Analysis Overview
SHA256
5048f4d069d68eb6944b230e184fc3757a8d224dbd0aeef80a96285b13d79c15
Threat Level: Known bad
The file Lunar Release V1.2.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Xworm
Detect Xworm Payload
XMRig Miner payload
Stops running service(s)
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:30
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:30
Reported
2024-06-01 03:31
Platform
win11-20240426-en
Max time kernel
4s
Max time network
31s
Command Line
Signatures
Detect Xworm Payload
Xworm
xmrig
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LunarExecutor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Sound Adapter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\num2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe | N/A |
| N/A | N/A | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | N/A |
| N/A | N/A | C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\num2.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 980 set thread context of 2532 | N/A | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | C:\Windows\system32\conhost.exe |
| PID 980 set thread context of 4132 | N/A | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | C:\Windows\system32\svchost.exe |
| PID 1356 set thread context of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe | C:\Windows\system32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Sound Adapter.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Users\Admin\AppData\Local\Temp\Lunar Release V1.2.exe | "C:\Users\Admin\AppData\Local\Temp\Lunar Release V1.2.exe" |
| C:\Users\Admin\AppData\Local\Temp\LunarExecutor.exe | "C:\Users\Admin\AppData\Local\Temp\LunarExecutor.exe" |
| C:\Users\Admin\AppData\Local\Temp\Windows Sound Adapter.exe | "C:\Users\Admin\AppData\Local\Temp\Windows Sound Adapter.exe" |
| C:\Users\Admin\AppData\Local\Temp\num2.EXE | "C:\Users\Admin\AppData\Local\Temp\num2.EXE" |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "HDNFMUHS" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "HDNFMUHS" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe |
| C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe | C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe |
| C:\Windows\system32\svchost.exe | svchost.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "YWZWALUU" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "YWZWALUU" |
| C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe | C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AMD Graphics Manager" /tr "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\system32\dialer.exe | dialer.exe |
| C:\Users\Admin\AppData\Roaming\AMD Graphics Manager | "C:\Users\Admin\AppData\Roaming\AMD Graphics Manager" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 91.92.241.69:5555 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\LunarExecutor.exe
| MD5 | 1799672512d979b9e42c59cf585cbb10 |
| SHA1 | c11ed2acd408521f61e359456eb67b1f6bb7ad81 |
| SHA256 | afb7c6a1ecc819d8727b24229f74db0d430d40d1062342bd31e2495dc496adc4 |
| SHA512 | 7bf6a2688e953dcd73819769acbbada305216bce540c20a3d6eaa8a6942000a29651c8a16a8f9640be8d8185a0a05787d75223cb612065cf0051c8be46f134d9 |
C:\Users\Admin\AppData\Local\Temp\Windows Sound Adapter.exe
| MD5 | 9ac62ff292d4ae060777d8fa192a5bbc |
| SHA1 | 37039579fd2940f2b7965d65fcbfb12bfec6aaee |
| SHA256 | 691fcb5dfa44d54d8e233989ef826d164bd0f3002052c0011b2698f4b5a2b062 |
| SHA512 | e81ec0bf563e85e127b1d3ed397426d4225eb3df697fa96e125d2bdaebd8c1f2c9b0604189fc8a6eae11f362eb293f7185344e4859c403a001cc0e71dfa1c60b |
C:\Users\Admin\AppData\Local\Temp\num2.EXE
| MD5 | e6fe75c4390d3970545f0fdbb3274244 |
| SHA1 | 8b6ed33f1778800cf0549bd7214249bdb81fbb58 |
| SHA256 | 48aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5 |
| SHA512 | 17b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | fee27684fe21a3556b90c2e127a5781b |
| SHA1 | fd326ed988341323d7f42bada2b3faa73432e0d9 |
| SHA256 | c2e0e53f63f811e31283c40cc8ffc69bd456353c1508db51197e8bb65996676c |
| SHA512 | 00d3d5ff6484a01e861f57a05e6e2b6f5be868290c53b66348d039ef210ee3fc2e92ee436ed4fe634aad542143940a1bbab44b2f3c1c2387ea32c098429155da |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jhi_service.exe
| MD5 | 1994ad04639f3d12c7bbfa37feb3434f |
| SHA1 | 4979247e5a9771286a91827851527e5dbfb80c8e |
| SHA256 | c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c |
| SHA512 | adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MicrosoftEdgeUpdater.exe
| MD5 | 19c095e1c399bdaa0663caa9162f0b0e |
| SHA1 | cb5504712ec965f7c43883f2f251823755b1e37e |
| SHA256 | 38edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713 |
| SHA512 | a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4nqv5m4.5ww.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD Graphics Manager.lnk
| MD5 | 1135afe29f0ae092a4dec47444a988ef |
| SHA1 | 0da130492b6e3a33e1d6286ce70664ccac9f002c |
| SHA256 | d5f7d723f660f9af91b9c32548e86f7751ea0ad8f8eff47256bdfb8f433b85fe |
| SHA512 | 843f42c41a641befdf91550566c454b2678ee174d5e7fb588bc01109bf575e813cbafe014e0bdd3f3daf5e4edc7604bfca7fa26500f2ffb72959ec1e64b714e9 |