7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff

Analysis

max time kernel
300s
max time network
174s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe
Size

2.5MB
MD5

45cf615d933419ef9d00f8d97a1398b3
SHA1

192b29caf7441cf066218a851369bb7ce05098ca
SHA256

7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff
SHA512

28544eaed74b56a3863fad0b4f0e127efd8ce0ccabd362dfc50f3108425713a1ff8434ea71e8f4fdbcfca9acdca4982a83ebf3439e7760d0c477c9e93b68ae16
SSDEEP

24576:woTeEqAgbv+zwJEYLQjggOYNYNk6qM4BMYNT6wdwScagc9Irkz6U+1gLkAAl3RuW:DiXLvXJrUjgaBRvIYz6U+1godl3

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
98820	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
98416	AppLaunch.exe
98416	AppLaunch.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	AppLaunch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 98820 set thread context of 97908	98820	dllhost.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
98408	schtasks.exe
98396	schtasks.exe
98532	schtasks.exe
98084	schtasks.exe
98276	schtasks.exe
98248	schtasks.exe
98380	schtasks.exe
98576	schtasks.exe
98092	schtasks.exe
98156	schtasks.exe
98196	schtasks.exe
98464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
98528	powershell.exe
98592	powershell.exe
98680	powershell.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe
97908	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	98528	powershell.exe
Token: SeDebugPrivilege	98592	powershell.exe
Token: SeDebugPrivilege	98416	AppLaunch.exe
Token: SeDebugPrivilege	98680	powershell.exe
Token: SeDebugPrivilege	97908	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 1380 wrote to memory of 98416	1380	7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe	28
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98416 wrote to memory of 98484	98416	AppLaunch.exe	29
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98512	98484	cmd.exe	31
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98528	98484	cmd.exe	32
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98592	98484	cmd.exe	33
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98484 wrote to memory of 98680	98484	cmd.exe	34
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98416 wrote to memory of 98820	98416	AppLaunch.exe	35
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 98820 wrote to memory of 97908	98820	dllhost.exe	37
PID 97908 wrote to memory of 97972	97908	AppLaunch.exe	38
PID 97908 wrote to memory of 97972	97908	AppLaunch.exe	38
PID 97908 wrote to memory of 97972	97908	AppLaunch.exe	38
PID 97908 wrote to memory of 97972	97908	AppLaunch.exe	38

C:\Users\Admin\AppData\Local\Temp\7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe
"C:\Users\Admin\AppData\Local\Temp\7ae22ee20d89916729b0bbeb070ef32a7224657c446cc0db4165b36b261d12ff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:98416
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:98484
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:98512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98680
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:98820
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:97908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:97972
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:97984
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98008
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98032
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98056
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98248
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98112
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98276
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98144
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98188
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4066" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98292
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4066" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2728" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98260
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2728" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3021" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:98332
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3021" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7453" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1380
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7453" /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:98532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
        5⤵
        
        PID:98848
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
        5⤵
        
        PID:98876
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:98904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
        5⤵
        
        PID:98940
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:98968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
        5⤵
        
        PID:99076
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:99104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
        5⤵
        
        PID:99144
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:99172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
2.5MB

MD5
4876f266b3d91871a99223729dc7852d

SHA1
3bf2783c79c163c56ff7fb0424f9e74d1d4d2253

SHA256
fb2fc7c9aee8de196d0669dd0b5685bc383b3f0fa245a55ad3b001cdcf55daa9

SHA512
4435f58e00a64e123bcab3e23b5888104fcb3210837e19ffa19ae433b07fe48b64500d84f30f4e3e00b940c1717de876d30c8f94ae31e361f9a56c87e7f21768

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
2.5MB

MD5
4876f266b3d91871a99223729dc7852d

SHA1
3bf2783c79c163c56ff7fb0424f9e74d1d4d2253

SHA256
fb2fc7c9aee8de196d0669dd0b5685bc383b3f0fa245a55ad3b001cdcf55daa9

SHA512
4435f58e00a64e123bcab3e23b5888104fcb3210837e19ffa19ae433b07fe48b64500d84f30f4e3e00b940c1717de876d30c8f94ae31e361f9a56c87e7f21768

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
465B

MD5
e1d81ab02877f72bbc2a634eca6aaf3e

SHA1
e0f3ad3e144d256c680dc021742f2c38ab7235d1

SHA256
32b13f694dd937b21757ee94f56222dfe9adaace8cc991ff95a110b5c3eaf0fa

SHA512
cb6c7fcda8cab946e0581da59580af902ce1bd95ac6ba5132f713e30d483d51a7315d993c2a2aa6a94ef502c329c38d38e92e45df522bc62d5a09885816f750c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e790705348ae7412183d4756cb511a24

SHA1
71f7118bdb3b64218640f99d39246b85b692f887

SHA256
084456ca70effa007d5eba3458924658bb1b77e04f7c2a6696ad4d22c893061d

SHA512
cb0ab858fda4aebeb8727e3e201c07b10b4f4e1352c573a2738985108b0f78cb964a362ba845d153eca00e5837fa0688d2cd00c06e715d3bfd14d358066b8ec2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6e77c61f18961cbea40b414f7a6e714d

SHA1
86a1ce66661fc51ed7173cc4529f18c676224797

SHA256
10864a2b1eba21ea3a14850f49f374a075db3762cecaa3eaf61ea24003e420a9

SHA512
2c1e8565cc0cd7e50588120e3489aaa74a13425bec5f2466d37ca632fdf95616632a0977ddccb57bce38c064710ca8abd7f8263e93503a5fcaf7d22b7a753150

Download Submit
\ProgramData\Dllhost\dllhost.exe

Filesize
2.5MB

MD5
4876f266b3d91871a99223729dc7852d

SHA1
3bf2783c79c163c56ff7fb0424f9e74d1d4d2253

SHA256
fb2fc7c9aee8de196d0669dd0b5685bc383b3f0fa245a55ad3b001cdcf55daa9

SHA512
4435f58e00a64e123bcab3e23b5888104fcb3210837e19ffa19ae433b07fe48b64500d84f30f4e3e00b940c1717de876d30c8f94ae31e361f9a56c87e7f21768

Download Submit
\ProgramData\Dllhost\dllhost.exe

Filesize
2.5MB

MD5
4876f266b3d91871a99223729dc7852d

SHA1
3bf2783c79c163c56ff7fb0424f9e74d1d4d2253

SHA256
fb2fc7c9aee8de196d0669dd0b5685bc383b3f0fa245a55ad3b001cdcf55daa9

SHA512
4435f58e00a64e123bcab3e23b5888104fcb3210837e19ffa19ae433b07fe48b64500d84f30f4e3e00b940c1717de876d30c8f94ae31e361f9a56c87e7f21768

Download Submit
memory/97908-91-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/97908-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/97908-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/97908-98-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/98416-63-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/98416-64-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/98416-56-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/98416-54-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/98416-62-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/98528-71-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/98528-72-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/98592-76-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/98592-77-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/98680-82-0x000000006F050000-0x000000006F5FB000-memory.dmp

Filesize
5.7MB

Download
memory/98680-83-0x000000006F050000-0x000000006F5FB000-memory.dmp

Filesize
5.7MB

Download