Analysis
  max time kernel: 1798s
  max time network: 1798s
  platform: windows11-21h2_x64
  resource: win11-20240426-en
  resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 14-05-2024 11:35
Static task: static1
Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win7-20240221-en
Behavioral task: behavioral3
  Sample: Loader.exe
  Resource: win10v2004-20240426-en
General
  Target: Loader.exe
  Size: 353KB
  MD5: da4a981460566d93b7c25f1527c5d321
  SHA1: ad0dc4e6192057d2f80b080741cdfea83c399a0b
  SHA256: fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
  SHA512: 06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
  SSDEEP: 6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO
Malware Config
Signatures
Detect ZGRat V1 (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Checker.exe | family_zgrat_v1
  C:\blockcontainerWincrtdll\Sessionperf.exe | family_zgrat_v1
  behavioral4/memory/3892-36-0x00000000001C0000-0x0000000000562000-memory.dmp | family_zgrat_v1
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
  Processes: Sessionperf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Default User\\Idle.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\sppsvc.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\"" | Sessionperf.exe
Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (15 instances)
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4496 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3652 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3764 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5056 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 416 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 904 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4720 | 3608 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4724 | 3608 | schtasks.exe |
XMRig Miner payload (9 IoCs)
  Processes:
  resource | yara_rule
  behavioral4/memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
  behavioral4/memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes: powershell.exe (7 instances)
  pid | process
  4228 | powershell.exe
  4068 | powershell.exe
  4084 | powershell.exe
  4048 | powershell.exe
  1368 | powershell.exe
  2040 | powershell.exe
  4380 | powershell.exe
Creates new service(s) (2 TTPs)
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE (20 IoCs)
  Processes: Checker.exe, Utility.exe, Sessionperf.exe, SearchHost.exe, lhhsgwktkatl.exe, fontdrvhost.exe, sppsvc.exe, dwm.exe, Idle.exe
  pid | process
  3552 | Checker.exe
  3452 | Utility.exe
  3892 | Sessionperf.exe
  2812 | SearchHost.exe
  1092 | lhhsgwktkatl.exe
  1720 | fontdrvhost.exe
  2804 | sppsvc.exe
  2348 | dwm.exe
  3152 | Idle.exe
  568 | fontdrvhost.exe
  4896 | SearchHost.exe
  1012 | sppsvc.exe
  3264 | dwm.exe
  3096 | fontdrvhost.exe
  2456 | sppsvc.exe
  4520 | dwm.exe
  948 | Idle.exe
  4760 | fontdrvhost.exe
  1064 | SearchHost.exe
  3852 | sppsvc.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

  Processes:
  resource | yara_rule
  behavioral4/memory/1548-252-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-251-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-250-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-254-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-253-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp | upx
  behavioral4/memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 10 IoCs)
  Processes: Sessionperf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\blockcontainerWincrtdll\\sppsvc.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\blockcontainerWincrtdll\\sppsvc.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Google\\Chrome\\Application\\fontdrvhost.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" | Sessionperf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\"" | Sessionperf.exe
Drops file in System32 directory (6 IoCs)
  Processes: csc.exe, Utility.exe, powershell.exe, lhhsgwktkatl.exe
  description | ioc | process
  File created | \??\c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP | csc.exe
  File created | \??\c:\Windows\System32\rcy5hw.exe | csc.exe
  File opened for modification | C:\Windows\system32\MRT.exe | Utility.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\MRT.exe | lhhsgwktkatl.exe
Suspicious use of SetThreadContext (2 IoCs)
  Processes: lhhsgwktkatl.exe
  description | pid | process | target process
  PID 1092 set thread context of 3092 | 1092 | lhhsgwktkatl.exe | conhost.exe
  PID 1092 set thread context of 1548 | 1092 | lhhsgwktkatl.exe | conhost.exe
Drops file in Program Files directory (2 IoCs)
  Processes: Sessionperf.exe
  description | ioc | process
  File created | C:\Program Files\Google\Chrome\Application\fontdrvhost.exe | Sessionperf.exe
  File created | C:\Program Files\Google\Chrome\Application\5b884080fd4f94 | Sessionperf.exe
Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (4 instances)
  pid | process
  1904 | sc.exe
  4620 | sc.exe
  4728 | sc.exe
  692 | sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (15 instances)
  pid | process
  2848 | schtasks.exe
  1900 | schtasks.exe
  5056 | schtasks.exe
  1812 | schtasks.exe
  904 | schtasks.exe
  4808 | schtasks.exe
  2276 | schtasks.exe
  3652 | schtasks.exe
  4724 | schtasks.exe
  3764 | schtasks.exe
  1104 | schtasks.exe
  8 | schtasks.exe
  4720 | schtasks.exe
  4496 | schtasks.exe
  416 | schtasks.exe
Modifies data under HKEY_USERS (46 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Modifies registry class (2 IoCs)
  Processes: Checker.exe, Sessionperf.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | Checker.exe
  Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | Sessionperf.exe
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Sessionperf.exe
  pid | process
  3892 | Sessionperf.exe (the same entry repeated 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: SearchHost.exe
  pid | process
  2812 | SearchHost.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: Loader.exe, Sessionperf.exe, powershell.exe, SearchHost.exe, powercfg.exe, conhost.exe, fontdrvhost.exe, sppsvc.exe, dwm.exe, Idle.exe
  description | pid | process
  Token: SeDebugPrivilege | 5004 | Loader.exe
  Token: SeDebugPrivilege | 3892 | Sessionperf.exe
  Token: SeDebugPrivilege | 4380 | powershell.exe
  Token: SeDebugPrivilege | 4084 | powershell.exe
  Token: SeDebugPrivilege | 4228 | powershell.exe
  Token: SeDebugPrivilege | 4048 | powershell.exe
  Token: SeDebugPrivilege | 4068 | powershell.exe
  Token: SeDebugPrivilege | 2812 | SearchHost.exe
  Token: SeDebugPrivilege | 1368 | powershell.exe
  Token: SeShutdownPrivilege | 596 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 596 | powercfg.exe
  Token: SeShutdownPrivilege | 1812 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1812 | powercfg.exe
  Token: SeShutdownPrivilege | 3564 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3564 | powercfg.exe
  Token: SeShutdownPrivilege | 4224 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4224 | powercfg.exe
  Token: SeDebugPrivilege | 2040 | powershell.exe
  Token: SeShutdownPrivilege | 2756 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2756 | powercfg.exe
  Token: SeLockMemoryPrivilege | 1548 | conhost.exe
  Token: SeShutdownPrivilege | 4412 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4412 | powercfg.exe
  Token: SeShutdownPrivilege | 396 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 396 | powercfg.exe
  Token: SeShutdownPrivilege | 4992 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4992 | powercfg.exe
  Token: SeDebugPrivilege | 1720 | fontdrvhost.exe
  Token: SeDebugPrivilege | 2804 | sppsvc.exe
  Token: SeDebugPrivilege | 2348 | dwm.exe
  Token: SeDebugPrivilege | 3152 | Idle.exe
  Token: SeDebugPrivilege | 568 | fontdrvhost.exe
  Token: SeDebugPrivilege | 4896 | SearchHost.exe
  Token: SeDebugPrivilege | 1012 | sppsvc.exe
  Token: SeDebugPrivilege | 3264 | dwm.exe
  Token: SeDebugPrivilege | 3096 | fontdrvhost.exe
  Token: SeDebugPrivilege | 2456 | sppsvc.exe
  Token: SeDebugPrivilege | 4520 | dwm.exe
  Token: SeDebugPrivilege | 948 | Idle.exe
  Token: SeDebugPrivilege | 1064 | SearchHost.exe
  Token: SeDebugPrivilege | 4760 | fontdrvhost.exe
  Token: SeDebugPrivilege | 3852 | sppsvc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: SearchHost.exe
  pid | process
  2812 | SearchHost.exe
Suspicious use of WriteProcessMemory (56 IoCs)
  Processes: Loader.exe, Checker.exe, WScript.exe, cmd.exe, Sessionperf.exe, csc.exe, lhhsgwktkatl.exe
  description | pid | process | target process (identical consecutive entries collapsed, count in brackets)
  PID 5004 wrote to memory of 3552 | 5004 | Loader.exe | Checker.exe [x3]
  PID 3552 wrote to memory of 4076 | 3552 | Checker.exe | WScript.exe [x3]
  PID 5004 wrote to memory of 3452 | 5004 | Loader.exe | Utility.exe [x2]
  PID 4076 wrote to memory of 3140 | 4076 | WScript.exe | cmd.exe [x3]
  PID 3140 wrote to memory of 412 | 3140 | cmd.exe | reg.exe [x3]
  PID 3140 wrote to memory of 3892 | 3140 | cmd.exe | Sessionperf.exe [x2]
  PID 3892 wrote to memory of 2512 | 3892 | Sessionperf.exe | csc.exe [x2]
  PID 2512 wrote to memory of 3684 | 2512 | csc.exe | cvtres.exe [x2]
  PID 3892 wrote to memory of 4380 | 3892 | Sessionperf.exe | powershell.exe [x2]
  PID 3892 wrote to memory of 4228 | 3892 | Sessionperf.exe | powershell.exe [x2]
  PID 3892 wrote to memory of 4068 | 3892 | Sessionperf.exe | powershell.exe [x2]
  PID 3892 wrote to memory of 4084 | 3892 | Sessionperf.exe | powershell.exe [x2]
  PID 3892 wrote to memory of 4048 | 3892 | Sessionperf.exe | powershell.exe [x2]
  PID 3892 wrote to memory of 2196 | 3892 | Sessionperf.exe | cmd.exe [x2]
  PID 2196 wrote to memory of 4088 | 2196 | cmd.exe | chcp.com [x2]
  PID 2196 wrote to memory of 2208 | 2196 | cmd.exe | w32tm.exe [x2]
  PID 2196 wrote to memory of 2812 | 2196 | cmd.exe | SearchHost.exe [x2]
  PID 8 wrote to memory of 4692 | 8 | cmd.exe | wusa.exe [x2]
  PID 1092 wrote to memory of 3092 | 1092 | lhhsgwktkatl.exe | conhost.exe [x9]
  PID 1092 wrote to memory of 1548 | 1092 | lhhsgwktkatl.exe | conhost.exe [x5]
  PID 1716 wrote to memory of 4048 | 1716 | cmd.exe | wusa.exe [x2]
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Loader.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Checker.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
            cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key
        [5] C:\blockcontainerWincrtdll\Sessionperf.exe
            cmdline: "C:\blockcontainerWincrtdll/Sessionperf.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.cmdline"
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F18.tmp" "c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP"
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\sppsvc.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchHost.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NmFjvJVljH.bat"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\chcp.com
                cmdline: chcp 65001
            [7] C:\Windows\system32\w32tm.exe
                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            [7] C:\Recovery\WindowsRE\SearchHost.exe
                cmdline: "C:\Recovery\WindowsRE\SearchHost.exe"
                - Executes dropped EXE
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Local\Temp\Utility.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Utility.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\wusa.exe
          cmdline: wusa /uninstall /kb:890830 /quiet /norestart
    [3] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe delete "QHRAJGDI"
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmdline: C:\Windows\system32\sc.exe start "QHRAJGDI"
        - Launches sc.exe
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exeC:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\blockcontainerWincrtdll\sppsvc.exeC:\blockcontainerWincrtdll\sppsvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\dwm.exeC:\Recovery\WindowsRE\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\SearchHost.exeC:\Recovery\WindowsRE\SearchHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\blockcontainerWincrtdll\sppsvc.exeC:\blockcontainerWincrtdll\sppsvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\dwm.exeC:\Recovery\WindowsRE\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\blockcontainerWincrtdll\sppsvc.exeC:\blockcontainerWincrtdll\sppsvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\dwm.exeC:\Recovery\WindowsRE\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Default User\Idle.exe"C:\Users\Default User\Idle.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\SearchHost.exeC:\Recovery\WindowsRE\SearchHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\blockcontainerWincrtdll\sppsvc.exeC:\blockcontainerWincrtdll\sppsvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
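The process tree above is the whole setup sequence: a service whose binary sits under C:\ProgramData, the event log service stopped, five scheduled tasks (each once with ONLOGON and /rl HIGHEST, twice on a minute interval with /f overwriting the previous definition) pointing at copies of system-binary names in non-system folders, Defender exclusions for the whole profile and ProgramData, removal of KB890830 (the Malicious Software Removal Tool), and sleep/hibernate timeouts set to 0. The script below is an added example, not part of the sandbox report: it tokenises those command lines (a constructed subset copied from the tree) and maps them to ATT&CK v13 technique IDs. The mapping, the SYSTEM_BINARIES allow-list and the T1653 assignment for the powercfg calls are this editor's assumptions, not the sandbox's signatures; the matrix further down lists only the Execution and Persistence entries the sandbox matched, so the Defense Evasion and Masquerading findings here come from the command lines alone.

```python
"""Map the command lines from a sandbox process tree to ATT&CK techniques.

Added example, not the sandbox's code. SAMPLE_CMDLINES are copied from the
process tree above; technique IDs are ATT&CK v13 and the rules, the
SYSTEM_BINARIES allow-list and the T1653 mapping are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: a representative subset of the process tree's command lines.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\sc.exe delete "QHRAJGDI"',
    r'C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'C:\Windows\system32\sc.exe start "QHRAJGDI"',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f''',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart',
    r'C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0',
    r'C:\Windows\system32\conhost.exe',  # benign-looking line: should produce no finding
]

# Assumed allow-list: legitimate Windows binary names the dropped files imitate.
SYSTEM_BINARIES = {"sppsvc.exe", "dwm.exe", "fontdrvhost.exe", "searchhost.exe",
                   "conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
NON_SYSTEM_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\recovery\\")
WINSVC, SCHTASK = "Create or Modify System Process: Windows Service", "Scheduled Task/Job: Scheduled Task"
MASQ, TOOLS = "Masquerading: Match Legitimate Name or Location", "Impair Defenses: Disable or Modify Tools"


@dataclass
class Finding:
    technique: str  # ATT&CK technique ID
    name: str
    detail: str


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _value_after(tokens: List[str], flag: str) -> Optional[str]:
    """Value following a flag such as /tn or binpath= (case-insensitive), inner quotes stripped."""
    lower = [t.lower() for t in tokens]
    if flag in lower and lower.index(flag) + 1 < len(tokens):
        return tokens[lower.index(flag) + 1].strip("'")
    return None


def _basename(path: str) -> str:
    return path.strip("'").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _masquerades(path: str) -> bool:
    """A system-binary name living anywhere outside C:\\Windows."""
    p = path.strip("'").lower()
    return _basename(p) in SYSTEM_BINARIES and not p.startswith("c:\\windows\\")


def _non_system(path: str) -> bool:
    p = path.strip("'").lower()
    return p.startswith(NON_SYSTEM_PREFIXES) or "\\appdata\\" in p


def triage(cmdline: str) -> List[Finding]:
    """ATT&CK findings for one command line (empty list when nothing matched)."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    exe, low, out = _basename(toks[0]), [t.lower() for t in toks], []
    if exe == "sc.exe" and len(toks) > 2:
        if low[1] == "create":
            binpath = _value_after(toks, "binpath=") or "?"
            out.append(Finding("T1543.003", WINSVC, f"service {toks[2]!r} -> {binpath}"))
            if _non_system(binpath):
                out.append(Finding("T1543.003", WINSVC, f"service binary outside system directories: {binpath}"))
        elif low[1] == "stop" and low[2] == "eventlog":
            out.append(Finding("T1562.002", "Impair Defenses: Disable Windows Event Logging", "sc stop eventlog"))
        elif low[1] == "start":
            out.append(Finding("T1569.002", "System Services: Service Execution", f"sc start {toks[2]}"))
    if exe == "schtasks.exe" and "/create" in low:
        tn, tr = _value_after(toks, "/tn"), _value_after(toks, "/tr") or ""
        sched, mo, rl = _value_after(toks, "/sc"), _value_after(toks, "/mo"), _value_after(toks, "/rl")
        every = f" every {mo} min" if (sched or "").upper() == "MINUTE" and mo else ""
        out.append(Finding("T1053.005", SCHTASK, f"task {tn!r} runs {tr} on {sched}{every}"))
        if (rl or "").upper() == "HIGHEST":
            out.append(Finding("T1053.005", SCHTASK, f"task {tn!r} requests /rl HIGHEST"))
        if _masquerades(tr):
            out.append(Finding("T1036.005", MASQ, f"{_basename(tr)} outside C:\\Windows: {tr}"))
    if exe == "powershell.exe":
        out.append(Finding("T1059.001", "Command and Scripting Interpreter: PowerShell", " ".join(toks[1:])[:80]))
        if "add-mppreference" in low and any(t.startswith("-exclusion") for t in low):
            out.append(Finding("T1562.001", TOOLS, "Defender exclusions added via Add-MpPreference"))
    if "/uninstall" in low and "/kb:890830" in low:  # KB890830 is the Malicious Software Removal Tool
        out.append(Finding("T1562.001", TOOLS, "removes KB890830 (Malicious Software Removal Tool)"))
    if exe == "powercfg.exe" and "/x" in low and "0" in low and any(t.endswith(("-timeout-ac", "-timeout-dc")) for t in low):
        out.append(Finding("T1653", "Power Settings", "sleep/hibernate timeout set to 0: " + " ".join(toks[1:])))
    if _masquerades(toks[0]):
        out.append(Finding("T1036.005", MASQ, f"{exe} executed from {toks[0]}"))
    return out


def techniques(cmdlines: List[str]) -> List[str]:
    """Sorted, de-duplicated technique IDs observed across a set of command lines."""
    return sorted({f.technique for c in cmdlines for f in triage(c)})


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        for f in triage(c):
            print(f"{f.technique:10} {f.name}: {f.detail}")
    print("observed:", ", ".join(techniques(SAMPLE_CMDLINES)))
```

The tokenizer honours double quotes only, which is enough for schtasks, sc and the PowerShell line here; the single quotes that schtasks wraps around /tr values are stripped when the value is read. The masquerading test fires on any SYSTEM_BINARIES name outside C:\Windows, which also catches the dropped sppsvc.exe, dwm.exe and fontdrvhost.exe when they are executed directly at the end of the tree, not only when a task points at them.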
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
- Scheduled Task/Job (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
Filesize: 847B
MD5: 2940b232afa412901f8ae5651c790f93
SHA1: f79bd5d1433c803515e2d9a016396344187beea2
SHA256: 16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43
SHA512: 553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 2e8eb51096d6f6781456fef7df731d97
SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: aa4f31835d07347297d35862c9045f4a
SHA1: 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256: 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512: ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: e3840d9bcedfe7017e49ee5d05bd1c46
SHA1: 272620fb2605bd196df471d62db4b2d280a363c6
SHA256: 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA512: 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376
-
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize: 3.9MB
MD5: 1003b37d9d942d41a38a83670eaa285c
SHA1: a4ee7ef69fc681caf1116d59578667abb9080ad6
SHA256: d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae
SHA512: 0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a
-
C:\Users\Admin\AppData\Local\Temp\NmFjvJVljH.bat
Filesize: 212B
MD5: 2beec5ad24e90dd22bc98da01fa2fe49
SHA1: 5e1a749730ab661b142d00191b52cd1e7293e89d
SHA256: 7007aab3519930a82178a42d867e34dc6fb0b1e7d60f5fdd14836d0c494ed618
SHA512: dba6e5e5cc3291b9abc9f1829ba4a07e3223e8938f5164d5e2af3782831c33fc30a8f07e33a63d641e4c89647d2bd986f1f2cc5335b280b2a35157316da8b28b
-
C:\Users\Admin\AppData\Local\Temp\RES5F18.tmp
Filesize: 1KB
MD5: b08cd188315056831f63924d52293357
SHA1: c4cad19d29f7290f69565f9f42e7eb2c1fc57b85
SHA256: 960511dc4e585da3cc2594224dea7a0c97c25af275eef13b2acb225c1ecf3f90
SHA512: ccb868f2a666c19a8fbc8a7098aec5185e51f475415dfad1ba78552cd8e194e00fa3fb61b6ca12264738b6fcca990fff84c5aaab54dcf7ab48555d8ae44c6cdb
-
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize: 5.0MB
MD5: b1ac2ea973651a70ea72597e13a10f0a
SHA1: 07e7cdedc54067a46b1d42cdf8a2c9050c3d3419
SHA256: e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47
SHA512: 02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fweqgnbz.tb4.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize: 228B
MD5: 4f702b152f4098393712e3fe99b04fbd
SHA1: fec2f913e1fac5053127e175f1ba048c9d8dd25c
SHA256: f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2
SHA512: 7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf
-
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize: 3.6MB
MD5: bf0f63bb48eb95aaec6fc6a001c974ce
SHA1: 19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136
SHA256: bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc
SHA512: 130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c
-
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize: 201B
MD5: 159297f9e35114bf97d74622097780d8
SHA1: 2aaaf993b9ecb9bae43ccd41585734512ff08355
SHA256: 650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81
SHA512: a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69
-
\??\c:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.0.cs
Filesize: 369B
MD5: aa143456ce0c100dbe52c6f26860bf6e
SHA1: a158af4607915edbe05c4ef2d4b8d889ee470bed
SHA256: ef2a71abf56daf6e1d5d25b7a731b217a161ecd415a82cdc2fcd2631aa75e01a
SHA512: c2c132d439bca422909d8e35cca66da2dbb8b9f4c9daf88837f7cf59dce9c19bbe08cbf5306862c77d7482a0ef1b753c271b802ff5ee0a46883817b518a0e4e6
-
\??\c:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.cmdline
Filesize: 235B
MD5: a80f938991ff2427734a3e9f1a3ffc5a
SHA1: de671400ece423518c7f6a463cbbb79b72dc28f6
SHA256: 40ed650d1bed8634e1f10783f273d9afcd04c488231d0be41e6b028e82e40df7
SHA512: 51fd52227936e2a9be8f5b25462889448644b74f508100b08f8cc34337213e0d24f0158978f3753ecdd0b491362db7541ddd8928a8b3be96b58f6d6ffe7e8d0f
-
\??\c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP
Filesize: 1KB
MD5: ea2f5a870429cbb69781d4e52b72ae9a
SHA1: db13a37a4edc79d97ffa246cf2772215a204bce9
SHA256: 341d3939c2cfbd6d7b4687d412fe896e3c2590523d03119616cb068a0c85cb45
SHA512: f9f4e0170e33f075bdbd7ea5cfabff0109ea04b63121a50fa6226e68c8955f0e6828d8c46d3c02341dd68adde2028998a9fd0d25db560f956fa37d8dc73e94c4
-
memory/1368-210-0x000001D12E3D0000-0x000001D12E51F000-memory.dmp  Filesize: 1.3MB
memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-257-0x0000015985C10000-0x0000015985C30000-memory.dmp  Filesize: 128KB
memory/1548-250-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-251-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-252-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-254-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-253-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp  Filesize: 8.3MB
memory/2040-231-0x00000198D4050000-0x00000198D4103000-memory.dmp  Filesize: 716KB
memory/2040-232-0x00000198D4020000-0x00000198D402A000-memory.dmp  Filesize: 40KB
memory/2040-230-0x00000198D4030000-0x00000198D404C000-memory.dmp  Filesize: 112KB
memory/2040-233-0x00000198D4230000-0x00000198D424C000-memory.dmp  Filesize: 112KB
memory/2040-234-0x00000198D4210000-0x00000198D421A000-memory.dmp  Filesize: 40KB
memory/2040-235-0x00000198D4270000-0x00000198D428A000-memory.dmp  Filesize: 104KB
memory/2040-236-0x00000198D4220000-0x00000198D4228000-memory.dmp  Filesize: 32KB
memory/2040-237-0x00000198D4250000-0x00000198D4256000-memory.dmp  Filesize: 24KB
memory/2040-238-0x00000198D4260000-0x00000198D426A000-memory.dmp  Filesize: 40KB
memory/2040-241-0x00000198D3B70000-0x00000198D3CBF000-memory.dmp  Filesize: 1.3MB
memory/2812-265-0x000000001CC10000-0x000000001CC7F000-memory.dmp  Filesize: 444KB
memory/2812-264-0x000000001CA70000-0x000000001CA79000-memory.dmp  Filesize: 36KB
memory/2812-263-0x000000001D3E0000-0x000000001D48F000-memory.dmp  Filesize: 700KB
memory/3092-244-0x0000000140000000-0x000000014000E000-memory.dmp  Filesize: 56KB
memory/3092-246-0x0000000140000000-0x000000014000E000-memory.dmp  Filesize: 56KB
memory/3092-249-0x0000000140000000-0x000000014000E000-memory.dmp  Filesize: 56KB
memory/3092-242-0x0000000140000000-0x000000014000E000-memory.dmp  Filesize: 56KB
memory/3092-243-0x0000000140000000-0x000000014000E000-memory.dmp  Filesize: 56KB
memory/3092-245-0x0000000140000000-0x000000014000E000-memory.dmp  Filesize: 56KB
memory/3892-51-0x0000000002720000-0x0000000002730000-memory.dmp  Filesize: 64KB
memory/3892-63-0x000000001BFE0000-0x000000001BFF6000-memory.dmp  Filesize: 88KB
memory/3892-86-0x000000001C360000-0x000000001C3AE000-memory.dmp  Filesize: 312KB
memory/3892-84-0x000000001C060000-0x000000001C06C000-memory.dmp  Filesize: 48KB
memory/3892-82-0x000000001C2F0000-0x000000001C308000-memory.dmp  Filesize: 96KB
memory/3892-80-0x000000001C050000-0x000000001C05E000-memory.dmp  Filesize: 56KB
memory/3892-78-0x000000001C040000-0x000000001C050000-memory.dmp  Filesize: 64KB
memory/3892-76-0x000000001C030000-0x000000001C03E000-memory.dmp  Filesize: 56KB
memory/3892-74-0x000000001C090000-0x000000001C0EA000-memory.dmp  Filesize: 360KB
memory/3892-72-0x000000001C020000-0x000000001C030000-memory.dmp  Filesize: 64KB
memory/3892-70-0x000000001BFB0000-0x000000001BFC0000-memory.dmp  Filesize: 64KB
memory/3892-68-0x000000001BFA0000-0x000000001BFAE000-memory.dmp  Filesize: 56KB
memory/3892-66-0x000000001C550000-0x000000001CA78000-memory.dmp  Filesize: 5.2MB
memory/3892-36-0x00000000001C0000-0x0000000000562000-memory.dmp  Filesize: 3.6MB
memory/3892-38-0x000000001B210000-0x000000001B236000-memory.dmp  Filesize: 152KB
memory/3892-40-0x0000000000E00000-0x0000000000E0E000-memory.dmp  Filesize: 56KB
memory/3892-42-0x000000001BEE0000-0x000000001BEFC000-memory.dmp  Filesize: 112KB
memory/3892-43-0x000000001BF50000-0x000000001BFA0000-memory.dmp  Filesize: 320KB
memory/3892-65-0x000000001C000000-0x000000001C012000-memory.dmp  Filesize: 72KB
memory/3892-45-0x0000000000E10000-0x0000000000E20000-memory.dmp  Filesize: 64KB
memory/3892-61-0x000000001BF40000-0x000000001BF50000-memory.dmp  Filesize: 64KB
memory/3892-59-0x000000001BF10000-0x000000001BF1C000-memory.dmp  Filesize: 48KB
memory/3892-57-0x000000001BFC0000-0x000000001BFD2000-memory.dmp  Filesize: 72KB
memory/3892-55-0x000000001BF00000-0x000000001BF0E000-memory.dmp  Filesize: 56KB
memory/3892-53-0x000000001B240000-0x000000001B24E000-memory.dmp  Filesize: 56KB
memory/3892-147-0x000000001CD80000-0x000000001CE2F000-memory.dmp  Filesize: 700KB
memory/3892-49-0x0000000000E20000-0x0000000000E30000-memory.dmp  Filesize: 64KB
memory/3892-47-0x000000001BF20000-0x000000001BF38000-memory.dmp  Filesize: 96KB
memory/4048-172-0x000001EFF3420000-0x000001EFF356F000-memory.dmp  Filesize: 1.3MB
memory/4068-169-0x0000022256C50000-0x0000022256D9F000-memory.dmp  Filesize: 1.3MB
memory/4084-163-0x000002876E290000-0x000002876E3DF000-memory.dmp  Filesize: 1.3MB
memory/4228-166-0x00000219F3930000-0x00000219F3A7F000-memory.dmp  Filesize: 1.3MB
memory/4380-162-0x000001A233090000-0x000001A2331DF000-memory.dmp  Filesize: 1.3MB
memory/4380-117-0x000001A21AE20000-0x000001A21AE42000-memory.dmp  Filesize: 136KB
memory/5004-0-0x00007FF815A93000-0x00007FF815A95000-memory.dmp  Filesize: 8KB
memory/5004-31-0x00007FF815A90000-0x00007FF816552000-memory.dmp  Filesize: 10.8MB
memory/5004-2-0x00007FF815A90000-0x00007FF816552000-memory.dmp  Filesize: 10.8MB
memory/5004-1-0x0000000000920000-0x000000000097E000-memory.dmp  Filesize: 376KB
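The memory-dump names above encode the PID, a snapshot sequence number and the dumped address range, and the same region is often dumped many times (PID 1548 has fifteen dumps of one 8.3MB region based at 0x140000000). The script below is an added example, not part of the sandbox report: it parses that naming convention, checks that each reported Filesize agrees with the address range, and collapses the list to distinct regions per PID. The entries are a constructed subset copied from the list; the naming pattern and the report's size rounding (whole KB, MB to one decimal) are assumptions read off the list itself.

```python
"""Parse sandbox memory-dump entries and summarise dumped regions per PID.

Added example, not the sandbox's code. Assumes the naming convention seen in
the report, memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, with the reported
Filesize beside each name; SAMPLE_ENTRIES is a constructed subset of that list.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("memory/1368-210-0x000001D12E3D0000-0x000001D12E51F000-memory.dmp", "1.3MB"),
    ("memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp", "8.3MB"),
    ("memory/1548-257-0x0000015985C10000-0x0000015985C30000-memory.dmp", "128KB"),
    ("memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp", "8.3MB"),
    ("memory/3092-244-0x0000000140000000-0x000000014000E000-memory.dmp", "56KB"),
    ("memory/3892-36-0x00000000001C0000-0x0000000000562000-memory.dmp", "3.6MB"),
    ("memory/5004-0-0x00007FF815A93000-0x00007FF815A95000-memory.dmp", "8KB"),
    ("memory/5004-1-0x0000000000920000-0x000000000097E000-memory.dmp", "376KB"),
]

_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Linker default preferred base for 64-bit PE executables; a region dumped exactly
# there is usually a module image loaded at its preferred address.
X64_DEFAULT_IMAGE_BASE = 0x140000000


def parse_entry(name: str) -> Dict[str, int]:
    """Decode pid, sequence number and address range from a dump name."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a memory-dump entry: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Render a byte count the way the report does (B, whole KB, MB to one decimal)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def size_mismatches(entries: List[Tuple[str, str]]) -> List[str]:
    """Names whose reported Filesize does not match their address range."""
    return [name for name, reported in entries
            if human_size(parse_entry(name)["size"]) != reported]


def summarize(entries: List[Tuple[str, str]]) -> Dict[int, Dict[str, int]]:
    """Per PID: number of dumps, number of distinct regions, and the largest region size."""
    regions, dumps = defaultdict(set), defaultdict(int)
    for name, _ in entries:
        e = parse_entry(name)
        regions[e["pid"]].add((e["start"], e["end"]))
        dumps[e["pid"]] += 1
    return {pid: {"dumps": dumps[pid], "regions": len(regions[pid]),
                  "largest": max(end - start for start, end in regions[pid])}
            for pid in regions}


def pids_with_default_image_base(entries: List[Tuple[str, str]]) -> List[int]:
    """PIDs that had a region dumped at the default x64 image base."""
    return sorted({parse_entry(n)["pid"] for n, _ in entries
                   if parse_entry(n)["start"] == X64_DEFAULT_IMAGE_BASE})


if __name__ == "__main__":
    for pid, s in sorted(summarize(SAMPLE_ENTRIES).items()):
        print(f"pid {pid}: {s['dumps']} dumps, {s['regions']} regions, largest {human_size(s['largest'])}")
    print("default image base seen in:", pids_with_default_image_base(SAMPLE_ENTRIES))
```

Collapsing to distinct regions is what makes the list readable: the eleven-plus dumps of 0x140000000-0x140848000 in PID 1548 are one region captured repeatedly, and the size check catches a transcription error in a copied IOC list before it is loaded into a case.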