redline | eef30a1e1439c24ec96d1b4e3996cd6dbae3df677a35c2e88cdb2516bc4ccd19

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AllSoftware/setup.exe
Size

350.2MB
MD5

f3acb4ad0e54be9cf01bf7601b95e0c2
SHA1

4978bd134d3f27636b1648298b1d12c687cc635a
SHA256

94d2ad113de21287251ed4ac1faed0cc6119cb5c3a4734cc7ac6583e01e708f0
SHA512

c2f866ade2b0ba6fa0dd6012e101f4433df78cffad1415eaf332fda60efd1d162524446fdd3727fd9b39702bf5bc29e679249b321b5c42e440a4e472f25a5c3c
SSDEEP

6144:jla1MsbYD0n3bwZotq1/RU82KlcN2F6fAlKe:5a1Msz3bzq1/RUkrF6fsK

Score

10^/10

redline @patrickbat3men infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

@PatrickBat3men

185.215.113.69:15544

Attributes

auth_value
d863b06c2a0af571a3a24c11a2a15b07

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2144-133-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4576	Update.exe
5108	System.exe
1112	dllhost.exe
4208	runtime.exe
1392	runtime.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2144	2116	setup.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4536	2116	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3100	schtasks.exe
2780	schtasks.exe
5044	schtasks.exe
4640	schtasks.exe
1072	schtasks.exe
2216	schtasks.exe
3664	schtasks.exe
3244	schtasks.exe
4496	schtasks.exe
3120	schtasks.exe
4212	schtasks.exe
3624	schtasks.exe
4280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	AppLaunch.exe
2144	AppLaunch.exe
420	powershell.exe
420	powershell.exe
4132	powershell.exe
4132	powershell.exe
1548	powershell.exe
1548	powershell.exe
5108	System.exe
5080	powershell.exe
5080	powershell.exe
4876	powershell.exe
4876	powershell.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	AppLaunch.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	5108	System.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1112	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2144	2116	setup.exe	86
PID 2116 wrote to memory of 2144	2116	setup.exe	86
PID 2116 wrote to memory of 2144	2116	setup.exe	86
PID 2116 wrote to memory of 2144	2116	setup.exe	86
PID 2116 wrote to memory of 2144	2116	setup.exe	86
PID 2144 wrote to memory of 4576	2144	AppLaunch.exe	92
PID 2144 wrote to memory of 4576	2144	AppLaunch.exe	92
PID 4576 wrote to memory of 420	4576	Update.exe	93
PID 4576 wrote to memory of 420	4576	Update.exe	93
PID 2144 wrote to memory of 5108	2144	AppLaunch.exe	96
PID 2144 wrote to memory of 5108	2144	AppLaunch.exe	96
PID 2144 wrote to memory of 5108	2144	AppLaunch.exe	96
PID 420 wrote to memory of 2216	420	powershell.exe	97
PID 420 wrote to memory of 2216	420	powershell.exe	97
PID 4576 wrote to memory of 4132	4576	Update.exe	98
PID 4576 wrote to memory of 4132	4576	Update.exe	98
PID 4132 wrote to memory of 3664	4132	powershell.exe	100
PID 4132 wrote to memory of 3664	4132	powershell.exe	100
PID 4576 wrote to memory of 1548	4576	Update.exe	101
PID 4576 wrote to memory of 1548	4576	Update.exe	101
PID 1548 wrote to memory of 3244	1548	powershell.exe	103
PID 1548 wrote to memory of 3244	1548	powershell.exe	103
PID 5108 wrote to memory of 4728	5108	System.exe	104
PID 5108 wrote to memory of 4728	5108	System.exe	104
PID 5108 wrote to memory of 4728	5108	System.exe	104
PID 4728 wrote to memory of 4292	4728	cmd.exe	106
PID 4728 wrote to memory of 4292	4728	cmd.exe	106
PID 4728 wrote to memory of 4292	4728	cmd.exe	106
PID 4728 wrote to memory of 5080	4728	cmd.exe	107
PID 4728 wrote to memory of 5080	4728	cmd.exe	107
PID 4728 wrote to memory of 5080	4728	cmd.exe	107
PID 4728 wrote to memory of 4876	4728	cmd.exe	108
PID 4728 wrote to memory of 4876	4728	cmd.exe	108
PID 4728 wrote to memory of 4876	4728	cmd.exe	108
PID 5108 wrote to memory of 1112	5108	System.exe	109
PID 5108 wrote to memory of 1112	5108	System.exe	109
PID 5108 wrote to memory of 1112	5108	System.exe	109
PID 1112 wrote to memory of 3088	1112	dllhost.exe	111
PID 1112 wrote to memory of 3088	1112	dllhost.exe	111
PID 1112 wrote to memory of 3088	1112	dllhost.exe	111
PID 1112 wrote to memory of 1800	1112	dllhost.exe	110
PID 1112 wrote to memory of 1800	1112	dllhost.exe	110
PID 1112 wrote to memory of 1800	1112	dllhost.exe	110
PID 1112 wrote to memory of 4004	1112	dllhost.exe	121
PID 1112 wrote to memory of 4004	1112	dllhost.exe	121
PID 1112 wrote to memory of 4004	1112	dllhost.exe	121
PID 1112 wrote to memory of 4072	1112	dllhost.exe	112
PID 1112 wrote to memory of 4072	1112	dllhost.exe	112
PID 1112 wrote to memory of 4072	1112	dllhost.exe	112
PID 1112 wrote to memory of 4808	1112	dllhost.exe	119
PID 1112 wrote to memory of 4808	1112	dllhost.exe	119
PID 1112 wrote to memory of 4808	1112	dllhost.exe	119
PID 1112 wrote to memory of 1192	1112	dllhost.exe	117
PID 1112 wrote to memory of 1192	1112	dllhost.exe	117
PID 1112 wrote to memory of 1192	1112	dllhost.exe	117
PID 1112 wrote to memory of 2400	1112	dllhost.exe	116
PID 1112 wrote to memory of 2400	1112	dllhost.exe	116
PID 1112 wrote to memory of 2400	1112	dllhost.exe	116
PID 1112 wrote to memory of 4448	1112	dllhost.exe	115
PID 1112 wrote to memory of 4448	1112	dllhost.exe	115
PID 1112 wrote to memory of 4448	1112	dllhost.exe	115
PID 1112 wrote to memory of 1256	1112	dllhost.exe	114
PID 1112 wrote to memory of 1256	1112	dllhost.exe	114
PID 1112 wrote to memory of 1256	1112	dllhost.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AllSoftware\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AllSoftware\setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:420
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:2216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:3664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:3244
- - C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1800
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4072
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6537" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1256
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6537" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4448
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2400
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1192
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4808
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4004
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1094" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4736
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1094" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3941" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4384
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3941" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4856" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:3364
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:3760
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:180
      - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        6⤵
        
        PID:2644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 632
  2⤵
  - Program crash
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2116 -ip 2116
1⤵
PID:4208

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
24KB

MD5
acf4152befc5768daaf11c92fd3899b0

SHA1
f8a210a2a00876f15008f275063988e5cf534722

SHA256
64c80419e5ca81a5bfee32e223b5676aac6d47c4aa8168ceae6247f766c291d6

SHA512
15bdde54be38e7ed0828f238bd2f0bcdc1a73671118225b731760fe4beb568a72570bad9b1a97a237291b394f1d3155aa6fcac209f6ae0a3db6608e0036c56d1

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
24KB

MD5
acf4152befc5768daaf11c92fd3899b0

SHA1
f8a210a2a00876f15008f275063988e5cf534722

SHA256
64c80419e5ca81a5bfee32e223b5676aac6d47c4aa8168ceae6247f766c291d6

SHA512
15bdde54be38e7ed0828f238bd2f0bcdc1a73671118225b731760fe4beb568a72570bad9b1a97a237291b394f1d3155aa6fcac209f6ae0a3db6608e0036c56d1

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
9bc83276af97842def832a8e4a57ff89

SHA1
f9412e836938d2e67b1681ef562955218568bd74

SHA256
33f0be926c68f749a4fbede88a55ee546e00dd9041ec762a6d491d30b2286492

SHA512
161c14dcc27cd66ee2c77dc959308a7c5aa1d94da356cd663cf93e4aa47b3eb54e1f799f9e4f202bc9fea2af84043899ce829954e85f50deb320a7ce9ec3d9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e60a17771d16b4cb1e687102e12092d9

SHA1
0dc0f968f419ffea4673d0471b50d186b7b13fb7

SHA256
554d5f4dacac6acc052164aae3af07ec1282f2e4f7cd268109b3da70c15cc90c

SHA512
cd29fe7f95f86dc51bc5e8e5142ab9ffb22ff280cae912f0a94009eca355d137c565bc07a3fbfb75e97d55fad9feb133faecbdc8ebd614a835819452c75d5dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
205.0MB

MD5
9204488fcffc24b65d1ea082373950cd

SHA1
7a924ff65fd9f1ca0087ba192afb6681b758aacb

SHA256
3876d25882c137d8d355b9e4afaae2263ada9a6e62d0bdd13093bdc8c99d2fe2

SHA512
b4049abe3ff21b1ae63cb305ff7491826e1da18f55003e6f059028740bf6de9bd2855a786de9b6d7b360ca23441e0ead71646724f28de4f65dfd2a6626cb8b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
203.6MB

MD5
12600f57f5344266ab441d8f42311eb3

SHA1
10d8f32b174867b4372d9de846c64b1fe1054a87

SHA256
fe2d50529f2b6b27e008469311839846e561c82d9c3983d8228904cda0026b77

SHA512
ebe79fa43333500df8e54668235ad641296109309b1535f76e8f105c978187012f83954214f6339d268ad01748e643725a45b86f7b8acf4eb8d8d7b2703aba67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
203.8MB

MD5
90b364fbf892216bb9b05b637328b0f0

SHA1
5acafb95bc9c068dcda0a80ce34327fda99c79ac

SHA256
c0c1dc68c599648200b3f1974869f3c885fd159d1737621490484e1beb170e2b

SHA512
89c3b552f2d4fd0270329b4ae616752cdb004802e5942e87396badbdb335b3c22d51e9fb148ef2ed05c2150988c326125a1e648525ce1d591f18666873fef9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
204.1MB

MD5
ceb907acf72574b78c8e6394601494b5

SHA1
60ff9411c7f094ad27142b16f0c74c1fcd69896c

SHA256
aa0f51b5e50d5a0264853c2c0d2882f4aa9cb41f8649227a457f83b790d00244

SHA512
51a94e7d32a5b360f397f2f7221d4171767905a67e47717d1ecd32b79cd9f9c70ca5b4ebab4b968a84e1dae96f28ea9d4e11f48a2fb875083a3a4ca67f1c9754

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
62KB

MD5
09a29f3b529c5e9ab25a47973bb0900a

SHA1
b8dce851d01dbe0335f11fa8449b52a2270776e6

SHA256
33035a718f5445742b82707f0ba6aff80337cac1e89b6b3b8b51177c7f9f578a

SHA512
35e92a26fc392b15eb7fd78ca1f6a6c08afe42ed535fd020237215d7f4db0f66fa0676eb70d646f8790c9724c30c605a99b33cf6a6c84c3de78f6061f1a48efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
62KB

MD5
09a29f3b529c5e9ab25a47973bb0900a

SHA1
b8dce851d01dbe0335f11fa8449b52a2270776e6

SHA256
33035a718f5445742b82707f0ba6aff80337cac1e89b6b3b8b51177c7f9f578a

SHA512
35e92a26fc392b15eb7fd78ca1f6a6c08afe42ed535fd020237215d7f4db0f66fa0676eb70d646f8790c9724c30c605a99b33cf6a6c84c3de78f6061f1a48efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
62KB

MD5
09a29f3b529c5e9ab25a47973bb0900a

SHA1
b8dce851d01dbe0335f11fa8449b52a2270776e6

SHA256
33035a718f5445742b82707f0ba6aff80337cac1e89b6b3b8b51177c7f9f578a

SHA512
35e92a26fc392b15eb7fd78ca1f6a6c08afe42ed535fd020237215d7f4db0f66fa0676eb70d646f8790c9724c30c605a99b33cf6a6c84c3de78f6061f1a48efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smhshjmm.j0j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/420-183-0x00000177E76B0000-0x00000177E76C0000-memory.dmp

Filesize
64KB

Download
memory/420-184-0x00000177E76B0000-0x00000177E76C0000-memory.dmp

Filesize
64KB

Download
memory/420-182-0x00000177E7610000-0x00000177E7632000-memory.dmp

Filesize
136KB

Download
memory/1112-284-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1112-285-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/1112-302-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/1548-218-0x0000023F70F90000-0x0000023F70FA0000-memory.dmp

Filesize
64KB

Download
memory/1548-220-0x0000023F70F90000-0x0000023F70FA0000-memory.dmp

Filesize
64KB

Download
memory/1548-219-0x0000023F70F90000-0x0000023F70FA0000-memory.dmp

Filesize
64KB

Download
memory/2144-138-0x0000000005BF0000-0x0000000006208000-memory.dmp

Filesize
6.1MB

Download
memory/2144-143-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/2144-144-0x00000000065B0000-0x0000000006642000-memory.dmp

Filesize
584KB

Download
memory/2144-140-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/2144-145-0x0000000006C00000-0x00000000071A4000-memory.dmp

Filesize
5.6MB

Download
memory/2144-148-0x0000000008360000-0x000000000888C000-memory.dmp

Filesize
5.2MB

Download
memory/2144-141-0x00000000056D0000-0x000000000570C000-memory.dmp

Filesize
240KB

Download
memory/2144-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2144-146-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2144-139-0x0000000005740000-0x000000000584A000-memory.dmp

Filesize
1.0MB

Download
memory/2144-147-0x0000000007C60000-0x0000000007E22000-memory.dmp

Filesize
1.8MB

Download
memory/2144-142-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4132-202-0x00000223EBA30000-0x00000223EBA40000-memory.dmp

Filesize
64KB

Download
memory/4132-204-0x00000223EBA30000-0x00000223EBA40000-memory.dmp

Filesize
64KB

Download
memory/4876-286-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4876-287-0x0000000074630000-0x000000007467C000-memory.dmp

Filesize
304KB

Download
memory/4876-297-0x000000007F6C0000-0x000000007F6D0000-memory.dmp

Filesize
64KB

Download
memory/4876-279-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4876-278-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/5080-223-0x0000000004CF0000-0x0000000005318000-memory.dmp

Filesize
6.2MB

Download
memory/5080-250-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/5080-262-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/5080-263-0x0000000006F30000-0x0000000006F3E000-memory.dmp

Filesize
56KB

Download
memory/5080-264-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/5080-265-0x0000000006FE0000-0x0000000006FE8000-memory.dmp

Filesize
32KB

Download
memory/5080-255-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

Filesize
40KB

Download
memory/5080-254-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/5080-253-0x000000007EFB0000-0x000000007EFC0000-memory.dmp

Filesize
64KB

Download
memory/5080-251-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/5080-252-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/5080-222-0x00000000008D0000-0x0000000000906000-memory.dmp

Filesize
216KB

Download
memory/5080-240-0x0000000075150000-0x000000007519C000-memory.dmp

Filesize
304KB

Download
memory/5080-239-0x0000000006010000-0x0000000006042000-memory.dmp

Filesize
200KB

Download
memory/5080-238-0x0000000005A70000-0x0000000005A8E000-memory.dmp

Filesize
120KB

Download
memory/5080-232-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/5080-226-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/5080-225-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/5080-224-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/5108-261-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/5108-186-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/5108-185-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/5108-172-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download