laplas | 084d376d323c8eb5d77a446295a94f236bb93945a4df6cdd5b96ba517584963e

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2023 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42a7f93250c5512797946e177cbaf44dfbed5d58.exe
Size

856KB
MD5

beeb5de149b4c472848421bee7416093
SHA1

42a7f93250c5512797946e177cbaf44dfbed5d58
SHA256

084d376d323c8eb5d77a446295a94f236bb93945a4df6cdd5b96ba517584963e
SHA512

22d165f268fca102ce2197e73d657f30d3e96eb5eaa3e7daf3cf6aeec4dbfeab9ed1be4a4a791fc386dcd8198dfb60c81aa6eb1a4679978ed1c738dc1b037153
SSDEEP

3072:ivS07xLCZ3IhEq6OdmpBf65NvDaNN5CEddUHzNJNMsnSJ9NJCHwFwkNEqWX/ODsv:ivS09LCZ3IhE5egMrXd

Score

10^/10

laplas redline xmrig infostealer miner persistence spyware stealer

Malware Config

Extracted

Family

redline

168.119.228.126:11552

Attributes

auth_value
ee2d0ef2a4d0cbee5b6303070e44cb8a

Extracted

Family

laplas

clipper.guru

Attributes

api_key
6421b2bdb6b1eebc6487e916bb1c79875fbc8da77152f9914b4aefb39a69f6d5

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4080-136-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/files/0x0006000000023257-218.dat	xmrig

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3996	update.exe
2148	System.exe
2716	dllhost.exe
1028	OEFGCBRcPg.exe
4756	winlogson.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2104	schtasks.exe
4936	schtasks.exe
3644	schtasks.exe
4428	schtasks.exe
2592	schtasks.exe
3472	schtasks.exe
4552	schtasks.exe
4988	schtasks.exe
1780	schtasks.exe
1128	schtasks.exe
4836	schtasks.exe
2844	schtasks.exe
1868	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	88	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	csc.exe
4080	csc.exe
3996	update.exe
3492	powershell.exe
3492	powershell.exe
1124	powershell.exe
1124	powershell.exe
5008	powershell.exe
5008	powershell.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe
2716	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	csc.exe
Token: SeDebugPrivilege	3996	update.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2716	dllhost.exe
Token: SeLockMemoryPrivilege	4756	winlogson.exe
Token: SeLockMemoryPrivilege	4756	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4756	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 204	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	80
PID 776 wrote to memory of 204	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	80
PID 776 wrote to memory of 204	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	80
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 776 wrote to memory of 4080	776	42a7f93250c5512797946e177cbaf44dfbed5d58.exe	81
PID 4080 wrote to memory of 3996	4080	csc.exe	83
PID 4080 wrote to memory of 3996	4080	csc.exe	83
PID 4080 wrote to memory of 3996	4080	csc.exe	83
PID 4080 wrote to memory of 2148	4080	csc.exe	86
PID 4080 wrote to memory of 2148	4080	csc.exe	86
PID 4080 wrote to memory of 2148	4080	csc.exe	86
PID 3996 wrote to memory of 3756	3996	update.exe	87
PID 3996 wrote to memory of 3756	3996	update.exe	87
PID 3996 wrote to memory of 3756	3996	update.exe	87
PID 3756 wrote to memory of 3608	3756	cmd.exe	89
PID 3756 wrote to memory of 3608	3756	cmd.exe	89
PID 3756 wrote to memory of 3608	3756	cmd.exe	89
PID 3756 wrote to memory of 3492	3756	cmd.exe	90
PID 3756 wrote to memory of 3492	3756	cmd.exe	90
PID 3756 wrote to memory of 3492	3756	cmd.exe	90
PID 3756 wrote to memory of 1124	3756	cmd.exe	91
PID 3756 wrote to memory of 1124	3756	cmd.exe	91
PID 3756 wrote to memory of 1124	3756	cmd.exe	91
PID 3756 wrote to memory of 5008	3756	cmd.exe	92
PID 3756 wrote to memory of 5008	3756	cmd.exe	92
PID 3756 wrote to memory of 5008	3756	cmd.exe	92
PID 3996 wrote to memory of 2716	3996	update.exe	93
PID 3996 wrote to memory of 2716	3996	update.exe	93
PID 3996 wrote to memory of 2716	3996	update.exe	93
PID 2148 wrote to memory of 3296	2148	System.exe	94
PID 2148 wrote to memory of 3296	2148	System.exe	94
PID 2148 wrote to memory of 3296	2148	System.exe	94
PID 3296 wrote to memory of 1128	3296	cmd.exe	96
PID 3296 wrote to memory of 1128	3296	cmd.exe	96
PID 3296 wrote to memory of 1128	3296	cmd.exe	96
PID 2716 wrote to memory of 528	2716	dllhost.exe	97
PID 2716 wrote to memory of 528	2716	dllhost.exe	97
PID 2716 wrote to memory of 528	2716	dllhost.exe	97
PID 2716 wrote to memory of 4060	2716	dllhost.exe	99
PID 2716 wrote to memory of 4060	2716	dllhost.exe	99
PID 2716 wrote to memory of 4060	2716	dllhost.exe	99
PID 2716 wrote to memory of 1192	2716	dllhost.exe	101
PID 2716 wrote to memory of 1192	2716	dllhost.exe	101
PID 2716 wrote to memory of 1192	2716	dllhost.exe	101
PID 2716 wrote to memory of 4916	2716	dllhost.exe	102
PID 2716 wrote to memory of 4916	2716	dllhost.exe	102
PID 2716 wrote to memory of 4916	2716	dllhost.exe	102
PID 2716 wrote to memory of 4996	2716	dllhost.exe	104
PID 2716 wrote to memory of 4996	2716	dllhost.exe	104
PID 2716 wrote to memory of 4996	2716	dllhost.exe	104
PID 2716 wrote to memory of 2316	2716	dllhost.exe	106
PID 2716 wrote to memory of 2316	2716	dllhost.exe	106
PID 2716 wrote to memory of 2316	2716	dllhost.exe	106
PID 2716 wrote to memory of 4832	2716	dllhost.exe	109
PID 2716 wrote to memory of 4832	2716	dllhost.exe	109
PID 2716 wrote to memory of 4832	2716	dllhost.exe	109
PID 2716 wrote to memory of 3068	2716	dllhost.exe	110
PID 2716 wrote to memory of 3068	2716	dllhost.exe	110

C:\Users\Admin\AppData\Local\Temp\42a7f93250c5512797946e177cbaf44dfbed5d58.exe
"C:\Users\Admin\AppData\Local\Temp\42a7f93250c5512797946e177cbaf44dfbed5d58.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\update.exe
    "C:\Users\Admin\AppData\Local\Temp\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:3608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:528
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1192
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4916
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4832
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1305" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2512
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1305" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3637" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4068
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3637" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3434" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3434" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5386" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:228
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5386" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:2592
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4992
      - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4756
- - C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C schtasks /create /tn JbBFjWcHIk /tr C:\Users\Admin\AppData\Roaming\JbBFjWcHIk\OEFGCBRcPg.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn JbBFjWcHIk /tr C:\Users\Admin\AppData\Roaming\JbBFjWcHIk\OEFGCBRcPg.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1128

C:\Users\Admin\AppData\Roaming\JbBFjWcHIk\OEFGCBRcPg.exe
C:\Users\Admin\AppData\Roaming\JbBFjWcHIk\OEFGCBRcPg.exe
1⤵
- Executes dropped EXE
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
60KB

MD5
8eac424b39ecd7724237708242536dce

SHA1
dbd058d840422fcaaf1d6897564e73be3641f7d3

SHA256
a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229

SHA512
1ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
60KB

MD5
8eac424b39ecd7724237708242536dce

SHA1
dbd058d840422fcaaf1d6897564e73be3641f7d3

SHA256
a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229

SHA512
1ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
6f4532e49d65c2be0355b222f96e06e8

SHA1
268e90ce25e01bbb205f6ae3f493f8da36a61480

SHA256
acaf8e844ef7f4f65033ebe9546c394cc21bce175dac8b59199106309f04e5ab

SHA512
85f495b0bbd0673df376f44e912f9a0a8d201c2843f1a9efa64d93703a2d8ba2b6fa2638a747e79604715d26ddfc07de26ba43d03adf86290d928b442bf09207

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
311B

MD5
a86dab3a83115be5f4ab7305f98d20d1

SHA1
205065359958ec8bf0bf9aef699d680fa477aac0

SHA256
9c05df57e16b54dda6dbd2bbc5362905d7d24bade2f447f23ec244adacfc8cfc

SHA512
78eb7f1db743472532b726e3bef831dd532c9f347ebb2b1f3a8333cd17972e75547e98b149ecee760c0bf384b941276a2151c0551a4351bebe26fcfa87dadb7d

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
13096d8d61cc161abad17c0d01e85ba3

SHA1
f68befac7ee6d02916676726d6d9f63299fc29fa

SHA256
2cfafde33d1bc95655a9ab469f9313f437f6dc9a168a095cfe125770df79be49

SHA512
9649543ac40020a66f7a252fd66ae054a6c4e845c802c583ab0ff6dc2eb15280d719f5bda38442e6943f800365aab2fdb7d544113346346b9e3a6998e3ff5ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
714a103f992132aae270574ec7505c90

SHA1
856aa1c9900a73710eac61c750f9cd7b2a6d4f01

SHA256
fe6909486c451a0c444648ee8047278baa6e023416585be7f89d874076911a2f

SHA512
8de07c84e080457b1defacd86dc484d650a4eadf7b71af9c0f993a761dcadb44e817790226db3912a4d9426bbed415ad8ca1211b3ebedccc37aaa953583ed47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d87cea3ecbb4dd5b5fc256518a0efb1c

SHA1
5e1c566af71813e4091af8912311046a4d27a81c

SHA256
2d6c3a334014f3f06b00f874e1730b270a165538d039281856168cfd79b36919

SHA512
a198348b0a7eb8a796e0df71587bff17eba870a15197a5409183d8b946f274efc1297e25c08a2837eb27a2dd3730223cc0410e3ef68ff9518f6411b988813d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
4.6MB

MD5
b104c66ebdb30b1d1e0ad45a7960807f

SHA1
eab91aadf465ff2ebbeb21f28d7eaec2ad21954b

SHA256
fb00f8583be5fdb2c0711ab318d319f58e37f6c177621f9c3132f209a6ae09d1

SHA512
d56148b368f30c51f803dcadfbc70166aef1eaa11bae69c42fcb7a138970320769b6e2410159cbd39371fdd620ce3e66a30aca08351b8f27058c44388521bc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
4.6MB

MD5
b104c66ebdb30b1d1e0ad45a7960807f

SHA1
eab91aadf465ff2ebbeb21f28d7eaec2ad21954b

SHA256
fb00f8583be5fdb2c0711ab318d319f58e37f6c177621f9c3132f209a6ae09d1

SHA512
d56148b368f30c51f803dcadfbc70166aef1eaa11bae69c42fcb7a138970320769b6e2410159cbd39371fdd620ce3e66a30aca08351b8f27058c44388521bc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
56KB

MD5
2e16b9fc1ce92309c4658bc5e78a5c63

SHA1
ffee7171cefd8bcf8e27671078bf40ad41e41cbc

SHA256
a2d08339c34dd2a487a9b13e12027f5df57d8080df13e6cf5f0328b6639095e3

SHA512
015a900c7f47d5c0e92bd3bc15b2aa5dcf7a8ec12900881582319c497a45d3ad1b3d33be2f221da2d501a86661f45e659c1ec5870db489e4e1d031ce5759c6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
56KB

MD5
2e16b9fc1ce92309c4658bc5e78a5c63

SHA1
ffee7171cefd8bcf8e27671078bf40ad41e41cbc

SHA256
a2d08339c34dd2a487a9b13e12027f5df57d8080df13e6cf5f0328b6639095e3

SHA512
015a900c7f47d5c0e92bd3bc15b2aa5dcf7a8ec12900881582319c497a45d3ad1b3d33be2f221da2d501a86661f45e659c1ec5870db489e4e1d031ce5759c6de

Download Submit
C:\Users\Admin\AppData\Roaming\JbBFjWcHIk\OEFGCBRcPg.exe

Filesize
411.8MB

MD5
d35fb8289f8c16f837a758b682e51cce

SHA1
7211d421024f6a6e8e892289dcbe28d34236aab5

SHA256
705071920237d4501a982c5cd1340456bea4607ba97331ee314a191da305bcf2

SHA512
ea45d5b4771fe0355f092e404749ac7d22348a1cc48a7ce88f5e72e570148a0bc571cc22d7f7ea6ed10c0316562922039967705513a533f0e7197f4a08a39b40

Download Submit
C:\Users\Admin\AppData\Roaming\JbBFjWcHIk\OEFGCBRcPg.exe

Filesize
415.1MB

MD5
c152d9dc9039dd5f9623078087ab9106

SHA1
b9225ffbbba1fd04d2c06051a74857e96cc972d5

SHA256
0a24234d8f824797eb04fba35c8610a13492f613f6a01ab50901427babcd33cb

SHA512
5f0fa23f054abb0528f355058e83e45a5bcc4076a1e2dd5f103ccc1200e10160bf50cc85f7e18566943cc5f398b931b4217e795a3e146f729bd3794819745f2e

Download Submit
memory/776-132-0x0000000000070000-0x000000000014A000-memory.dmp

Filesize
872KB

Download
memory/776-133-0x0000000004A50000-0x0000000004AB6000-memory.dmp

Filesize
408KB

Download
memory/1124-176-0x0000000071D00000-0x0000000071D4C000-memory.dmp

Filesize
304KB

Download
memory/2716-183-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/3492-169-0x0000000007710000-0x00000000077A6000-memory.dmp

Filesize
600KB

Download
memory/3492-167-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/3492-171-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/3492-172-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/3492-164-0x0000000071D00000-0x0000000071D4C000-memory.dmp

Filesize
304KB

Download
memory/3492-163-0x0000000006730000-0x0000000006762000-memory.dmp

Filesize
200KB

Download
memory/3492-158-0x0000000002B90000-0x0000000002BC6000-memory.dmp

Filesize
216KB

Download
memory/3492-159-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/3492-170-0x00000000076B0000-0x00000000076BE000-memory.dmp

Filesize
56KB

Download
memory/3492-160-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/3492-161-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3492-168-0x00000000074E0000-0x00000000074EA000-memory.dmp

Filesize
40KB

Download
memory/3492-165-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/3492-166-0x0000000007AF0000-0x000000000816A000-memory.dmp

Filesize
6.5MB

Download
memory/3492-162-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/3996-151-0x000000000AB40000-0x000000000AB4A000-memory.dmp

Filesize
40KB

Download
memory/3996-150-0x0000000000DD0000-0x0000000000DE4000-memory.dmp

Filesize
80KB

Download
memory/4080-137-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/4080-140-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/4080-142-0x0000000006050000-0x00000000060E2000-memory.dmp

Filesize
584KB

Download
memory/4080-143-0x0000000006EA0000-0x0000000007062000-memory.dmp

Filesize
1.8MB

Download
memory/4080-139-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/4080-144-0x0000000007BB0000-0x00000000080DC000-memory.dmp

Filesize
5.2MB

Download
memory/4080-145-0x0000000007070000-0x00000000070E6000-memory.dmp

Filesize
472KB

Download
memory/4080-138-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/4080-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4080-141-0x0000000006520000-0x0000000006AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4080-146-0x0000000006E10000-0x0000000006E60000-memory.dmp

Filesize
320KB

Download
memory/4756-221-0x0000022402710000-0x0000022402750000-memory.dmp

Filesize
256KB

Download
memory/4756-219-0x0000022400E10000-0x0000022400E30000-memory.dmp

Filesize
128KB

Download
memory/5008-179-0x0000000071D00000-0x0000000071D4C000-memory.dmp

Filesize
304KB

Download