redline | b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25-01-2022 20:58

220125-zr9txafah2 10

25-01-2022 05:22

220125-f2kszshddn 10

Analysis

max time kernel
120s
max time network
158s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

redline infostealer persistence

Malware Config

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3044	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2400-549-0x0000019A0EB90000-0x0000019A26D40000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

4352 dllhost.exe

pid	process
4352	dllhost.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5320340037751e10748b6463fab8ee0.exeb5320340037751e10748b6463fab8ee0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\KBDKNI\\dllhost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\typesv3\\powershell.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WMSysPr9\\explorer.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\usbceip\\sihost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pspluginwkr\\powershell.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\Windows.Energy\\spoolsv.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Program Files (x86)\\Windows Mail\\en-US\\ShellExperienceHost.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 13 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exeb5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Windows\System32\KBDKNI\5940a34987c991	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\powershell.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\usbceip\sihost.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\usbceip\sihost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\bthprops\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\KBDKNI\dllhost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\e978f868350d50	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\Windows.Energy\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\Windows.Energy\f3b6ecef712a24	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\usbceip\66fc9ff0ee96c2	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\KBDKNI\dllhost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\powershell.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\e978f868350d50	b5320340037751e10748b6463fab8ee0.exe

Drops file in Program Files directory 2 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\en-US\ShellExperienceHost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\f8c8f1285d826b	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 2 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Windows\WMSysPr9\explorer.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\WMSysPr9\7a0fd90576e088	b5320340037751e10748b6463fab8ee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2096	schtasks.exe
1184	schtasks.exe
2076	schtasks.exe
4200	schtasks.exe
4064	schtasks.exe
2324	schtasks.exe
1948	schtasks.exe
1296	schtasks.exe
1152	schtasks.exe

Modifies registry class 2 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exeb5320340037751e10748b6463fab8ee0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	b5320340037751e10748b6463fab8ee0.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	b5320340037751e10748b6463fab8ee0.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exepowershell.exepowershell.exepowershell.exepowershell.exeb5320340037751e10748b6463fab8ee0.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1480	b5320340037751e10748b6463fab8ee0.exe
4028	powershell.exe
1912	powershell.exe
8	powershell.exe
1920	powershell.exe
8	powershell.exe
1912	powershell.exe
4028	powershell.exe
1920	powershell.exe
8	powershell.exe
1912	powershell.exe
4028	powershell.exe
1920	powershell.exe
3144	b5320340037751e10748b6463fab8ee0.exe
3144	b5320340037751e10748b6463fab8ee0.exe
3144	b5320340037751e10748b6463fab8ee0.exe
3028	powershell.exe
4808	powershell.exe
2080	powershell.exe
2160	powershell.exe
2304	powershell.exe
2236	powershell.exe
2400	powershell.exe
2160	powershell.exe
2080	powershell.exe
2304	powershell.exe
2160	powershell.exe
4808	powershell.exe
2080	powershell.exe
3028	powershell.exe
2304	powershell.exe
2236	powershell.exe
2400	powershell.exe
4808	powershell.exe
3028	powershell.exe
2236	powershell.exe
2400	powershell.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1480	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeIncreaseQuotaPrivilege	8	powershell.exe
Token: SeSecurityPrivilege	8	powershell.exe
Token: SeTakeOwnershipPrivilege	8	powershell.exe
Token: SeLoadDriverPrivilege	8	powershell.exe
Token: SeSystemProfilePrivilege	8	powershell.exe
Token: SeSystemtimePrivilege	8	powershell.exe
Token: SeProfSingleProcessPrivilege	8	powershell.exe
Token: SeIncBasePriorityPrivilege	8	powershell.exe
Token: SeCreatePagefilePrivilege	8	powershell.exe
Token: SeBackupPrivilege	8	powershell.exe
Token: SeRestorePrivilege	8	powershell.exe
Token: SeShutdownPrivilege	8	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeSystemEnvironmentPrivilege	8	powershell.exe
Token: SeRemoteShutdownPrivilege	8	powershell.exe
Token: SeUndockPrivilege	8	powershell.exe
Token: SeManageVolumePrivilege	8	powershell.exe
Token: 33	8	powershell.exe
Token: 34	8	powershell.exe
Token: 35	8	powershell.exe
Token: 36	8	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe
Token: 36	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.execmd.exeb5320340037751e10748b6463fab8ee0.execmd.exe

description	pid	process	target process
PID 1480 wrote to memory of 1920	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 1920	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 8	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 8	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 4028	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 4028	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 1912	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 1912	1480	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 1480 wrote to memory of 3264	1480	b5320340037751e10748b6463fab8ee0.exe	cmd.exe
PID 1480 wrote to memory of 3264	1480	b5320340037751e10748b6463fab8ee0.exe	cmd.exe
PID 3264 wrote to memory of 1512	3264	cmd.exe	w32tm.exe
PID 3264 wrote to memory of 1512	3264	cmd.exe	w32tm.exe
PID 3264 wrote to memory of 3144	3264	cmd.exe	b5320340037751e10748b6463fab8ee0.exe
PID 3264 wrote to memory of 3144	3264	cmd.exe	b5320340037751e10748b6463fab8ee0.exe
PID 3144 wrote to memory of 4808	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 4808	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2080	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2080	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2160	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2160	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2236	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2236	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2304	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2304	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 3028	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 3028	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2400	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 2400	3144	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 3144 wrote to memory of 3760	3144	b5320340037751e10748b6463fab8ee0.exe	cmd.exe
PID 3144 wrote to memory of 3760	3144	b5320340037751e10748b6463fab8ee0.exe	cmd.exe
PID 3760 wrote to memory of 1808	3760	cmd.exe	w32tm.exe
PID 3760 wrote to memory of 1808	3760	cmd.exe	w32tm.exe
PID 3760 wrote to memory of 4352	3760	cmd.exe	dllhost.exe
PID 3760 wrote to memory of 4352	3760	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\usbceip\sihost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LcUCQgXmkJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
    "C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\powershell.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\WMSysPr9\explorer.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\ShellExperienceHost.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M41JbAjmV0.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1808
    - - C:\Windows\System32\KBDKNI\dllhost.exe
        
        "C:\Windows\System32\KBDKNI\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Energy\spoolsv.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\powershell.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDKNI\dllhost.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\usbceip\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDKNI\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Energy\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WMSysPr9\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b5320340037751e10748b6463fab8ee0.exe.log

MD5
ec478fd232f4de82c5d99e3aa64a7a89

SHA1
ea872d8eba8e17d4b2ebac7e12dc7ee758095995

SHA256
a95efbfb725f3562661d57f733110cc0e6e15208e060b5fedb3acd513659515f

SHA512
68cb7ebe4c4f6124cdd6f66e541a95f21ed2614ad928ad1ed65f090938d935a6e1f7a6f9ca1555f19ef76e38217a028a79dc77da3c4098cfa6b9d28bc12c1abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
638573117032c383982b6e1ccd4c59d2

SHA1
b4033ce05b908d54a3a91537709d27db8cdb6160

SHA256
5895cd59235991d6684e6418bd494087b0fdb7606478fd8832a189301c75c87d

SHA512
4bfa35a404dc339ad74cc7d4ae06d31fea4e1ba8e6254ba2486fa43d3e8bca5797938cf901afaebcec726cb88a0f2b50304f0a06df9a783d9906ed1a293d6874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
638573117032c383982b6e1ccd4c59d2

SHA1
b4033ce05b908d54a3a91537709d27db8cdb6160

SHA256
5895cd59235991d6684e6418bd494087b0fdb7606478fd8832a189301c75c87d

SHA512
4bfa35a404dc339ad74cc7d4ae06d31fea4e1ba8e6254ba2486fa43d3e8bca5797938cf901afaebcec726cb88a0f2b50304f0a06df9a783d9906ed1a293d6874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
638573117032c383982b6e1ccd4c59d2

SHA1
b4033ce05b908d54a3a91537709d27db8cdb6160

SHA256
5895cd59235991d6684e6418bd494087b0fdb7606478fd8832a189301c75c87d

SHA512
4bfa35a404dc339ad74cc7d4ae06d31fea4e1ba8e6254ba2486fa43d3e8bca5797938cf901afaebcec726cb88a0f2b50304f0a06df9a783d9906ed1a293d6874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
edbda2c68465440d47140ea0822eb8ee

SHA1
d2c9a4a3182d0146f67eb754807775f559769932

SHA256
ff868998d314cc02c20e14f0898ce64034dadc5f9bcb4ceb7cdd535fa1dd433d

SHA512
0a3ab3520bfb30266523fa0b2977f417b9981cac78cc13640b9329b9b38da72d02f0a1a65c8286439e3238c3a53ad7a720474c10b446a61a8cde9a9d811ea5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ef783ff2d53055f1cb104bdd7bbde815

SHA1
0f188532f80d37ff7117a5a507f1a438165552bf

SHA256
7d1f9317be02cf58c531bbd8926fa8a11225aaba9b3c3e9f563fbbfcd13aec06

SHA512
8785093407afb55cae6196b118a179a4035783c3f0610e6df88714287be8f384ad32d847b7db28e4216bb11c3db90c121ebfe28999e9dd76a8cb15e5f2001e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ef783ff2d53055f1cb104bdd7bbde815

SHA1
0f188532f80d37ff7117a5a507f1a438165552bf

SHA256
7d1f9317be02cf58c531bbd8926fa8a11225aaba9b3c3e9f563fbbfcd13aec06

SHA512
8785093407afb55cae6196b118a179a4035783c3f0610e6df88714287be8f384ad32d847b7db28e4216bb11c3db90c121ebfe28999e9dd76a8cb15e5f2001e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7ee2a14dff5ce3a52630e352c3bd23fd

SHA1
9152192be0c274bd98ba05e18e7d19b4ad5f4c0f

SHA256
4b2f2453f581ba4c7fc724122ce7009a73c4e6de5b58d87fd0f355d4eba2000d

SHA512
1f7328d4141276fe05101d254cf682c7f31244523f6c4173aa24b6a31265ad1057200154c8d7ff1e70bf5ad3df14238f7817b2bc1713649b09bf5414e1339ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7135679247b14d419d03db09eeaaed67

SHA1
b2e82bb50fa9caf8cf2b4a30cc00ea2ce92a4355

SHA256
6054a79de01bb1697f65d4ac47bf7e45ea40db52b3bf9de431db8a18cd31884b

SHA512
8f8a196c22e12abb9344635c2c3d9f83f68b2b856c15344670427f20855571686d8dfe6311f84463a7982ec260a6d3c8760ad1412235ba38311b720802227418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f329c969199dd9906e8957e32fbea592

SHA1
658cf271e65807132d8253cf0fc06a643f262d00

SHA256
8439abd744f88b63f2fd3531e8c242e92ecd02976c36a4c2db18fc2042425c58

SHA512
cffc89921edc6282641b8caae57622c7e2af8b61e90f3f435afec34956d9222c5edb3b16c7fd8e271868d06b74c101bb130ceceb45e87d0317e8e7dbab4d4ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcUCQgXmkJ.bat

MD5
130b011dea6ca2db0fd801654dc70afc

SHA1
107e3a46094cf764ae126d22f9ba89b11fb3babb

SHA256
3a7c98566d548cbfbb98fb392cdde35c39e087f01cdbc1ce670fc18d3c7611af

SHA512
c0de41691ceabec2ef28f0d4335123094b371f128fbbd1c8a582d5c6be5c546afafc15473fb53c9d7c3e23ee03046258c3aaf1240ffcf3798fe4c088f17e4e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\M41JbAjmV0.bat

MD5
763701ad16aaa5f275cc87f92bd39fed

SHA1
5bc654f79c76269fdcd8efec6e799e45cf5cc099

SHA256
956c9d70ee51000c93ac69bfa98723b1b3d8be6870359300369bc1955fc1f439

SHA512
fc22e8399abe6d6697beec5554d942baef4f8b649d39083adae2271113c1ef084ad56722f2d279b06f2db685fcfedb1a8d87375fc80daa285138e0eb8daca398

Download Submit
C:\Windows\System32\KBDKNI\dllhost.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\KBDKNI\dllhost.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
memory/8-172-0x000001E544320000-0x000001E544322000-memory.dmp

Filesize
8KB

Download
memory/8-200-0x000001E544326000-0x000001E544328000-memory.dmp

Filesize
8KB

Download
memory/8-288-0x000001E544328000-0x000001E544329000-memory.dmp

Filesize
4KB

Download
memory/8-174-0x000001E544323000-0x000001E544325000-memory.dmp

Filesize
8KB

Download
memory/1480-126-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/1480-122-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/1480-119-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/1480-120-0x0000000000DB0000-0x0000000000E06000-memory.dmp

Filesize
344KB

Download
memory/1480-118-0x0000000000470000-0x000000000069C000-memory.dmp

Filesize
2.2MB

Download
memory/1480-127-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/1480-125-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/1480-124-0x000000001BF80000-0x000000001C4A6000-memory.dmp

Filesize
5.1MB

Download
memory/1480-121-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1480-123-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/1912-165-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1912-285-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1912-160-0x0000026954470000-0x00000269544E6000-memory.dmp

Filesize
472KB

Download
memory/1912-167-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1912-199-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1920-289-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/1920-168-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/1920-169-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/1920-201-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/2080-551-0x0000015EA8558000-0x0000015EA8559000-memory.dmp

Filesize
4KB

Download
memory/2080-555-0x0000015EA8553000-0x0000015EA8555000-memory.dmp

Filesize
8KB

Download
memory/2080-554-0x0000015EA8550000-0x0000015EA8552000-memory.dmp

Filesize
8KB

Download
memory/2160-576-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2160-466-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2160-557-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2160-556-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2236-575-0x000002A4C43F0000-0x000002A4DC5E0000-memory.dmp

Filesize
385.9MB

Download
memory/2304-558-0x000001AD2B780000-0x000001AD2B782000-memory.dmp

Filesize
8KB

Download
memory/2304-552-0x000001AD2B788000-0x000001AD2B789000-memory.dmp

Filesize
4KB

Download
memory/2400-581-0x0000019A0EB90000-0x0000019A26D40000-memory.dmp

Filesize
385.7MB

Download
memory/2400-549-0x0000019A0EB90000-0x0000019A26D40000-memory.dmp

Filesize
385.7MB

Download
memory/3028-469-0x000001E9A2380000-0x000001E9A2382000-memory.dmp

Filesize
8KB

Download
memory/3028-553-0x000001E9A2388000-0x000001E9A2389000-memory.dmp

Filesize
4KB

Download
memory/3028-473-0x000001E9A2383000-0x000001E9A2385000-memory.dmp

Filesize
8KB

Download
memory/3144-284-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/3144-287-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/3144-279-0x0000000000D10000-0x0000000000D66000-memory.dmp

Filesize
344KB

Download
memory/4028-148-0x0000018A58BF0000-0x0000018A58C12000-memory.dmp

Filesize
136KB

Download
memory/4028-198-0x0000018A58C66000-0x0000018A58C68000-memory.dmp

Filesize
8KB

Download
memory/4028-286-0x0000018A58C68000-0x0000018A58C69000-memory.dmp

Filesize
4KB

Download
memory/4028-163-0x0000018A58C60000-0x0000018A58C62000-memory.dmp

Filesize
8KB

Download
memory/4028-166-0x0000018A58C63000-0x0000018A58C65000-memory.dmp

Filesize
8KB

Download
memory/4352-541-0x0000000001330000-0x0000000001342000-memory.dmp

Filesize
72KB

Download
memory/4352-550-0x00000000012F0000-0x0000000001350000-memory.dmp

Filesize
384KB

Download
memory/4352-544-0x000000001BEF0000-0x000000001C0B2000-memory.dmp

Filesize
1.8MB

Download
memory/4808-463-0x000001B9A8B40000-0x000001B9C0CB0000-memory.dmp

Filesize
385.4MB

Download
memory/4808-522-0x000001B9A8B40000-0x000001B9C0CB0000-memory.dmp

Filesize
385.4MB

Download