xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Resubmissions

14-05-2024 11:56

240514-n323naef94 3

14-05-2024 11:35

240514-nqfc5adg51 10

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral4/memory/5056-37-0x00000000003C0000-0x0000000000762000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\dllhost.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4984	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/5004-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-249-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-254-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-253-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-251-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-286-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/5004-287-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2032 powershell.exe
2204 powershell.exe
1608 powershell.exe
2668 powershell.exe
3556 powershell.exe
3152 powershell.exe
3652 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 5 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exedllhost.exelhhsgwktkatl.exe

pid process

468 Checker.exe
836 Utility.exe
5056 Sessionperf.exe
4492 dllhost.exe
3836 lhhsgwktkatl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2032	powershell.exe
2204	powershell.exe
1608	powershell.exe
2668	powershell.exe
3556	powershell.exe
3152	powershell.exe
3652	powershell.exe

pid	process
468	Checker.exe
836	Utility.exe
5056	Sessionperf.exe
4492	dllhost.exe
3836	lhhsgwktkatl.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/5004-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-286-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/5004-287-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\TAPI\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\TAPI\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Mail\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Mail\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

csc.exeUtility.exepowershell.exelhhsgwktkatl.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC2729C5C7F9AC40B89DEA8D311232B283.TMP	csc.exe
File created	\??\c:\Windows\System32\lro3o3.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 3836 set thread context of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 set thread context of 5004	3836	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	Sessionperf.exe

Drops file in Windows directory 3 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Windows\TAPI\winlogon.exe	Sessionperf.exe
File opened for modification	C:\Windows\TAPI\winlogon.exe	Sessionperf.exe
File created	C:\Windows\TAPI\cc11b995f2a76d	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4256 sc.exe
2444 sc.exe
5068 sc.exe
3348 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4256	sc.exe
2444	sc.exe
5068	sc.exe
3348	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3192	schtasks.exe
4300	schtasks.exe
2908	schtasks.exe
5112	schtasks.exe
4588	schtasks.exe
4716	schtasks.exe
2544	schtasks.exe
1640	schtasks.exe
4456	schtasks.exe
1648	schtasks.exe
3196	schtasks.exe
3040	schtasks.exe
2844	schtasks.exe
4608	schtasks.exe
1460	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2400 reg.exe

pid	process
2400	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe
5056	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

4492 dllhost.exe

pid	process
4492	dllhost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2748	Loader.exe
Token: SeDebugPrivilege	5056	Sessionperf.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	4492	dllhost.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeShutdownPrivilege	2052	powercfg.exe
Token: SeCreatePagefilePrivilege	2052	powercfg.exe
Token: SeShutdownPrivilege	2380	powercfg.exe
Token: SeCreatePagefilePrivilege	2380	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeCreatePagefilePrivilege	2000	powercfg.exe
Token: SeShutdownPrivilege	488	powercfg.exe
Token: SeCreatePagefilePrivilege	488	powercfg.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeLockMemoryPrivilege	5004	conhost.exe
Token: SeShutdownPrivilege	5104	powercfg.exe
Token: SeCreatePagefilePrivilege	5104	powercfg.exe
Token: SeShutdownPrivilege	2368	powercfg.exe
Token: SeCreatePagefilePrivilege	2368	powercfg.exe
Token: SeShutdownPrivilege	2572	powercfg.exe
Token: SeCreatePagefilePrivilege	2572	powercfg.exe
Token: SeShutdownPrivilege	3596	powercfg.exe
Token: SeCreatePagefilePrivilege	3596	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dllhost.exe

pid process

4492 dllhost.exe

pid	process
4492	dllhost.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 2748 wrote to memory of 468	2748	Loader.exe	Checker.exe
PID 2748 wrote to memory of 468	2748	Loader.exe	Checker.exe
PID 2748 wrote to memory of 468	2748	Loader.exe	Checker.exe
PID 468 wrote to memory of 4720	468	Checker.exe	WScript.exe
PID 468 wrote to memory of 4720	468	Checker.exe	WScript.exe
PID 468 wrote to memory of 4720	468	Checker.exe	WScript.exe
PID 2748 wrote to memory of 836	2748	Loader.exe	Utility.exe
PID 2748 wrote to memory of 836	2748	Loader.exe	Utility.exe
PID 4720 wrote to memory of 4664	4720	WScript.exe	cmd.exe
PID 4720 wrote to memory of 4664	4720	WScript.exe	cmd.exe
PID 4720 wrote to memory of 4664	4720	WScript.exe	cmd.exe
PID 4664 wrote to memory of 2400	4664	cmd.exe	reg.exe
PID 4664 wrote to memory of 2400	4664	cmd.exe	reg.exe
PID 4664 wrote to memory of 2400	4664	cmd.exe	reg.exe
PID 4664 wrote to memory of 5056	4664	cmd.exe	Sessionperf.exe
PID 4664 wrote to memory of 5056	4664	cmd.exe	Sessionperf.exe
PID 5056 wrote to memory of 4348	5056	Sessionperf.exe	csc.exe
PID 5056 wrote to memory of 4348	5056	Sessionperf.exe	csc.exe
PID 4348 wrote to memory of 2992	4348	csc.exe	cvtres.exe
PID 4348 wrote to memory of 2992	4348	csc.exe	cvtres.exe
PID 5056 wrote to memory of 3556	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 3556	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 1608	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 1608	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 2668	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 2668	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 3152	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 3152	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 3652	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 3652	5056	Sessionperf.exe	powershell.exe
PID 5056 wrote to memory of 2952	5056	Sessionperf.exe	cmd.exe
PID 5056 wrote to memory of 2952	5056	Sessionperf.exe	cmd.exe
PID 2952 wrote to memory of 4112	2952	cmd.exe	chcp.com
PID 2952 wrote to memory of 4112	2952	cmd.exe	chcp.com
PID 2952 wrote to memory of 2044	2952	cmd.exe	w32tm.exe
PID 2952 wrote to memory of 2044	2952	cmd.exe	w32tm.exe
PID 2952 wrote to memory of 4492	2952	cmd.exe	dllhost.exe
PID 2952 wrote to memory of 4492	2952	cmd.exe	dllhost.exe
PID 3164 wrote to memory of 4856	3164	cmd.exe	wusa.exe
PID 3164 wrote to memory of 4856	3164	cmd.exe	wusa.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 396	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 5004	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 5004	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 5004	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 5004	3836	lhhsgwktkatl.exe	conhost.exe
PID 3836 wrote to memory of 5004	3836	lhhsgwktkatl.exe	conhost.exe
PID 244 wrote to memory of 1876	244	cmd.exe	wusa.exe
PID 244 wrote to memory of 1876	244	cmd.exe	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:2400

C:\blockcontainerWincrtdll\Sessionperf.exe
"C:\blockcontainerWincrtdll/Sessionperf.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znngflju\znngflju.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92AB.tmp" "c:\Windows\System32\CSC2729C5C7F9AC40B89DEA8D311232B283.TMP"
7⤵
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\winlogon.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchHost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\dllhost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\To0UWwuMId.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4112

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2044

C:\Program Files (x86)\Windows Mail\dllhost.exe
"C:\Program Files (x86)\Windows Mail\dllhost.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Users\Admin\AppData\Local\Temp\Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Utility.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4856

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
3⤵
- Launches sc.exe
PID:2444

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
3⤵
- Launches sc.exe
PID:5068

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3348

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
3⤵
- Launches sc.exe
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:244

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:396

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92AB.tmp
Filesize
1KB

MD5
094a93a5f2861e4734e19340ae6b582a

SHA1
745b5c21b498dfdd11f880e93d021df84a4d66e1

SHA256
e2b886bce1b646f652b0deb21816fe7ada80df6de069e8d8b6c84e85c6da7291

SHA512
012e3b2548d4a97f75f72d34eb5f1ff621475221df5f7047f9fa76ae84d55ca98bade43343fbcb9e27c04038cf65434b670b0d55b0b2e5471395050762ff54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\To0UWwuMId.bat
Filesize
223B

MD5
95487cb4d19c6767eb793a28f21a862c

SHA1
976492e2a4ec530d848d94776eaa6a09a500b148

SHA256
353074b7916659b922085496a27681deb350dc601c365f815b288ed4b358cac2

SHA512
0798ad0289ba75b60212326662bb6fa1c38f4075963c757a069e0299395a5dcda86064dace1019708bb573b2491da01f97dd82c524580cca58e2dcf51ff2122d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orgcbh2q.tod.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znngflju\znngflju.0.cs
Filesize
360B

MD5
ad030bb97f4b0f784f8e92ed07714e6b

SHA1
b70a57a21f5ef4817beadfd096888a42297cafd5

SHA256
4d0a3dcfc341fcfa2111bf28b05bc09f1cab61ea43ab10ba5d501638a50a631f

SHA512
462d975b3d13278ec40efe168fd70dd37c23994e9c3c4d516bcefb701d7e954ece540c78e6610bfdf2bb8a5c8c78fe635f985246c9e262a972535e1811084aa3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znngflju\znngflju.cmdline
Filesize
235B

MD5
cb1ca27aa7f3432adb0d74c90c22812e

SHA1
da96f1b3f148fd47cc51d57d98c3fa3f85bbecfb

SHA256
8b4c94f6e3395dfe6f32365851f0dc0f272b556e47903f64445306bd92c9a221

SHA512
aa54c9ba93332aa1147f7cbf55e33d7aee4352876da11a893f85c39a01898367c1d32eb33440b5f966d72326bd32dfbd25aefbc85102176889c9ada0f449c5d1

Download Submit
\??\c:\Windows\System32\CSC2729C5C7F9AC40B89DEA8D311232B283.TMP
Filesize
1KB

MD5
2454379e488a0871e6bbf79b110e4f0b

SHA1
c9f31dec63230ab07ec57715d640cc077ccf2d7e

SHA256
6b1b6b15b0bf02e3adce276b777c140109f0371cebdaa4afc2a63f49162412ad

SHA512
e1899640165ee0ce96ae07388e4d5c19a480a513f1cdc6cc6901f70e9a3912e9cb06b964cebcfac6bdf400dec03b777394e148129da2e8381717ae08830f8ca3

Download Submit
memory/396-238-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/396-239-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/396-235-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/396-236-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/396-237-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/396-242-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2204-232-0x000001B43DC40000-0x000001B43DC4A000-memory.dmp

Filesize
40KB

Download
memory/2204-231-0x000001B43DC30000-0x000001B43DC36000-memory.dmp

Filesize
24KB

Download
memory/2204-230-0x000001B43DC00000-0x000001B43DC08000-memory.dmp

Filesize
32KB

Download
memory/2204-229-0x000001B43DC50000-0x000001B43DC6A000-memory.dmp

Filesize
104KB

Download
memory/2204-228-0x000001B43DBF0000-0x000001B43DBFA000-memory.dmp

Filesize
40KB

Download
memory/2204-227-0x000001B43DC10000-0x000001B43DC2C000-memory.dmp

Filesize
112KB

Download
memory/2204-226-0x000001B43DBE0000-0x000001B43DBEA000-memory.dmp

Filesize
40KB

Download
memory/2204-225-0x000001B43DB20000-0x000001B43DBD3000-memory.dmp

Filesize
716KB

Download
memory/2204-224-0x000001B43DB00000-0x000001B43DB1C000-memory.dmp

Filesize
112KB

Download
memory/2668-113-0x00000262974E0000-0x0000026297502000-memory.dmp

Filesize
136KB

Download
memory/2748-2-0x00007FF994850000-0x00007FF995312000-memory.dmp

Filesize
10.8MB

Download
memory/2748-0-0x00007FF994853000-0x00007FF994855000-memory.dmp

Filesize
8KB

Download
memory/2748-1-0x0000000000640000-0x000000000069E000-memory.dmp

Filesize
376KB

Download
memory/2748-3-0x00007FF994850000-0x00007FF995312000-memory.dmp

Filesize
10.8MB

Download
memory/2748-32-0x00007FF994850000-0x00007FF995312000-memory.dmp

Filesize
10.8MB

Download
memory/4492-256-0x000000001DE40000-0x000000001DF5E000-memory.dmp

Filesize
1.1MB

Download
memory/5004-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-250-0x0000021371E60000-0x0000021371E80000-memory.dmp

Filesize
128KB

Download
memory/5004-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-286-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-287-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5004-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5056-37-0x00000000003C0000-0x0000000000762000-memory.dmp

Filesize
3.6MB

Download
memory/5056-71-0x000000001C1B0000-0x000000001C1C0000-memory.dmp

Filesize
64KB

Download
memory/5056-62-0x000000001C140000-0x000000001C150000-memory.dmp

Filesize
64KB

Download
memory/5056-60-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/5056-58-0x000000001C1C0000-0x000000001C1D2000-memory.dmp

Filesize
72KB

Download
memory/5056-56-0x000000001C100000-0x000000001C10E000-memory.dmp

Filesize
56KB

Download
memory/5056-66-0x000000001C200000-0x000000001C212000-memory.dmp

Filesize
72KB

Download
memory/5056-67-0x000000001C750000-0x000000001CC78000-memory.dmp

Filesize
5.2MB

Download
memory/5056-54-0x000000001C0C0000-0x000000001C0CE000-memory.dmp

Filesize
56KB

Download
memory/5056-69-0x000000001C1A0000-0x000000001C1AE000-memory.dmp

Filesize
56KB

Download
memory/5056-52-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/5056-50-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/5056-48-0x000000001C120000-0x000000001C138000-memory.dmp

Filesize
96KB

Download
memory/5056-64-0x000000001C1E0000-0x000000001C1F6000-memory.dmp

Filesize
88KB

Download
memory/5056-73-0x000000001C220000-0x000000001C230000-memory.dmp

Filesize
64KB

Download
memory/5056-46-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/5056-77-0x000000001C230000-0x000000001C23E000-memory.dmp

Filesize
56KB

Download
memory/5056-75-0x000000001C290000-0x000000001C2EA000-memory.dmp

Filesize
360KB

Download
memory/5056-39-0x000000001C0D0000-0x000000001C0F6000-memory.dmp

Filesize
152KB

Download
memory/5056-41-0x0000000002960000-0x000000000296E000-memory.dmp

Filesize
56KB

Download
memory/5056-43-0x000000001C0A0000-0x000000001C0BC000-memory.dmp

Filesize
112KB

Download
memory/5056-44-0x000000001C150000-0x000000001C1A0000-memory.dmp

Filesize
320KB

Download
memory/5056-87-0x000000001C560000-0x000000001C5AE000-memory.dmp

Filesize
312KB

Download
memory/5056-85-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/5056-83-0x000000001C4F0000-0x000000001C508000-memory.dmp

Filesize
96KB

Download
memory/5056-81-0x000000001C250000-0x000000001C25E000-memory.dmp

Filesize
56KB

Download
memory/5056-79-0x000000001C240000-0x000000001C250000-memory.dmp

Filesize
64KB

Download