redline | b5bb65f44c5f4e5021f914a090fc8167d7ab5f93b69bb589b283d8a1b80d18c8

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879A1CC064DBB64D3EC72FD1C246376E.exe
Size

168KB
MD5

879a1cc064dbb64d3ec72fd1c246376e
SHA1

29b7a5d7c3d890e4cd57c977ff0e0c6cf03010f8
SHA256

b5bb65f44c5f4e5021f914a090fc8167d7ab5f93b69bb589b283d8a1b80d18c8
SHA512

402d10f1ec986de7f6de6820378f92fb43853a64a808bb0a9dcea5178859b89048f262242d1502c65dd8d499a107178be6a57af9cea45ed43ad8f68b62fc4bd0
SSDEEP

3072:V0ODgnL3kfWp5Z466hJOVukx+qVEA9YbbCLmwB8e8hH:uOD+FkE+ogbCLmwB

Score

10^/10

redline xmrig xyi discovery infostealer miner persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

xyi

193.233.20.13:11552

Attributes

auth_value
047b878d2df34cc0bb8e92d3fa4f34d8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/files/0x0010000000023558-272.dat	family_xmrig
behavioral2/files/0x0010000000023558-272.dat	xmrig
behavioral2/files/0x0010000000023558-273.dat	family_xmrig
behavioral2/files/0x0010000000023558-273.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	879A1CC064DBB64D3EC72FD1C246376E.exe

Executes dropped EXE 3 IoCs

pid	Process
1600	update.exe
5028	dllhost.exe
2372	winlogson.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3720	schtasks.exe
4620	schtasks.exe
3084	schtasks.exe
3712	schtasks.exe
3364	schtasks.exe
3252	schtasks.exe
4696	schtasks.exe
4844	schtasks.exe
3716	schtasks.exe
1528	schtasks.exe
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	879A1CC064DBB64D3EC72FD1C246376E.exe
1808	879A1CC064DBB64D3EC72FD1C246376E.exe
1600	update.exe
732	powershell.exe
732	powershell.exe
4500	powershell.exe
4500	powershell.exe
2000	powershell.exe
2000	powershell.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	879A1CC064DBB64D3EC72FD1C246376E.exe
Token: SeDebugPrivilege	1600	update.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	5028	dllhost.exe
Token: SeLockMemoryPrivilege	2372	winlogson.exe
Token: SeLockMemoryPrivilege	2372	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1600	1808	879A1CC064DBB64D3EC72FD1C246376E.exe	86
PID 1808 wrote to memory of 1600	1808	879A1CC064DBB64D3EC72FD1C246376E.exe	86
PID 1808 wrote to memory of 1600	1808	879A1CC064DBB64D3EC72FD1C246376E.exe	86
PID 1600 wrote to memory of 1856	1600	update.exe	87
PID 1600 wrote to memory of 1856	1600	update.exe	87
PID 1600 wrote to memory of 1856	1600	update.exe	87
PID 1856 wrote to memory of 3016	1856	cmd.exe	89
PID 1856 wrote to memory of 3016	1856	cmd.exe	89
PID 1856 wrote to memory of 3016	1856	cmd.exe	89
PID 1856 wrote to memory of 732	1856	cmd.exe	90
PID 1856 wrote to memory of 732	1856	cmd.exe	90
PID 1856 wrote to memory of 732	1856	cmd.exe	90
PID 1856 wrote to memory of 4500	1856	cmd.exe	91
PID 1856 wrote to memory of 4500	1856	cmd.exe	91
PID 1856 wrote to memory of 4500	1856	cmd.exe	91
PID 1856 wrote to memory of 2000	1856	cmd.exe	93
PID 1856 wrote to memory of 2000	1856	cmd.exe	93
PID 1856 wrote to memory of 2000	1856	cmd.exe	93
PID 1600 wrote to memory of 5028	1600	update.exe	96
PID 1600 wrote to memory of 5028	1600	update.exe	96
PID 1600 wrote to memory of 5028	1600	update.exe	96
PID 5028 wrote to memory of 4344	5028	dllhost.exe	97
PID 5028 wrote to memory of 4344	5028	dllhost.exe	97
PID 5028 wrote to memory of 4344	5028	dllhost.exe	97
PID 5028 wrote to memory of 3580	5028	dllhost.exe	99
PID 5028 wrote to memory of 3580	5028	dllhost.exe	99
PID 5028 wrote to memory of 3580	5028	dllhost.exe	99
PID 5028 wrote to memory of 2792	5028	dllhost.exe	119
PID 5028 wrote to memory of 2792	5028	dllhost.exe	119
PID 5028 wrote to memory of 2792	5028	dllhost.exe	119
PID 5028 wrote to memory of 432	5028	dllhost.exe	101
PID 5028 wrote to memory of 432	5028	dllhost.exe	101
PID 5028 wrote to memory of 432	5028	dllhost.exe	101
PID 5028 wrote to memory of 2812	5028	dllhost.exe	102
PID 5028 wrote to memory of 2812	5028	dllhost.exe	102
PID 5028 wrote to memory of 2812	5028	dllhost.exe	102
PID 5028 wrote to memory of 4000	5028	dllhost.exe	117
PID 5028 wrote to memory of 4000	5028	dllhost.exe	117
PID 5028 wrote to memory of 4000	5028	dllhost.exe	117
PID 5028 wrote to memory of 3592	5028	dllhost.exe	116
PID 5028 wrote to memory of 3592	5028	dllhost.exe	116
PID 5028 wrote to memory of 3592	5028	dllhost.exe	116
PID 5028 wrote to memory of 2104	5028	dllhost.exe	114
PID 5028 wrote to memory of 2104	5028	dllhost.exe	114
PID 5028 wrote to memory of 2104	5028	dllhost.exe	114
PID 5028 wrote to memory of 4836	5028	dllhost.exe	104
PID 5028 wrote to memory of 4836	5028	dllhost.exe	104
PID 5028 wrote to memory of 4836	5028	dllhost.exe	104
PID 5028 wrote to memory of 2680	5028	dllhost.exe	112
PID 5028 wrote to memory of 2680	5028	dllhost.exe	112
PID 5028 wrote to memory of 2680	5028	dllhost.exe	112
PID 5028 wrote to memory of 2904	5028	dllhost.exe	107
PID 5028 wrote to memory of 2904	5028	dllhost.exe	107
PID 5028 wrote to memory of 2904	5028	dllhost.exe	107
PID 5028 wrote to memory of 3384	5028	dllhost.exe	106
PID 5028 wrote to memory of 3384	5028	dllhost.exe	106
PID 5028 wrote to memory of 3384	5028	dllhost.exe	106
PID 4344 wrote to memory of 3720	4344	cmd.exe	121
PID 4344 wrote to memory of 3720	4344	cmd.exe	121
PID 4344 wrote to memory of 3720	4344	cmd.exe	121
PID 3580 wrote to memory of 3364	3580	cmd.exe	122
PID 3580 wrote to memory of 3364	3580	cmd.exe	122
PID 3580 wrote to memory of 3364	3580	cmd.exe	122
PID 432 wrote to memory of 3716	432	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\879A1CC064DBB64D3EC72FD1C246376E.exe
"C:\Users\Admin\AppData\Local\Temp\879A1CC064DBB64D3EC72FD1C246376E.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:2812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk373" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk373" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8129" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:3384
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8129" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk49" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:2904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk49" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3252
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2529" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:2680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2529" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:2104
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:3592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2144
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:452
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1904
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
24KB

MD5
acf4152befc5768daaf11c92fd3899b0

SHA1
f8a210a2a00876f15008f275063988e5cf534722

SHA256
64c80419e5ca81a5bfee32e223b5676aac6d47c4aa8168ceae6247f766c291d6

SHA512
15bdde54be38e7ed0828f238bd2f0bcdc1a73671118225b731760fe4beb568a72570bad9b1a97a237291b394f1d3155aa6fcac209f6ae0a3db6608e0036c56d1

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
24KB

MD5
acf4152befc5768daaf11c92fd3899b0

SHA1
f8a210a2a00876f15008f275063988e5cf534722

SHA256
64c80419e5ca81a5bfee32e223b5676aac6d47c4aa8168ceae6247f766c291d6

SHA512
15bdde54be38e7ed0828f238bd2f0bcdc1a73671118225b731760fe4beb568a72570bad9b1a97a237291b394f1d3155aa6fcac209f6ae0a3db6608e0036c56d1

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.2MB

MD5
6c454e10bbea489cfc96253fe55ec282

SHA1
22fd5c79495ad06036635eff26a31c76d859e3b7

SHA256
a12c34fef1d6475d99aa9af2e8bf1fd55bca83982a0ee2a9131ffd9fd15cb2a7

SHA512
81f45ebeffc0205e4132db3f29584e267f986dc8b5e02f3d444a8470e24e073259cb2075af8a832aa09da1dc20b0609e2e4b3ec68284232ce86547e6bf794562

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.2MB

MD5
6c454e10bbea489cfc96253fe55ec282

SHA1
22fd5c79495ad06036635eff26a31c76d859e3b7

SHA256
a12c34fef1d6475d99aa9af2e8bf1fd55bca83982a0ee2a9131ffd9fd15cb2a7

SHA512
81f45ebeffc0205e4132db3f29584e267f986dc8b5e02f3d444a8470e24e073259cb2075af8a832aa09da1dc20b0609e2e4b3ec68284232ce86547e6bf794562

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
313B

MD5
7685e846884afc9bb7da3fc1a2971173

SHA1
0a8414d6a845922082eb56bf12eadf61f4953326

SHA256
2f7876c215a603759aa43d8a988e960ea825c720c6f14e1c578e239129553dae

SHA512
0f61095cf570ee201bacdc8def6fa583da6e7ef54c0e756572bf0e9796becd2fc76a3b8aace82de6288706e567dc38daa09044130dbe66876b68c173dc05ab28

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
44b6503a45dc94c8c9af93fbeeab1cec

SHA1
2bf63cb40380b0eebf05de7bcf2711e525dcae6f

SHA256
b74643cc427f37f508790ab1a93d3b491c082314e2595d6bd6df96e8d1a2cc7b

SHA512
3d7a87006467d65b82d814fc0c2f7d8d0c5ea43fbec3fb88368b82e9d25d01c892cd2faafbd69b194e73ab9b515d386d9dcd9b6cc6ea0bd5ab56079a355bd0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b953e6b4965059e2d093358d6dc63e94

SHA1
7bcee6c1b3ebc6dd64f6f5aaff63efc62ed828ca

SHA256
481a97e0565acb53fa1f780c679e01dc3b0dda192933582a355b477819831edd

SHA512
a2c44a06e84d733536a9381161466c3e645092964e9edc4422cedc70992ba39d3ee02e6628746a1f0333eef45b9b153ff135d01743a436f54fa0f38ff82200f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bea7c372f5196f8bde60c10a46eccceb

SHA1
678f721ace6ce0b2fb24660b4527246af584fe04

SHA256
cf952fbee909bc0ef7f0a1ccf195cf91f165bd9c9476fa142b4a056cebdbdca6

SHA512
aff869b1449fc03f7415c979d5e7389e472c81cfbad055c9beff9a152a6ffe654d5bfc1cbf1a3099e0618cea63d38e12277108efa61687565348e50471a3727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvnn5fmj.olm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
63KB

MD5
b7bc649a51698f067fe352cc825acf03

SHA1
6d66412367f01490a50b05168ce3f6e26fdb4a19

SHA256
758a1e1543f527cd1991894f49a4e9f66f550035875158ec34d3b3478040197e

SHA512
4df89530eb1c8b5b9e9a733f0c4baec710d562b55dae2a4bc31277f2f199b118224f1a87a803cf56260f8e4a6e22609ad9dea8c914723b008862d02e480430f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
63KB

MD5
b7bc649a51698f067fe352cc825acf03

SHA1
6d66412367f01490a50b05168ce3f6e26fdb4a19

SHA256
758a1e1543f527cd1991894f49a4e9f66f550035875158ec34d3b3478040197e

SHA512
4df89530eb1c8b5b9e9a733f0c4baec710d562b55dae2a4bc31277f2f199b118224f1a87a803cf56260f8e4a6e22609ad9dea8c914723b008862d02e480430f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
63KB

MD5
b7bc649a51698f067fe352cc825acf03

SHA1
6d66412367f01490a50b05168ce3f6e26fdb4a19

SHA256
758a1e1543f527cd1991894f49a4e9f66f550035875158ec34d3b3478040197e

SHA512
4df89530eb1c8b5b9e9a733f0c4baec710d562b55dae2a4bc31277f2f199b118224f1a87a803cf56260f8e4a6e22609ad9dea8c914723b008862d02e480430f5

Download Submit
memory/732-202-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/732-181-0x0000000070050000-0x000000007009C000-memory.dmp

Filesize
304KB

Download
memory/732-164-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/732-165-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/732-166-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/732-167-0x0000000005200000-0x0000000005828000-memory.dmp

Filesize
6.2MB

Download
memory/732-168-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/732-171-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/732-204-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/732-179-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/732-180-0x0000000006570000-0x00000000065A2000-memory.dmp

Filesize
200KB

Download
memory/732-203-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/732-191-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/732-192-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/732-193-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/732-194-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/732-195-0x000000007F460000-0x000000007F470000-memory.dmp

Filesize
64KB

Download
memory/732-196-0x0000000007330000-0x000000000733A000-memory.dmp

Filesize
40KB

Download
memory/732-197-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/1600-162-0x0000000004C10000-0x0000000004C1A000-memory.dmp

Filesize
40KB

Download
memory/1600-163-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/1600-161-0x0000000000100000-0x0000000000116000-memory.dmp

Filesize
88KB

Download
memory/1600-231-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/1808-146-0x000000000DCD0000-0x000000000E1FC000-memory.dmp

Filesize
5.2MB

Download
memory/1808-136-0x000000000A290000-0x000000000A2A2000-memory.dmp

Filesize
72KB

Download
memory/1808-144-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1808-145-0x000000000BF30000-0x000000000C0F2000-memory.dmp

Filesize
1.8MB

Download
memory/1808-142-0x000000000AE40000-0x000000000AEA6000-memory.dmp

Filesize
408KB

Download
memory/1808-140-0x000000000A720000-0x000000000A7B2000-memory.dmp

Filesize
584KB

Download
memory/1808-134-0x000000000A820000-0x000000000AE38000-memory.dmp

Filesize
6.1MB

Download
memory/1808-138-0x000000000A2F0000-0x000000000A32C000-memory.dmp

Filesize
240KB

Download
memory/1808-143-0x000000000C750000-0x000000000C7A0000-memory.dmp

Filesize
320KB

Download
memory/1808-139-0x000000000A600000-0x000000000A676000-memory.dmp

Filesize
472KB

Download
memory/1808-141-0x000000000B3F0000-0x000000000B994000-memory.dmp

Filesize
5.6MB

Download
memory/1808-137-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1808-135-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/1808-133-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/2000-246-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2000-247-0x0000000070050000-0x000000007009C000-memory.dmp

Filesize
304KB

Download
memory/2000-245-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2000-244-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2000-261-0x000000007F6F0000-0x000000007F700000-memory.dmp

Filesize
64KB

Download
memory/2372-276-0x0000014267600000-0x0000014267640000-memory.dmp

Filesize
256KB

Download
memory/2372-274-0x00000141D5440000-0x00000141D5460000-memory.dmp

Filesize
128KB

Download
memory/2372-277-0x00000141D54A0000-0x00000141D54C0000-memory.dmp

Filesize
128KB

Download
memory/2372-278-0x00000141D54A0000-0x00000141D54C0000-memory.dmp

Filesize
128KB

Download
memory/4500-221-0x0000000070050000-0x000000007009C000-memory.dmp

Filesize
304KB

Download
memory/4500-232-0x000000007F000000-0x000000007F010000-memory.dmp

Filesize
64KB

Download
memory/4500-219-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4500-218-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/5028-266-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/5028-262-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/5028-260-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download