raccoon | 428b820b1ffe34eb41bb4ff1909f299b90df21e5b41052b0bd283c212f64fef2

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39a1f23b47f11d5b3e691fdf901aafea.exe
Size

862KB
MD5

39a1f23b47f11d5b3e691fdf901aafea
SHA1

cc97907047c8b80321a33630195aa34c9984eeb5
SHA256

428b820b1ffe34eb41bb4ff1909f299b90df21e5b41052b0bd283c212f64fef2
SHA512

3057c1eaea2e482da6e9b3502ce289ca22bd396fb44fd18a484532472fca24c52c1bde043f5b9e32fe832ba93138f8c0e2295c94d766d9f70822e896846df9c8
SSDEEP

12288:Llrs2RbKAlpWE8HS/DmCMJmoA9cDRUkmgc8Wv1tF:ZrUuoE8HCDmNA9cDRUkmgrWv1tF

Score

10^/10

raccoon redline xmrig ytstealer c7ede4e1d38311f89345e94d76fa9d65 discovery infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

c7ede4e1d38311f89345e94d76fa9d65

http://45.15.156.11/

rc4.plain

Extracted

Family

redline

78.24.216.5:42717

Attributes

auth_value
6687e352a0604d495c3851d248ebf06f

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3392-164-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2812-182-0x0000000000BD0000-0x00000000019E2000-memory.dmp	family_ytstealer
behavioral2/memory/3240-187-0x00000000003D0000-0x00000000011A9000-memory.dmp	family_ytstealer
behavioral2/memory/2812-228-0x0000000000BD0000-0x00000000019E2000-memory.dmp	family_ytstealer
behavioral2/memory/3240-231-0x00000000003D0000-0x00000000011A9000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x00010000000231ef-235.dat	xmrig
behavioral2/files/0x00010000000231ef-236.dat	xmrig

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1252	2.0.1-beta.exe
3924	u7iHw02S.exe
2812	S8P2oKSL.exe
3240	6tbLMC8q.exe
4016	dllhost.exe
428	winlogson.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022dd5-150.dat	upx
behavioral2/files/0x0001000000022dd5-151.dat	upx
behavioral2/memory/2812-152-0x0000000000BD0000-0x00000000019E2000-memory.dmp	upx
behavioral2/files/0x0001000000022dd6-154.dat	upx
behavioral2/files/0x0001000000022dd6-155.dat	upx
behavioral2/memory/3240-157-0x00000000003D0000-0x00000000011A9000-memory.dmp	upx
behavioral2/memory/2812-182-0x0000000000BD0000-0x00000000019E2000-memory.dmp	upx
behavioral2/memory/3240-187-0x00000000003D0000-0x00000000011A9000-memory.dmp	upx
behavioral2/memory/2812-228-0x0000000000BD0000-0x00000000019E2000-memory.dmp	upx
behavioral2/memory/3240-231-0x00000000003D0000-0x00000000011A9000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	39a1f23b47f11d5b3e691fdf901aafea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2.0.1-beta.exe

Loads dropped DLL 3 IoCs

pid	Process
1252	2.0.1-beta.exe
1252	2.0.1-beta.exe
1252	2.0.1-beta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4172 set thread context of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1780	schtasks.exe
4704	schtasks.exe
3932	schtasks.exe
4844	schtasks.exe
4612	schtasks.exe
3068	schtasks.exe
3664	schtasks.exe
2816	schtasks.exe
2120	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	39a1f23b47f11d5b3e691fdf901aafea.exe
4172	39a1f23b47f11d5b3e691fdf901aafea.exe
3924	u7iHw02S.exe
4532	powershell.exe
4532	powershell.exe
1436	powershell.exe
1436	powershell.exe
3392	InstallUtil.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4824	powershell.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4824	powershell.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
3088	powershell.exe
3088	powershell.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
3240	6tbLMC8q.exe
3240	6tbLMC8q.exe
3240	6tbLMC8q.exe
3240	6tbLMC8q.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe
4016	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	39a1f23b47f11d5b3e691fdf901aafea.exe
Token: SeDebugPrivilege	3924	u7iHw02S.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	3392	InstallUtil.exe
Token: SeDebugPrivilege	4016	dllhost.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeLockMemoryPrivilege	428	winlogson.exe
Token: SeLockMemoryPrivilege	428	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
428	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 1252	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	82
PID 4172 wrote to memory of 1252	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	82
PID 4172 wrote to memory of 1252	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	82
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 4172 wrote to memory of 3392	4172	39a1f23b47f11d5b3e691fdf901aafea.exe	83
PID 1252 wrote to memory of 3924	1252	2.0.1-beta.exe	85
PID 1252 wrote to memory of 3924	1252	2.0.1-beta.exe	85
PID 1252 wrote to memory of 3924	1252	2.0.1-beta.exe	85
PID 1252 wrote to memory of 2812	1252	2.0.1-beta.exe	87
PID 1252 wrote to memory of 2812	1252	2.0.1-beta.exe	87
PID 1252 wrote to memory of 3240	1252	2.0.1-beta.exe	88
PID 1252 wrote to memory of 3240	1252	2.0.1-beta.exe	88
PID 3924 wrote to memory of 828	3924	u7iHw02S.exe	89
PID 3924 wrote to memory of 828	3924	u7iHw02S.exe	89
PID 3924 wrote to memory of 828	3924	u7iHw02S.exe	89
PID 828 wrote to memory of 2404	828	cmd.exe	91
PID 828 wrote to memory of 2404	828	cmd.exe	91
PID 828 wrote to memory of 2404	828	cmd.exe	91
PID 828 wrote to memory of 4532	828	cmd.exe	92
PID 828 wrote to memory of 4532	828	cmd.exe	92
PID 828 wrote to memory of 4532	828	cmd.exe	92
PID 828 wrote to memory of 1436	828	cmd.exe	93
PID 828 wrote to memory of 1436	828	cmd.exe	93
PID 828 wrote to memory of 1436	828	cmd.exe	93
PID 3924 wrote to memory of 4016	3924	u7iHw02S.exe	94
PID 3924 wrote to memory of 4016	3924	u7iHw02S.exe	94
PID 3924 wrote to memory of 4016	3924	u7iHw02S.exe	94
PID 4016 wrote to memory of 4592	4016	dllhost.exe	95
PID 4016 wrote to memory of 4592	4016	dllhost.exe	95
PID 4016 wrote to memory of 4592	4016	dllhost.exe	95
PID 4016 wrote to memory of 2684	4016	dllhost.exe	97
PID 4016 wrote to memory of 2684	4016	dllhost.exe	97
PID 4016 wrote to memory of 2684	4016	dllhost.exe	97
PID 4016 wrote to memory of 3708	4016	dllhost.exe	98
PID 4016 wrote to memory of 3708	4016	dllhost.exe	98
PID 4016 wrote to memory of 3708	4016	dllhost.exe	98
PID 4016 wrote to memory of 3808	4016	dllhost.exe	100
PID 4016 wrote to memory of 3808	4016	dllhost.exe	100
PID 4016 wrote to memory of 3808	4016	dllhost.exe	100
PID 4016 wrote to memory of 1844	4016	dllhost.exe	107
PID 4016 wrote to memory of 1844	4016	dllhost.exe	107
PID 4016 wrote to memory of 1844	4016	dllhost.exe	107
PID 4016 wrote to memory of 2256	4016	dllhost.exe	103
PID 4016 wrote to memory of 2256	4016	dllhost.exe	103
PID 4016 wrote to memory of 2256	4016	dllhost.exe	103
PID 4016 wrote to memory of 1656	4016	dllhost.exe	106
PID 4016 wrote to memory of 1656	4016	dllhost.exe	106
PID 4016 wrote to memory of 1656	4016	dllhost.exe	106
PID 4016 wrote to memory of 1772	4016	dllhost.exe	109
PID 4016 wrote to memory of 1772	4016	dllhost.exe	109
PID 4016 wrote to memory of 1772	4016	dllhost.exe	109
PID 4016 wrote to memory of 816	4016	dllhost.exe	110
PID 4016 wrote to memory of 816	4016	dllhost.exe	110
PID 4016 wrote to memory of 816	4016	dllhost.exe	110
PID 4016 wrote to memory of 3964	4016	dllhost.exe	112
PID 4016 wrote to memory of 3964	4016	dllhost.exe	112
PID 4016 wrote to memory of 3964	4016	dllhost.exe	112
PID 4016 wrote to memory of 3036	4016	dllhost.exe	114

C:\Users\Admin\AppData\Local\Temp\39a1f23b47f11d5b3e691fdf901aafea.exe
"C:\Users\Admin\AppData\Local\Temp\39a1f23b47f11d5b3e691fdf901aafea.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2.0.1-beta.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2.0.1-beta.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\u7iHw02S.exe
    "C:\Users\Admin\AppData\Local\Temp\u7iHw02S.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4592
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2684
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3808
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2256
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1656
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1844
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6276" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:816
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6276" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9626" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3964
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9626" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3943" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3036
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3943" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8041" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:5092
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:760
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:2548
      - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:428
- - C:\Users\Admin\AppData\Local\Temp\S8P2oKSL.exe
    "C:\Users\Admin\AppData\Local\Temp\S8P2oKSL.exe"
    3⤵
    - Executes dropped EXE
    PID:2812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "Get-WmiObject Win32_PortConnector"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3088
- - C:\Users\Admin\AppData\Local\Temp\6tbLMC8q.exe
    "C:\Users\Admin\AppData\Local\Temp\6tbLMC8q.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\6tbLMC8q.exe
      4⤵
      PID:4056
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
313B

MD5
f920724371620678f04d3578dcf70b03

SHA1
fef9541c5d2a818518d934300e20aba60df6c82c

SHA256
40764f677fa97fe2ef4c9099e94b107f345286f11e38d9c22dca6ba3d8053d05

SHA512
5dcbe7fe11bef73611d3669dc0c3f787ebb27ef668ca217acc05f39b3d4330fce58f26f16d4ab5ab99a807c218dc370cb4ea227c1e5498d61f05a8cd40ce86e2

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
4875e0a9b5559ea56e4c06993b89fd9e

SHA1
b1619f3579a946022892e882cbe1daca1c95487e

SHA256
bc6f134a8103a5fa02f8146ea17e59e8eb6dcda4aba64601e01cde2ef00e39f5

SHA512
ac1508d1068cc9d5a395a452be524ca1538c0bb32384b80952e443ae43e2382485910279fbc9408774562d8e5c51899ee026c82da84081f984cfc47e7bda3f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
09bd615161835b0415b7b314f70cc5db

SHA1
ce55f3706257584a4e34fdb7aa35e9ecef5e8c8b

SHA256
d5233c37cc0b00c7845003dbe86b6f1a9f4ad702a358881fcec2aaa1000f5751

SHA512
0a74ae6b5b45ba2d0f9187b5d6d2bc466c2b95803b2f35a2203587b45141117b3df25181b75250bb1d7638728525c10c5f612d59bba444583a47903f9341bd9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8b3329ee30570e5d15a68bc3d682d0f4

SHA1
df5d74f4717d02dff55bb2e25c5621f7c0a63576

SHA256
455fbf4c80db4a4a199a798c1d202b162bb43e88e33d57eab899a85a1a240514

SHA512
0827735d0f0db5501da7daec1d71db157cf5b79928434ab513a2d265d4035af12116e011a964a5716e74b8b410363ac890c37851a2255bdd3903a3c120bcf7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7d8c93aade740907b5a7cb38f7d62b03

SHA1
3a7d650b0449d66632845a2a7d3361c605374c8e

SHA256
136e86edc6c592a80db1d8d63d08a6a7fbe20410c117acb16a3822bec5ea77b9

SHA512
9dd81d6f9fbe940fc6bef190aab82a69566e62fd71c15bb9652d02c4e4281d5cee7e7992ff8b38654fec76025b7ecd4fcc81520e7d1892289e899d22f37d4009

Download Submit
C:\Users\Admin\AppData\Local\Temp\6tbLMC8q.exe

Filesize
4.0MB

MD5
75060018af84f824d7092df53e32302b

SHA1
ac2d9c265fce47fcc142ca6ebd71c97379f775de

SHA256
62593502aafb54977fe7d53e8f0312dfdc6336e6cba7172a771d37cf3f00c97e

SHA512
0a5b1066e75daa0fd2bb912911398cd6e829ea98aa831cba3d32bc82f0131f8f92a55fee8cffb5563769f1bc4742122ffc00805d48f6e0e9f53559fb5571a998

Download Submit
C:\Users\Admin\AppData\Local\Temp\6tbLMC8q.exe

Filesize
4.0MB

MD5
75060018af84f824d7092df53e32302b

SHA1
ac2d9c265fce47fcc142ca6ebd71c97379f775de

SHA256
62593502aafb54977fe7d53e8f0312dfdc6336e6cba7172a771d37cf3f00c97e

SHA512
0a5b1066e75daa0fd2bb912911398cd6e829ea98aa831cba3d32bc82f0131f8f92a55fee8cffb5563769f1bc4742122ffc00805d48f6e0e9f53559fb5571a998

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8P2oKSL.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8P2oKSL.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7iHw02S.exe

Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7iHw02S.exe

Filesize
72KB

MD5
ed273349dcfdbc3ad38937b248e716d9

SHA1
ac6856ede07307fcebd2a2a6ba6dc88563f8eb73

SHA256
be25a5efd1b35505dc31bba98070dc404865b0a1411eb41a76b17e3deb845598

SHA512
5edede7fc1f954e9454bb64bbcaf7aa32310889d30613cd96efe1815c6a7ae3c9d2e94260a9305966ee61863ec9161e14a422cf2863bd0cf787bab98388eeaae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2.0.1-beta.exe

Filesize
57KB

MD5
c8e8803848918c12275bd7658db00041

SHA1
c9e049b334bc504bff286379d4c00eb8e7c270ed

SHA256
bac760f4bbbee93e63a78bcaebf56448d2e1217bcb5b61db51ce44d3aac5cf6a

SHA512
b6cd612545fdb68d069a1257935ca67230bfadf95af63b484bc927ff9221ef24325c6d21604ac77da918046d68dc5cddf6acabdd6a5d8dbe0ff2a6dba5736c76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2.0.1-beta.exe

Filesize
57KB

MD5
c8e8803848918c12275bd7658db00041

SHA1
c9e049b334bc504bff286379d4c00eb8e7c270ed

SHA256
bac760f4bbbee93e63a78bcaebf56448d2e1217bcb5b61db51ce44d3aac5cf6a

SHA512
b6cd612545fdb68d069a1257935ca67230bfadf95af63b484bc927ff9221ef24325c6d21604ac77da918046d68dc5cddf6acabdd6a5d8dbe0ff2a6dba5736c76

Download Submit
memory/428-239-0x000001E754C30000-0x000001E754C70000-memory.dmp

Filesize
256KB

Download
memory/428-241-0x000001E754C70000-0x000001E754C90000-memory.dmp

Filesize
128KB

Download
memory/428-240-0x000001E754C70000-0x000001E754C90000-memory.dmp

Filesize
128KB

Download
memory/428-237-0x000001E753330000-0x000001E753350000-memory.dmp

Filesize
128KB

Download
memory/1436-184-0x0000000071910000-0x000000007195C000-memory.dmp

Filesize
304KB

Download
memory/2812-152-0x0000000000BD0000-0x00000000019E2000-memory.dmp

Filesize
14.1MB

Download
memory/2812-182-0x0000000000BD0000-0x00000000019E2000-memory.dmp

Filesize
14.1MB

Download
memory/2812-228-0x0000000000BD0000-0x00000000019E2000-memory.dmp

Filesize
14.1MB

Download
memory/3088-227-0x00007FFDB6270000-0x00007FFDB6D31000-memory.dmp

Filesize
10.8MB

Download
memory/3088-224-0x00000201C8500000-0x00000201C8522000-memory.dmp

Filesize
136KB

Download
memory/3088-226-0x00007FFDB6270000-0x00007FFDB6D31000-memory.dmp

Filesize
10.8MB

Download
memory/3240-187-0x00000000003D0000-0x00000000011A9000-memory.dmp

Filesize
13.8MB

Download
memory/3240-157-0x00000000003D0000-0x00000000011A9000-memory.dmp

Filesize
13.8MB

Download
memory/3240-231-0x00000000003D0000-0x00000000011A9000-memory.dmp

Filesize
13.8MB

Download
memory/3392-185-0x0000000006590000-0x0000000006606000-memory.dmp

Filesize
472KB

Download
memory/3392-186-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/3392-222-0x0000000008180000-0x00000000086AC000-memory.dmp

Filesize
5.2MB

Download
memory/3392-164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3392-166-0x0000000005B20000-0x0000000006138000-memory.dmp

Filesize
6.1MB

Download
memory/3392-217-0x0000000006890000-0x00000000068E0000-memory.dmp

Filesize
320KB

Download
memory/3392-169-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/3392-167-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/3392-221-0x00000000073F0000-0x00000000075B2000-memory.dmp

Filesize
1.8MB

Download
memory/3392-168-0x00000000056B0000-0x00000000057BA000-memory.dmp

Filesize
1.0MB

Download
memory/3924-147-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/3924-148-0x000000000C0E0000-0x000000000C146000-memory.dmp

Filesize
408KB

Download
memory/4016-191-0x0000000000800000-0x00000000008F4000-memory.dmp

Filesize
976KB

Download
memory/4172-136-0x0000000008E00000-0x0000000008E0A000-memory.dmp

Filesize
40KB

Download
memory/4172-134-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/4172-133-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/4172-135-0x0000000008E40000-0x0000000008ED2000-memory.dmp

Filesize
584KB

Download
memory/4172-132-0x00000000004A0000-0x000000000056A000-memory.dmp

Filesize
808KB

Download
memory/4532-171-0x0000000071910000-0x000000007195C000-memory.dmp

Filesize
304KB

Download
memory/4532-160-0x0000000004930000-0x0000000004966000-memory.dmp

Filesize
216KB

Download
memory/4532-161-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/4532-162-0x0000000004F20000-0x0000000004F42000-memory.dmp

Filesize
136KB

Download
memory/4532-163-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4532-165-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/4532-170-0x0000000006E80000-0x0000000006EB2000-memory.dmp

Filesize
200KB

Download
memory/4532-179-0x0000000007460000-0x0000000007468000-memory.dmp

Filesize
32KB

Download
memory/4532-178-0x0000000007520000-0x000000000753A000-memory.dmp

Filesize
104KB

Download
memory/4532-177-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/4532-176-0x0000000007480000-0x0000000007516000-memory.dmp

Filesize
600KB

Download
memory/4532-175-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/4532-174-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/4532-173-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/4532-172-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/4824-218-0x0000000071910000-0x000000007195C000-memory.dmp

Filesize
304KB

Download