97-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

memory/2712-98-0x0000000001050000-0x00000000010D0000-memory.dmp

memory/2712-100-0x0000000000A90000-0x0000000000A98000-memory.dmp

memory/2712-101-0x0000000001050000-0x00000000010D0000-memory.dmp

memory/2712-99-0x0000000001050000-0x00000000010D0000-memory.dmp

memory/2712-102-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

memory/2712-103-0x0000000001050000-0x00000000010D0000-memory.dmp

memory/2712-104-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Windows\TEMP\grrhfnlxagtw.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/608-114-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/3048-113-0x000000013F890000-0x0000000140AC9000-memory.dmp

memory/3048-115-0x0000000077830000-0x00000000779D9000-memory.dmp

memory/2024-116-0x0000000140000000-0x0000000140013000-memory.dmp

memory/608-117-0x0000000140000000-0x0000000140840000-memory.dmp

memory/608-119-0x0000000140000000-0x0000000140840000-memory.dmp

memory/608-121-0x0000000140000000-0x0000000140840000-memory.dmp

memory/608-123-0x0000000140000000-0x0000000140840000-memory.dmp

memory/608-125-0x0000000140000000-0x0000000140840000-memory.dmp

memory/608-127-0x0000000140000000-0x0000000140840000-memory.dmp