xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Resubmissions

14-05-2024 11:56

240514-n323naef94 3

14-05-2024 11:35

240514-nqfc5adg51 10

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral3/memory/700-37-0x00000000000A0000-0x0000000000442000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Utility.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\blockcontainerWincrtdll\\Registry.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\blockcontainerWincrtdll\\lsass.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Utility.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Utility.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Utility.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\blockcontainerWincrtdll\\Registry.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Utility.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\blockcontainerWincrtdll\\Registry.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2980	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/836-249-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-251-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-253-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-254-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-286-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/836-287-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4612 powershell.exe
4480 powershell.exe
1900 powershell.exe
2124 powershell.exe
3224 powershell.exe
3336 powershell.exe
3256 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4612	powershell.exe
4480	powershell.exe
1900	powershell.exe
2124	powershell.exe
3224	powershell.exe
3336	powershell.exe
3256	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeChecker.exeWScript.exeSessionperf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Sessionperf.exe

Executes dropped EXE 5 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exeRegistry.exelhhsgwktkatl.exe

pid process

1784 Checker.exe
872 Utility.exe
700 Sessionperf.exe
2932 Registry.exe
4544 lhhsgwktkatl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1784	Checker.exe
872	Utility.exe
700	Sessionperf.exe
2932	Registry.exe
4544	lhhsgwktkatl.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/836-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-286-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/836-287-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Utility = "\"C:\\Windows\\AppReadiness\\Utility.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\blockcontainerWincrtdll\\Registry.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\blockcontainerWincrtdll\\lsass.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\blockcontainerWincrtdll\\lsass.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Utility = "\"C:\\Windows\\AppReadiness\\Utility.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\blockcontainerWincrtdll\\Registry.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exelhhsgwktkatl.execsc.exeUtility.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File created	\??\c:\Windows\System32\CSC7CC7F7CFBD3D45B0BB2C9027F4CC15F.TMP	csc.exe
File created	\??\c:\Windows\System32\cwwwvr.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 4544 set thread context of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 set thread context of 836	4544	lhhsgwktkatl.exe	conhost.exe

Drops file in Windows directory 3 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Windows\AppReadiness\Utility.exe	Sessionperf.exe
File opened for modification	C:\Windows\AppReadiness\Utility.exe	Sessionperf.exe
File created	C:\Windows\AppReadiness\fa0a42e5f0e653	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3764 sc.exe
1400 sc.exe
2144 sc.exe
4904 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3764	sc.exe
1400	sc.exe
2144	sc.exe
4904	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2488	schtasks.exe
5076	schtasks.exe
4580	schtasks.exe
2240	schtasks.exe
3064	schtasks.exe
4288	schtasks.exe
4496	schtasks.exe
1172	schtasks.exe
3116	schtasks.exe
4996	schtasks.exe
4132	schtasks.exe
1900	schtasks.exe
1936	schtasks.exe
4272	schtasks.exe
4396	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2976 reg.exe

pid	process
2976	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe
700	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Registry.exe

pid process

2932 Registry.exe

pid	process
2932	Registry.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exeRegistry.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1836	Loader.exe
Token: SeDebugPrivilege	700	Sessionperf.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	2932	Registry.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeShutdownPrivilege	3868	powercfg.exe
Token: SeCreatePagefilePrivilege	3868	powercfg.exe
Token: SeShutdownPrivilege	1120	powercfg.exe
Token: SeCreatePagefilePrivilege	1120	powercfg.exe
Token: SeShutdownPrivilege	1880	powercfg.exe
Token: SeCreatePagefilePrivilege	1880	powercfg.exe
Token: SeShutdownPrivilege	3116	powercfg.exe
Token: SeCreatePagefilePrivilege	3116	powercfg.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeShutdownPrivilege	3340	powercfg.exe
Token: SeCreatePagefilePrivilege	3340	powercfg.exe
Token: SeShutdownPrivilege	1864	powercfg.exe
Token: SeCreatePagefilePrivilege	1864	powercfg.exe
Token: SeLockMemoryPrivilege	836	conhost.exe
Token: SeShutdownPrivilege	3984	powercfg.exe
Token: SeCreatePagefilePrivilege	3984	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Registry.exe

pid process

2932 Registry.exe

pid	process
2932	Registry.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 1836 wrote to memory of 1784	1836	Loader.exe	Checker.exe
PID 1836 wrote to memory of 1784	1836	Loader.exe	Checker.exe
PID 1836 wrote to memory of 1784	1836	Loader.exe	Checker.exe
PID 1836 wrote to memory of 872	1836	Loader.exe	Utility.exe
PID 1836 wrote to memory of 872	1836	Loader.exe	Utility.exe
PID 1784 wrote to memory of 3340	1784	Checker.exe	WScript.exe
PID 1784 wrote to memory of 3340	1784	Checker.exe	WScript.exe
PID 1784 wrote to memory of 3340	1784	Checker.exe	WScript.exe
PID 3340 wrote to memory of 3124	3340	WScript.exe	cmd.exe
PID 3340 wrote to memory of 3124	3340	WScript.exe	cmd.exe
PID 3340 wrote to memory of 3124	3340	WScript.exe	cmd.exe
PID 3124 wrote to memory of 2976	3124	cmd.exe	reg.exe
PID 3124 wrote to memory of 2976	3124	cmd.exe	reg.exe
PID 3124 wrote to memory of 2976	3124	cmd.exe	reg.exe
PID 3124 wrote to memory of 700	3124	cmd.exe	Sessionperf.exe
PID 3124 wrote to memory of 700	3124	cmd.exe	Sessionperf.exe
PID 700 wrote to memory of 3880	700	Sessionperf.exe	csc.exe
PID 700 wrote to memory of 3880	700	Sessionperf.exe	csc.exe
PID 3880 wrote to memory of 4940	3880	csc.exe	cvtres.exe
PID 3880 wrote to memory of 4940	3880	csc.exe	cvtres.exe
PID 700 wrote to memory of 4480	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 4480	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 4612	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 4612	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3256	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3256	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3336	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3336	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3224	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3224	700	Sessionperf.exe	powershell.exe
PID 700 wrote to memory of 3464	700	Sessionperf.exe	cmd.exe
PID 700 wrote to memory of 3464	700	Sessionperf.exe	cmd.exe
PID 3464 wrote to memory of 2620	3464	cmd.exe	chcp.com
PID 3464 wrote to memory of 2620	3464	cmd.exe	chcp.com
PID 3464 wrote to memory of 3736	3464	cmd.exe	w32tm.exe
PID 3464 wrote to memory of 3736	3464	cmd.exe	w32tm.exe
PID 3464 wrote to memory of 2932	3464	cmd.exe	Registry.exe
PID 3464 wrote to memory of 2932	3464	cmd.exe	Registry.exe
PID 4288 wrote to memory of 824	4288	cmd.exe	wusa.exe
PID 4288 wrote to memory of 824	4288	cmd.exe	wusa.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 2164	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 836	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 836	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 836	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 836	4544	lhhsgwktkatl.exe	conhost.exe
PID 4544 wrote to memory of 836	4544	lhhsgwktkatl.exe	conhost.exe
PID 644 wrote to memory of 1036	644	cmd.exe	wusa.exe
PID 644 wrote to memory of 1036	644	cmd.exe	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:2976

C:\blockcontainerWincrtdll\Sessionperf.exe
"C:\blockcontainerWincrtdll/Sessionperf.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vf1wfrov\vf1wfrov.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6784.tmp" "c:\Windows\System32\CSC7CC7F7CFBD3D45B0BB2C9027F4CC15F.TMP"
7⤵
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\Utility.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\Registry.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\dllhost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\lsass.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RLphYW2oBM.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2620

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3736

C:\blockcontainerWincrtdll\Registry.exe
"C:\blockcontainerWincrtdll\Registry.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Users\Admin\AppData\Local\Temp\Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Utility.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:872

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:824

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
3⤵
- Launches sc.exe
PID:3764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:4904

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
3⤵
- Launches sc.exe
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UtilityU" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\Utility.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Utility" /sc ONLOGON /tr "'C:\Windows\AppReadiness\Utility.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UtilityU" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\Utility.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\blockcontainerWincrtdll\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\blockcontainerWincrtdll\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\blockcontainerWincrtdll\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\blockcontainerWincrtdll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1036

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2164

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6784.tmp
Filesize
1KB

MD5
f5d86514d62ec79d4a8b09a6d75e2ea0

SHA1
f3aefb921ce2f47f9c93b950c3b11940fbe1495f

SHA256
0206cd914dc1f9a04ef1527bfbc00ccc5fdf77247d920bc394a12dabc1747d52

SHA512
5602141f8e44dbaee2183df36a088bbcea7439c2ad0d42841e8bd869a3e04b0e11eefe29026aadc196286f0d908c3a54e5f0d70066a9b08d437e0012d0102f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLphYW2oBM.bat
Filesize
215B

MD5
a5a8db7656992c5d326c40f60d8333c5

SHA1
7ee7df857316d9903e5685b5fa24834a36625351

SHA256
444926ebf42edaf438cfa61f126e3b909a27695df286f33e4d76834e02d73c1a

SHA512
71bd9b5dee1a7a8de9856f8d535f8f7cc7f03a7e60e1abd9e72621a1d6370044f000585c8a20f7f0c271a4ce59f0f1db03f683f8fb7854db6e33687fc32f4a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ccukwlw4.1zr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vf1wfrov\vf1wfrov.0.cs
Filesize
367B

MD5
46cee9b6e463e670c76a61e32e44b19f

SHA1
3bfdaff2d2b3c2bc9f067c7b0b4e9c19b4ad80ee

SHA256
dac88298a5d8b054f63dc969763d1754986d6a0c675b67d38713a008c11ec68c

SHA512
8280f85ba42fc87bce6bd414a7e7337ac03d7d760dff8531d3e68cd25d2a3741351e9d1c66166ff770e10cdf730e23969a7909733264d074f1cec8f0d62ed9a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vf1wfrov\vf1wfrov.cmdline
Filesize
235B

MD5
e56c5a0e10a8d567ca0cc03a7354e928

SHA1
5cdb78ae645f2faab2f9d9be05c60dd62d51ab6b

SHA256
d51fb0b996a54974daeea5b5ab8019cb8b99397f445fa0dc9220330062c5dc30

SHA512
c890e5504b312c203707478f316e78f93201217b1aa3dc7ef5ac1a589cf6dd14db9fead277d5b65f8a2633994589c6045e668d0f487b1e9d79cb4deb460b6bc5

Download Submit
\??\c:\Windows\System32\CSC7CC7F7CFBD3D45B0BB2C9027F4CC15F.TMP
Filesize
1KB

MD5
913b41bbe173c6878eae5b8d8b62f5b7

SHA1
386047df3df2b03e486bc87c4b7a3fee5f68ad73

SHA256
24e424d4d217bc9b5e76e0867e2715aabb09d7e49ab1e716eefb40d718e4f135

SHA512
c71d73ccf422818dce69b867726b04c54b6418b99d67227e7dc328c3c3df86f0235630feb91494f8102540aa94fce68674707db991222ce4c79934c17b9c0cc9

Download Submit
memory/700-54-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/700-134-0x000000001B8E0000-0x000000001B92E000-memory.dmp

Filesize
312KB

Download
memory/700-48-0x0000000002700000-0x0000000002718000-memory.dmp

Filesize
96KB

Download
memory/700-50-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/700-52-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/700-46-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/700-56-0x0000000002840000-0x000000000284E000-memory.dmp

Filesize
56KB

Download
memory/700-58-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/700-60-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/700-62-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/700-64-0x000000001B3E0000-0x000000001B3F6000-memory.dmp

Filesize
88KB

Download
memory/700-66-0x000000001B400000-0x000000001B412000-memory.dmp

Filesize
72KB

Download
memory/700-67-0x000000001B950000-0x000000001BE78000-memory.dmp

Filesize
5.2MB

Download
memory/700-69-0x00000000028E0000-0x00000000028EE000-memory.dmp

Filesize
56KB

Download
memory/700-71-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/700-73-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/700-75-0x000000001B480000-0x000000001B4DA000-memory.dmp

Filesize
360KB

Download
memory/700-77-0x000000001B420000-0x000000001B42E000-memory.dmp

Filesize
56KB

Download
memory/700-79-0x000000001B430000-0x000000001B440000-memory.dmp

Filesize
64KB

Download
memory/700-81-0x000000001B440000-0x000000001B44E000-memory.dmp

Filesize
56KB

Download
memory/700-83-0x000000001B6E0000-0x000000001B6F8000-memory.dmp

Filesize
96KB

Download
memory/700-85-0x000000001B450000-0x000000001B45C000-memory.dmp

Filesize
48KB

Download
memory/700-87-0x000000001B750000-0x000000001B79E000-memory.dmp

Filesize
312KB

Download
memory/700-44-0x0000000002890000-0x00000000028E0000-memory.dmp

Filesize
320KB

Download
memory/700-43-0x0000000000DD0000-0x0000000000DEC000-memory.dmp

Filesize
112KB

Download
memory/700-41-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/700-39-0x00000000026D0000-0x00000000026F6000-memory.dmp

Filesize
152KB

Download
memory/700-37-0x00000000000A0000-0x0000000000442000-memory.dmp

Filesize
3.6MB

Download
memory/836-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-287-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-286-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/836-250-0x000001E2DFB40000-0x000001E2DFB60000-memory.dmp

Filesize
128KB

Download
memory/1836-1-0x00007FFF98773000-0x00007FFF98775000-memory.dmp

Filesize
8KB

Download
memory/1836-0-0x0000000000A40000-0x0000000000A9E000-memory.dmp

Filesize
376KB

Download
memory/1836-2-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1836-3-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1836-24-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/2124-228-0x0000020F55A20000-0x0000020F55A2A000-memory.dmp

Filesize
40KB

Download
memory/2124-226-0x0000020F555B0000-0x0000020F555BA000-memory.dmp

Filesize
40KB

Download
memory/2124-224-0x0000020F55800000-0x0000020F5581C000-memory.dmp

Filesize
112KB

Download
memory/2124-232-0x0000020F55A70000-0x0000020F55A7A000-memory.dmp

Filesize
40KB

Download
memory/2124-231-0x0000020F55A60000-0x0000020F55A66000-memory.dmp

Filesize
24KB

Download
memory/2124-230-0x0000020F55A30000-0x0000020F55A38000-memory.dmp

Filesize
32KB

Download
memory/2124-229-0x0000020F55A80000-0x0000020F55A9A000-memory.dmp

Filesize
104KB

Download
memory/2124-225-0x0000020F55820000-0x0000020F558D5000-memory.dmp

Filesize
724KB

Download
memory/2124-227-0x0000020F55A40000-0x0000020F55A5C000-memory.dmp

Filesize
112KB

Download
memory/2164-237-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2164-236-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2164-235-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2164-238-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2164-242-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2164-239-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2932-256-0x000000001DA00000-0x000000001DA4E000-memory.dmp

Filesize
312KB

Download
memory/4612-114-0x000001DAC2E00000-0x000001DAC2E22000-memory.dmp

Filesize
136KB

Download