xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Analysis

max time kernel
1529s
max time network
1529s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral2/memory/2472-32-0x0000000000870000-0x0000000000C12000-memory.dmp	family_zgrat_v1
behavioral2/memory/2812-136-0x0000000000C40000-0x0000000000FE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1912-217-0x0000000000010000-0x00000000003B2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1552-224-0x0000000001080000-0x0000000001422000-memory.dmp	family_zgrat_v1
behavioral2/memory/1936-233-0x0000000000880000-0x0000000000C22000-memory.dmp	family_zgrat_v1
behavioral2/memory/2108-234-0x0000000000DD0000-0x0000000001172000-memory.dmp	family_zgrat_v1
behavioral2/memory/704-237-0x0000000000140000-0x00000000004E2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1628-244-0x0000000000EC0000-0x0000000001262000-memory.dmp	family_zgrat_v1
behavioral2/memory/1236-255-0x0000000000ED0000-0x0000000001272000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\taskhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\taskhost.exe\", \"C:\\blockcontainerWincrtdll\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\taskhost.exe\", \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\Admin\\NetHood\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\taskhost.exe\", \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\Admin\\NetHood\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\taskhost.exe\", \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\Admin\\NetHood\\csrss.exe\", \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1572	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 30 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2716-189-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-192-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-191-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-195-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-193-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-194-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-188-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-196-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-197-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-219-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-218-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-220-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-226-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-227-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-225-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-228-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-241-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-240-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-239-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-247-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-249-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-250-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-257-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-258-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-256-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2716-263-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1712 powershell.exe
2500 powershell.exe
1780 powershell.exe
2192 powershell.exe
1004 powershell.exe
1168 powershell.exe
1312 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1712	powershell.exe
2500	powershell.exe
1780	powershell.exe
2192	powershell.exe
1004	powershell.exe
1168	powershell.exe
1312	powershell.exe

Executes dropped EXE 17 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exetaskhost.exelhhsgwktkatl.exeexplorer.execsrss.exeexplorer.execmd.exelsm.exetaskhost.exeexplorer.execsrss.exeexplorer.execmd.exelsm.exe

pid	process
2516	Checker.exe
2680	Utility.exe
2472	Sessionperf.exe
2812	taskhost.exe
476
616	lhhsgwktkatl.exe
1912	explorer.exe
1552	csrss.exe
1936	explorer.exe
2108	cmd.exe
704	lsm.exe
2472	taskhost.exe
1628	explorer.exe
2036	csrss.exe
1588	explorer.exe
2604	cmd.exe
1236	lsm.exe

Loads dropped DLL 5 IoCs

Processes:

Loader.execmd.exe

pid process

2276 Loader.exe
2276 Loader.exe
2412 cmd.exe
2412 cmd.exe
476
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2276	Loader.exe
2276	Loader.exe
2412	cmd.exe
2412	cmd.exe
476

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2716-183-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-189-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-192-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-187-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-191-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-195-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-186-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-184-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-194-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-188-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-185-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-196-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-197-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-219-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-218-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-220-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-226-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-227-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-225-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-228-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-241-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-240-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-257-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2716-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\blockcontainerWincrtdll\\taskhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\blockcontainerWincrtdll\\taskhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\explorer.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\blockcontainerWincrtdll\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\blockcontainerWincrtdll\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\NetHood\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\NetHood\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Vss\\Writers\\lsm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Vss\\Writers\\lsm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\explorer.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

Utility.exepowershell.exelhhsgwktkatl.execsc.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File created	\??\c:\Windows\System32\CSC7D4F87BE36D045FCA49AECCAC03A3AE3.TMP	csc.exe
File created	\??\c:\Windows\System32\ickr0a.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 616 set thread context of 2112	616	lhhsgwktkatl.exe	conhost.exe
PID 616 set thread context of 2716	616	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Program Files\Windows NT\explorer.exe	Sessionperf.exe
File created	C:\Program Files\Windows NT\7a0fd90576e088	Sessionperf.exe

Drops file in Windows directory 4 IoCs

Processes:

Sessionperf.exewusa.exewusa.exe

description	ioc	process
File created	C:\Windows\Vss\Writers\101b941d020240	Sessionperf.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Vss\Writers\lsm.exe	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1624 sc.exe
1248 sc.exe
2336 sc.exe
2044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1624	sc.exe
1248	sc.exe
2336	sc.exe
2044	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2504	schtasks.exe
2236	schtasks.exe
984	schtasks.exe
1236	schtasks.exe
1584	schtasks.exe
540	schtasks.exe
840	schtasks.exe
1580	schtasks.exe
2828	schtasks.exe
2728	schtasks.exe
1952	schtasks.exe
1844	schtasks.exe
672	schtasks.exe
704	schtasks.exe
1780	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6031071ff3a5da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2440 reg.exe

pid	process
2440	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe
2472	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhost.exe

pid process

2812 taskhost.exe

pid	process
2812	taskhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exeexplorer.execsrss.execmd.exelsm.exeexplorer.exetaskhost.exeexplorer.execsrss.execmd.exelsm.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2276	Loader.exe
Token: SeDebugPrivilege	2472	Sessionperf.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2812	taskhost.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeShutdownPrivilege	2384	powercfg.exe
Token: SeShutdownPrivilege	1372	powercfg.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeShutdownPrivilege	1272	powercfg.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeShutdownPrivilege	1628	powercfg.exe
Token: SeShutdownPrivilege	1108	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2736	powercfg.exe
Token: SeLockMemoryPrivilege	2716	conhost.exe
Token: SeDebugPrivilege	1912	explorer.exe
Token: SeDebugPrivilege	1552	csrss.exe
Token: SeDebugPrivilege	2108	cmd.exe
Token: SeDebugPrivilege	704	lsm.exe
Token: SeDebugPrivilege	1936	explorer.exe
Token: SeDebugPrivilege	2472	taskhost.exe
Token: SeDebugPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	2036	csrss.exe
Token: SeDebugPrivilege	2604	cmd.exe
Token: SeDebugPrivilege	1236	lsm.exe
Token: SeDebugPrivilege	1588	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taskhost.exe

pid process

2812 taskhost.exe

pid	process
2812	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.exe

description	pid	process	target process
PID 2276 wrote to memory of 2516	2276	Loader.exe	Checker.exe
PID 2276 wrote to memory of 2516	2276	Loader.exe	Checker.exe
PID 2276 wrote to memory of 2516	2276	Loader.exe	Checker.exe
PID 2276 wrote to memory of 2516	2276	Loader.exe	Checker.exe
PID 2516 wrote to memory of 2532	2516	Checker.exe	WScript.exe
PID 2516 wrote to memory of 2532	2516	Checker.exe	WScript.exe
PID 2516 wrote to memory of 2532	2516	Checker.exe	WScript.exe
PID 2516 wrote to memory of 2532	2516	Checker.exe	WScript.exe
PID 2276 wrote to memory of 2680	2276	Loader.exe	Utility.exe
PID 2276 wrote to memory of 2680	2276	Loader.exe	Utility.exe
PID 2276 wrote to memory of 2680	2276	Loader.exe	Utility.exe
PID 2532 wrote to memory of 2412	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2412	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2412	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2412	2532	WScript.exe	cmd.exe
PID 2412 wrote to memory of 2440	2412	cmd.exe	reg.exe
PID 2412 wrote to memory of 2440	2412	cmd.exe	reg.exe
PID 2412 wrote to memory of 2440	2412	cmd.exe	reg.exe
PID 2412 wrote to memory of 2440	2412	cmd.exe	reg.exe
PID 2412 wrote to memory of 2472	2412	cmd.exe	Sessionperf.exe
PID 2412 wrote to memory of 2472	2412	cmd.exe	Sessionperf.exe
PID 2412 wrote to memory of 2472	2412	cmd.exe	Sessionperf.exe
PID 2412 wrote to memory of 2472	2412	cmd.exe	Sessionperf.exe
PID 2472 wrote to memory of 2040	2472	Sessionperf.exe	csc.exe
PID 2472 wrote to memory of 2040	2472	Sessionperf.exe	csc.exe
PID 2472 wrote to memory of 2040	2472	Sessionperf.exe	csc.exe
PID 2040 wrote to memory of 2808	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 2808	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 2808	2040	csc.exe	cvtres.exe
PID 2472 wrote to memory of 1712	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1712	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1712	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 2192	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 2192	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 2192	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1312	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1312	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1312	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1168	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1168	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1168	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1004	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1004	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 1004	2472	Sessionperf.exe	powershell.exe
PID 2472 wrote to memory of 2972	2472	Sessionperf.exe	cmd.exe
PID 2472 wrote to memory of 2972	2472	Sessionperf.exe	cmd.exe
PID 2472 wrote to memory of 2972	2472	Sessionperf.exe	cmd.exe
PID 2972 wrote to memory of 2764	2972	cmd.exe	chcp.com
PID 2972 wrote to memory of 2764	2972	cmd.exe	chcp.com
PID 2972 wrote to memory of 2764	2972	cmd.exe	chcp.com
PID 2972 wrote to memory of 2872	2972	cmd.exe	w32tm.exe
PID 2972 wrote to memory of 2872	2972	cmd.exe	w32tm.exe
PID 2972 wrote to memory of 2872	2972	cmd.exe	w32tm.exe
PID 2972 wrote to memory of 2812	2972	cmd.exe	taskhost.exe
PID 2972 wrote to memory of 2812	2972	cmd.exe	taskhost.exe
PID 2972 wrote to memory of 2812	2972	cmd.exe	taskhost.exe
PID 1196 wrote to memory of 2320	1196	cmd.exe	wusa.exe
PID 1196 wrote to memory of 2320	1196	cmd.exe	wusa.exe
PID 1196 wrote to memory of 2320	1196	cmd.exe	wusa.exe
PID 616 wrote to memory of 2112	616	lhhsgwktkatl.exe	conhost.exe
PID 616 wrote to memory of 2112	616	lhhsgwktkatl.exe	conhost.exe
PID 616 wrote to memory of 2112	616	lhhsgwktkatl.exe	conhost.exe
PID 616 wrote to memory of 2112	616	lhhsgwktkatl.exe	conhost.exe
PID 616 wrote to memory of 2112	616	lhhsgwktkatl.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2440
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3wy4lpq\o3wy4lpq.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES318C.tmp" "c:\Windows\System32\CSC7D4F87BE36D045FCA49AECCAC03A3AE3.TMP"
        7⤵
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\lsm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RSXHOZASOb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2872
        
        C:\blockcontainerWincrtdll\taskhost.exe
        
        "C:\blockcontainerWincrtdll\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2812
- C:\Users\Admin\AppData\Local\Temp\Utility.exe
  "C:\Users\Admin\AppData\Local\Temp\Utility.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2680
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2320
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "QHRAJGDI"
    3⤵
    - Launches sc.exe
    PID:1248
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1624
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "QHRAJGDI"
    3⤵
    - Launches sc.exe
    PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\blockcontainerWincrtdll\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\blockcontainerWincrtdll\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\blockcontainerWincrtdll\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\blockcontainerWincrtdll\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2848
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2960
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2112
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

C:\Windows\system32\taskeng.exe
taskeng.exe {2EF48E00-A143-4546-AC22-C70432645068} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:800
- C:\Program Files\Windows NT\explorer.exe
  "C:\Program Files\Windows NT\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Users\Admin\NetHood\csrss.exe
  C:\Users\Admin\NetHood\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Program Files\Windows NT\explorer.exe
  "C:\Program Files\Windows NT\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\Vss\Writers\lsm.exe
  C:\Windows\Vss\Writers\lsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\blockcontainerWincrtdll\cmd.exe
  C:\blockcontainerWincrtdll\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\blockcontainerWincrtdll\taskhost.exe
  C:\blockcontainerWincrtdll\taskhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Program Files\Windows NT\explorer.exe
  "C:\Program Files\Windows NT\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Users\Admin\NetHood\csrss.exe
  C:\Users\Admin\NetHood\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Program Files\Windows NT\explorer.exe
  "C:\Program Files\Windows NT\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\Vss\Writers\lsm.exe
  C:\Windows\Vss\Writers\lsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\blockcontainerWincrtdll\cmd.exe
  C:\blockcontainerWincrtdll\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES318C.tmp

Filesize
1KB

MD5
0cbdd3ccf6a48cdbd9e04732e97281eb

SHA1
0d0780d463ffadf515dcc634a6db4f68097074e9

SHA256
402bc06828c0ab882f2b6970238ae2c5ee062b9da68c0d67dedff4ba085c8474

SHA512
aa3153bc55a2bfa57660c1ef7a9db24304a887136a0de4078ab5ba281f98471cb02845028ca14e254dfcc24e3beb72900496b91575a11a1ec872c64352d51634

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSXHOZASOb.bat

Filesize
215B

MD5
b5058efacf7b0337c672685c684b5094

SHA1
5e4177fc72cec9ee9a7559a3f723426f738b3578

SHA256
278e730755edd00a8c467774c19cf1357b99cbe8d085b756d77058f7e959c3f2

SHA512
d7642996637903d33be013ea72d16b44b42085b85576a38d80a5a4c86d54d968372ae92479d3a9f6f12ddb0521411846e9875274d6f7ec7c2c1d4711d6d3f572

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5bbeeca3e87d638f8dc0ef0f1a9a54d5

SHA1
78ddd5c2ba4afed6268ebaaff45b0d15300b6a9e

SHA256
c255870fef12860bd11cc45c5944c74630c84fb43a6de421edcf358c3009239e

SHA512
855d37b5d5f0df964cf71e881539ca5701f45ec25d6fbd1bca38cc124dcc5c3e17233c7288a0459b1492eb4ff0274eb52d72386775a00e1bc74ba4569cdc396d

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3wy4lpq\o3wy4lpq.0.cs

Filesize
371B

MD5
57bff8e34689a7ee342545955a4abcf5

SHA1
4dd0949c57c70f32c01dde698229592c5891a2c3

SHA256
6c3401d2fb01fa285099173c6a93beb7e4068d080e9674e5d299bfe9d31852d2

SHA512
3b182f824f29a07b5c84d7a448a854f9434c74a590634e76819df43ab1d583428b7776d574d228c8c2ecc9adb819c8d9ac78ac176eebb89e77bf6b98c83c597d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3wy4lpq\o3wy4lpq.cmdline

Filesize
235B

MD5
fd3e2a8d8127d92a98ea2d40fd2a677e

SHA1
9972c7aba4a3f85d9ec6f653b76cdc0b1853eece

SHA256
06a2240465420ddead4d79178d8d7a1d7583f55aa6f37f6a389bc1d55f1ef83c

SHA512
8e4546d9105e1d5f1d8a2e128d87b0f83ce0b66ee4879a1756ab84fbdf3077da01ec827dd6cb67333c9162b531f3796c968f4779d496344721c6110fc1a6a0dd

Download Submit
\??\c:\Windows\System32\CSC7D4F87BE36D045FCA49AECCAC03A3AE3.TMP

Filesize
1KB

MD5
3ffa0b85adc175bc535d5b61b093b6a5

SHA1
7fa7715f9f18aa1d9edc45935ca867602fa37894

SHA256
f05ea17245f2e54aa3b2a0a8ede3f86af5fb4e4f0cf0a6aa69c4e95103304d46

SHA512
d1034200ad1232d7e36d3d867e701357c9eb8e8ad063743deceb563b24eb099e6ea660e38099cf161c12c97fe11cf6b044a31846949d63d4a121f1692c9e6fde

Download Submit
\Users\Admin\AppData\Local\Temp\Utility.exe

Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
memory/704-237-0x0000000000140000-0x00000000004E2000-memory.dmp

Filesize
3.6MB

Download
memory/1236-255-0x0000000000ED0000-0x0000000001272000-memory.dmp

Filesize
3.6MB

Download
memory/1312-132-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1552-224-0x0000000001080000-0x0000000001422000-memory.dmp

Filesize
3.6MB

Download
memory/1628-244-0x0000000000EC0000-0x0000000001262000-memory.dmp

Filesize
3.6MB

Download
memory/1780-173-0x0000000019DC0000-0x000000001A0A2000-memory.dmp

Filesize
2.9MB

Download
memory/1912-217-0x0000000000010000-0x00000000003B2000-memory.dmp

Filesize
3.6MB

Download
memory/1936-233-0x0000000000880000-0x0000000000C22000-memory.dmp

Filesize
3.6MB

Download
memory/2108-234-0x0000000000DD0000-0x0000000001172000-memory.dmp

Filesize
3.6MB

Download
memory/2112-174-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2112-175-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2112-176-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2112-177-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2112-180-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2112-178-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2192-123-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2276-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

Filesize
4KB

Download
memory/2276-26-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-3-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-2-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-1-0x0000000000B10000-0x0000000000B6E000-memory.dmp

Filesize
376KB

Download
memory/2472-60-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/2472-50-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2472-78-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2472-76-0x0000000002340000-0x0000000002358000-memory.dmp

Filesize
96KB

Download
memory/2472-74-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2472-72-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2472-70-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2472-68-0x00000000026B0000-0x000000000270A000-memory.dmp

Filesize
360KB

Download
memory/2472-66-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2472-64-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2472-32-0x0000000000870000-0x0000000000C12000-memory.dmp

Filesize
3.6MB

Download
memory/2472-34-0x00000000002B0000-0x00000000002D6000-memory.dmp

Filesize
152KB

Download
memory/2472-36-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2472-62-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2472-58-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/2472-56-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2472-54-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2472-38-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/2472-40-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2472-42-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/2472-44-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2472-46-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2472-48-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2472-80-0x000000001AF80000-0x000000001AFCE000-memory.dmp

Filesize
312KB

Download
memory/2472-52-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2500-167-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2500-166-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2716-228-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-185-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-190-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2716-195-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-191-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-196-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-197-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-187-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-219-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-218-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-220-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-192-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-226-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-227-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-225-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-186-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-189-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-188-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-241-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-240-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-184-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-257-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2716-183-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2812-136-0x0000000000C40000-0x0000000000FE2000-memory.dmp

Filesize
3.6MB

Download