redline | b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25-01-2022 20:58

220125-zr9txafah2 10

25-01-2022 05:22

220125-f2kszshddn 10

Analysis

max time kernel
120s
max time network
158s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

redline infostealer persistence

Malware Config

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3044	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3044	schtasks.exe	68

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2400-549-0x0000019A0EB90000-0x0000019A26D40000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
4352	dllhost.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\KBDKNI\\dllhost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\typesv3\\powershell.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WMSysPr9\\explorer.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\usbceip\\sihost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pspluginwkr\\powershell.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\Windows.Energy\\spoolsv.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Program Files (x86)\\Windows Mail\\en-US\\ShellExperienceHost.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System32\KBDKNI\5940a34987c991	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\powershell.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\usbceip\sihost.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\usbceip\sihost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\bthprops\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\KBDKNI\dllhost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\e978f868350d50	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\Windows.Energy\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\Windows.Energy\f3b6ecef712a24	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\usbceip\66fc9ff0ee96c2	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\KBDKNI\dllhost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\powershell.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\e978f868350d50	b5320340037751e10748b6463fab8ee0.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\en-US\ShellExperienceHost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\f8c8f1285d826b	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WMSysPr9\explorer.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\WMSysPr9\7a0fd90576e088	b5320340037751e10748b6463fab8ee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2096	schtasks.exe
1184	schtasks.exe
2076	schtasks.exe
4200	schtasks.exe
4064	schtasks.exe
2324	schtasks.exe
1948	schtasks.exe
1296	schtasks.exe
1152	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	b5320340037751e10748b6463fab8ee0.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	b5320340037751e10748b6463fab8ee0.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1480	b5320340037751e10748b6463fab8ee0.exe
4028	powershell.exe
1912	powershell.exe
8	powershell.exe
1920	powershell.exe
8	powershell.exe
1912	powershell.exe
4028	powershell.exe
1920	powershell.exe
8	powershell.exe
1912	powershell.exe
4028	powershell.exe
1920	powershell.exe
3144	b5320340037751e10748b6463fab8ee0.exe
3144	b5320340037751e10748b6463fab8ee0.exe
3144	b5320340037751e10748b6463fab8ee0.exe
3028	powershell.exe
4808	powershell.exe
2080	powershell.exe
2160	powershell.exe
2304	powershell.exe
2236	powershell.exe
2400	powershell.exe
2160	powershell.exe
2080	powershell.exe
2304	powershell.exe
2160	powershell.exe
4808	powershell.exe
2080	powershell.exe
3028	powershell.exe
2304	powershell.exe
2236	powershell.exe
2400	powershell.exe
4808	powershell.exe
3028	powershell.exe
2236	powershell.exe
2400	powershell.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe
4352	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeIncreaseQuotaPrivilege	8	powershell.exe
Token: SeSecurityPrivilege	8	powershell.exe
Token: SeTakeOwnershipPrivilege	8	powershell.exe
Token: SeLoadDriverPrivilege	8	powershell.exe
Token: SeSystemProfilePrivilege	8	powershell.exe
Token: SeSystemtimePrivilege	8	powershell.exe
Token: SeProfSingleProcessPrivilege	8	powershell.exe
Token: SeIncBasePriorityPrivilege	8	powershell.exe
Token: SeCreatePagefilePrivilege	8	powershell.exe
Token: SeBackupPrivilege	8	powershell.exe
Token: SeRestorePrivilege	8	powershell.exe
Token: SeShutdownPrivilege	8	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeSystemEnvironmentPrivilege	8	powershell.exe
Token: SeRemoteShutdownPrivilege	8	powershell.exe
Token: SeUndockPrivilege	8	powershell.exe
Token: SeManageVolumePrivilege	8	powershell.exe
Token: 33	8	powershell.exe
Token: 34	8	powershell.exe
Token: 35	8	powershell.exe
Token: 36	8	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe
Token: 36	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1920	1480	b5320340037751e10748b6463fab8ee0.exe	72
PID 1480 wrote to memory of 1920	1480	b5320340037751e10748b6463fab8ee0.exe	72
PID 1480 wrote to memory of 8	1480	b5320340037751e10748b6463fab8ee0.exe	73
PID 1480 wrote to memory of 8	1480	b5320340037751e10748b6463fab8ee0.exe	73
PID 1480 wrote to memory of 4028	1480	b5320340037751e10748b6463fab8ee0.exe	79
PID 1480 wrote to memory of 4028	1480	b5320340037751e10748b6463fab8ee0.exe	79
PID 1480 wrote to memory of 1912	1480	b5320340037751e10748b6463fab8ee0.exe	78
PID 1480 wrote to memory of 1912	1480	b5320340037751e10748b6463fab8ee0.exe	78
PID 1480 wrote to memory of 3264	1480	b5320340037751e10748b6463fab8ee0.exe	80
PID 1480 wrote to memory of 3264	1480	b5320340037751e10748b6463fab8ee0.exe	80
PID 3264 wrote to memory of 1512	3264	cmd.exe	82
PID 3264 wrote to memory of 1512	3264	cmd.exe	82
PID 3264 wrote to memory of 3144	3264	cmd.exe	83
PID 3264 wrote to memory of 3144	3264	cmd.exe	83
PID 3144 wrote to memory of 4808	3144	b5320340037751e10748b6463fab8ee0.exe	91
PID 3144 wrote to memory of 4808	3144	b5320340037751e10748b6463fab8ee0.exe	91
PID 3144 wrote to memory of 2080	3144	b5320340037751e10748b6463fab8ee0.exe	106
PID 3144 wrote to memory of 2080	3144	b5320340037751e10748b6463fab8ee0.exe	106
PID 3144 wrote to memory of 2160	3144	b5320340037751e10748b6463fab8ee0.exe	93
PID 3144 wrote to memory of 2160	3144	b5320340037751e10748b6463fab8ee0.exe	93
PID 3144 wrote to memory of 2236	3144	b5320340037751e10748b6463fab8ee0.exe	105
PID 3144 wrote to memory of 2236	3144	b5320340037751e10748b6463fab8ee0.exe	105
PID 3144 wrote to memory of 2304	3144	b5320340037751e10748b6463fab8ee0.exe	104
PID 3144 wrote to memory of 2304	3144	b5320340037751e10748b6463fab8ee0.exe	104
PID 3144 wrote to memory of 3028	3144	b5320340037751e10748b6463fab8ee0.exe	101
PID 3144 wrote to memory of 3028	3144	b5320340037751e10748b6463fab8ee0.exe	101
PID 3144 wrote to memory of 2400	3144	b5320340037751e10748b6463fab8ee0.exe	99
PID 3144 wrote to memory of 2400	3144	b5320340037751e10748b6463fab8ee0.exe	99
PID 3144 wrote to memory of 3760	3144	b5320340037751e10748b6463fab8ee0.exe	102
PID 3144 wrote to memory of 3760	3144	b5320340037751e10748b6463fab8ee0.exe	102
PID 3760 wrote to memory of 1808	3760	cmd.exe	107
PID 3760 wrote to memory of 1808	3760	cmd.exe	107
PID 3760 wrote to memory of 4352	3760	cmd.exe	108
PID 3760 wrote to memory of 4352	3760	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\usbceip\sihost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LcUCQgXmkJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
    "C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\powershell.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\WMSysPr9\explorer.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\ShellExperienceHost.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M41JbAjmV0.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1808
    - - C:\Windows\System32\KBDKNI\dllhost.exe
        
        "C:\Windows\System32\KBDKNI\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Energy\spoolsv.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\powershell.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDKNI\dllhost.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\usbceip\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDKNI\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\typesv3\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Energy\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WMSysPr9\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-172-0x000001E544320000-0x000001E544322000-memory.dmp

Filesize
8KB

Download
memory/8-200-0x000001E544326000-0x000001E544328000-memory.dmp

Filesize
8KB

Download
memory/8-288-0x000001E544328000-0x000001E544329000-memory.dmp

Filesize
4KB

Download
memory/8-174-0x000001E544323000-0x000001E544325000-memory.dmp

Filesize
8KB

Download
memory/1480-126-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/1480-122-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/1480-119-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/1480-120-0x0000000000DB0000-0x0000000000E06000-memory.dmp

Filesize
344KB

Download
memory/1480-118-0x0000000000470000-0x000000000069C000-memory.dmp

Filesize
2.2MB

Download
memory/1480-127-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/1480-125-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/1480-124-0x000000001BF80000-0x000000001C4A6000-memory.dmp

Filesize
5.1MB

Download
memory/1480-121-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1480-123-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/1912-165-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1912-285-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1912-160-0x0000026954470000-0x00000269544E6000-memory.dmp

Filesize
472KB

Download
memory/1912-167-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1912-199-0x0000026939B80000-0x0000026939BB0000-memory.dmp

Filesize
192KB

Download
memory/1920-289-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/1920-168-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/1920-169-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/1920-201-0x000001C17B5B0000-0x000001C17B690000-memory.dmp

Filesize
896KB

Download
memory/2080-551-0x0000015EA8558000-0x0000015EA8559000-memory.dmp

Filesize
4KB

Download
memory/2080-555-0x0000015EA8553000-0x0000015EA8555000-memory.dmp

Filesize
8KB

Download
memory/2080-554-0x0000015EA8550000-0x0000015EA8552000-memory.dmp

Filesize
8KB

Download
memory/2160-576-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2160-466-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2160-557-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2160-556-0x000001F47A640000-0x000001F47A660000-memory.dmp

Filesize
128KB

Download
memory/2236-575-0x000002A4C43F0000-0x000002A4DC5E0000-memory.dmp

Filesize
385.9MB

Download
memory/2304-558-0x000001AD2B780000-0x000001AD2B782000-memory.dmp

Filesize
8KB

Download
memory/2304-552-0x000001AD2B788000-0x000001AD2B789000-memory.dmp

Filesize
4KB

Download
memory/2400-581-0x0000019A0EB90000-0x0000019A26D40000-memory.dmp

Filesize
385.7MB

Download
memory/2400-549-0x0000019A0EB90000-0x0000019A26D40000-memory.dmp

Filesize
385.7MB

Download
memory/3028-469-0x000001E9A2380000-0x000001E9A2382000-memory.dmp

Filesize
8KB

Download
memory/3028-553-0x000001E9A2388000-0x000001E9A2389000-memory.dmp

Filesize
4KB

Download
memory/3028-473-0x000001E9A2383000-0x000001E9A2385000-memory.dmp

Filesize
8KB

Download
memory/3144-284-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/3144-287-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/3144-279-0x0000000000D10000-0x0000000000D66000-memory.dmp

Filesize
344KB

Download
memory/4028-148-0x0000018A58BF0000-0x0000018A58C12000-memory.dmp

Filesize
136KB

Download
memory/4028-198-0x0000018A58C66000-0x0000018A58C68000-memory.dmp

Filesize
8KB

Download
memory/4028-286-0x0000018A58C68000-0x0000018A58C69000-memory.dmp

Filesize
4KB

Download
memory/4028-163-0x0000018A58C60000-0x0000018A58C62000-memory.dmp

Filesize
8KB

Download
memory/4028-166-0x0000018A58C63000-0x0000018A58C65000-memory.dmp

Filesize
8KB

Download
memory/4352-541-0x0000000001330000-0x0000000001342000-memory.dmp

Filesize
72KB

Download
memory/4352-550-0x00000000012F0000-0x0000000001350000-memory.dmp

Filesize
384KB

Download
memory/4352-544-0x000000001BEF0000-0x000000001C0B2000-memory.dmp

Filesize
1.8MB

Download
memory/4808-463-0x000001B9A8B40000-0x000001B9C0CB0000-memory.dmp

Filesize
385.4MB

Download
memory/4808-522-0x000001B9A8B40000-0x000001B9C0CB0000-memory.dmp

Filesize
385.4MB

Download