xmrig | 5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369

Analysis

max time kernel
852s
max time network
901s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2025, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.exe
Size

104KB
MD5

4a9f5b7664e2ebf47aa5fc4240dc8a22
SHA1

d0fc11aab0181df38d193cf8dfd1843fe06c844a
SHA256

5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369
SHA512

f45224b584b64d4ac32d4e6303ad87b2902ea310ac332ed0a0c7a706df2441eb0ef1f5076fe2716d004e59aa6a8e9e5e5e3a8f012008f05aef05064ad1e1eed6
SSDEEP

192:xjZaDMFEa4ajXPeeZnXwqXTyE1hEjjTyXfan55tfMcePLiZmGhTuRY9SRXiKqiRh:hp4ajGCnXGMsGXfwldJ99Sjvb99Sjv

Score

10^/10

xmrig xworm defense_evasion execution miner rat trojan

Malware Config

Extracted

Family

xworm

Mutex

yNحكـX8ٍبAGLWِF6Jo2DiObلٍLZا3ا

Attributes

Install_directory
%Port%
install_file
MicrosoftEdgeUpdateTaskMachineUAC.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3824-333-0x000002001F200000-0x000002001F20E000-memory.dmp	family_xworm

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/files/0x001c00000002af62-69.dat	family_xmrig
behavioral1/files/0x001c00000002af62-69.dat	xmrig
behavioral1/memory/3824-70-0x00000200034F0000-0x0000020003E36000-memory.dmp	xmrig
behavioral1/memory/3824-82-0x000002001E6C0000-0x000002001F2F4000-memory.dmp	xmrig
behavioral1/files/0x001900000002af64-200.dat	family_xmrig
behavioral1/files/0x001900000002af64-200.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 3 IoCs

pid	Process
3824	xmrig.exe
2208	fbb3goyp.dsj.exe
3788	z12ibzlu.n0p.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
2732	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741023104"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={86195CDC-E791-4619-BBA2-18737F46F487}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Mar 2025 17:31:44 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1281"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "0"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = ":BackgroundTransferApiGroup:"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "224"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\51e9c19b-ab54-46c0-8f9f-517a85f = "MicrosoftWindows.Client.CBS_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByKey:PID = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = ":BackgroundTransferApi:"	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\FFlags = "18874369"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5600310000000000635ac88b1000526f616d696e6700400009000400efbe515ab3a6635acb8b2e0000005c5702000000010000000000000000000000000000009bd7960052006f0061006d0069006e006700000016000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\51e9c19b-ab54-46c0-8f9f-517a85f	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f7840f05f6481501b109f0800aa002f954e0000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\51e9c19b-ab54-46c0-8f9f-517a85f = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3320	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	powershell.exe
2732	powershell.exe
2652	powershell.exe
2652	powershell.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe
2208	fbb3goyp.dsj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3320	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3824	xmrig.exe
Token: SeDebugPrivilege	2208	fbb3goyp.dsj.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeAuditPrivilege	2256	svchost.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeAuditPrivilege	2700	svchost.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3320	Explorer.EXE
3968	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2732	4964	miner.exe	77
PID 4964 wrote to memory of 2732	4964	miner.exe	77
PID 2732 wrote to memory of 2652	2732	powershell.exe	79
PID 2732 wrote to memory of 2652	2732	powershell.exe	79
PID 4964 wrote to memory of 3824	4964	miner.exe	80
PID 4964 wrote to memory of 3824	4964	miner.exe	80
PID 3824 wrote to memory of 2208	3824	xmrig.exe	81
PID 3824 wrote to memory of 2208	3824	xmrig.exe	81
PID 2208 wrote to memory of 632	2208	fbb3goyp.dsj.exe	5
PID 2208 wrote to memory of 688	2208	fbb3goyp.dsj.exe	7
PID 2208 wrote to memory of 988	2208	fbb3goyp.dsj.exe	12
PID 2208 wrote to memory of 552	2208	fbb3goyp.dsj.exe	13
PID 2208 wrote to memory of 452	2208	fbb3goyp.dsj.exe	14
PID 2208 wrote to memory of 716	2208	fbb3goyp.dsj.exe	15
PID 2208 wrote to memory of 1060	2208	fbb3goyp.dsj.exe	16
PID 2208 wrote to memory of 1140	2208	fbb3goyp.dsj.exe	18
PID 2208 wrote to memory of 1192	2208	fbb3goyp.dsj.exe	19
PID 2208 wrote to memory of 1204	2208	fbb3goyp.dsj.exe	20
PID 2208 wrote to memory of 1228	2208	fbb3goyp.dsj.exe	21
PID 2208 wrote to memory of 1336	2208	fbb3goyp.dsj.exe	22
PID 2208 wrote to memory of 1348	2208	fbb3goyp.dsj.exe	23
PID 2208 wrote to memory of 1452	2208	fbb3goyp.dsj.exe	24
PID 2208 wrote to memory of 1488	2208	fbb3goyp.dsj.exe	25
PID 2208 wrote to memory of 1504	2208	fbb3goyp.dsj.exe	26
PID 2208 wrote to memory of 1608	2208	fbb3goyp.dsj.exe	27
PID 2208 wrote to memory of 1664	2208	fbb3goyp.dsj.exe	28
PID 2208 wrote to memory of 1724	2208	fbb3goyp.dsj.exe	29
PID 2208 wrote to memory of 1784	2208	fbb3goyp.dsj.exe	30
PID 2208 wrote to memory of 1804	2208	fbb3goyp.dsj.exe	31
PID 2208 wrote to memory of 1844	2208	fbb3goyp.dsj.exe	32
PID 2208 wrote to memory of 1856	2208	fbb3goyp.dsj.exe	33
PID 2208 wrote to memory of 1872	2208	fbb3goyp.dsj.exe	34
PID 2208 wrote to memory of 1956	2208	fbb3goyp.dsj.exe	35
PID 2208 wrote to memory of 2036	2208	fbb3goyp.dsj.exe	36
PID 2208 wrote to memory of 1812	2208	fbb3goyp.dsj.exe	37
PID 2208 wrote to memory of 2256	2208	fbb3goyp.dsj.exe	39
PID 3824 wrote to memory of 3788	3824	xmrig.exe	82
PID 3824 wrote to memory of 3788	3824	xmrig.exe	82
PID 688 wrote to memory of 2720	688	lsass.exe	45
PID 688 wrote to memory of 2720	688	lsass.exe	45
PID 2208 wrote to memory of 2424	2208	fbb3goyp.dsj.exe	40
PID 2208 wrote to memory of 2548	2208	fbb3goyp.dsj.exe	41
PID 2208 wrote to memory of 2556	2208	fbb3goyp.dsj.exe	42
PID 2208 wrote to memory of 2616	2208	fbb3goyp.dsj.exe	43
PID 2208 wrote to memory of 2700	2208	fbb3goyp.dsj.exe	44
PID 2208 wrote to memory of 2720	2208	fbb3goyp.dsj.exe	45
PID 2208 wrote to memory of 2768	2208	fbb3goyp.dsj.exe	46
PID 2208 wrote to memory of 2776	2208	fbb3goyp.dsj.exe	47
PID 2208 wrote to memory of 2784	2208	fbb3goyp.dsj.exe	48
PID 2208 wrote to memory of 2892	2208	fbb3goyp.dsj.exe	49
PID 2208 wrote to memory of 3008	2208	fbb3goyp.dsj.exe	50
PID 2208 wrote to memory of 3132	2208	fbb3goyp.dsj.exe	51
PID 2208 wrote to memory of 3320	2208	fbb3goyp.dsj.exe	52
PID 2208 wrote to memory of 3500	2208	fbb3goyp.dsj.exe	53
PID 2208 wrote to memory of 3552	2208	fbb3goyp.dsj.exe	54
PID 2208 wrote to memory of 3896	2208	fbb3goyp.dsj.exe	57
PID 2208 wrote to memory of 3968	2208	fbb3goyp.dsj.exe	58
PID 2208 wrote to memory of 4016	2208	fbb3goyp.dsj.exe	59
PID 2208 wrote to memory of 4056	2208	fbb3goyp.dsj.exe	60
PID 2208 wrote to memory of 4248	2208	fbb3goyp.dsj.exe	61
PID 2208 wrote to memory of 4500	2208	fbb3goyp.dsj.exe	62
PID 2208 wrote to memory of 5576	2208	fbb3goyp.dsj.exe	65
PID 2208 wrote to memory of 5728	2208	fbb3goyp.dsj.exe	66
PID 2208 wrote to memory of 3416	2208	fbb3goyp.dsj.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:552

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1608
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3008

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3320
- C:\Users\Admin\AppData\Local\Temp\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Roaming\xmrig.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\xmrig' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Expand-Archive -Path C:\Users\Admin\AppData\Roaming\xmrig.zip -DestinationPath C:\Users\Admin\AppData\Roaming\xmrig -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe
    "C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\fbb3goyp.dsj.exe
      "C:\Users\Admin\AppData\Local\Temp\fbb3goyp.dsj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\z12ibzlu.n0p.exe
      "C:\Users\Admin\AppData\Local\Temp\z12ibzlu.n0p.exe"
      4⤵
      Executes dropped EXE
      PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3416

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5228

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4360

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2292

C:\Windows\system32\DllHost.exe
"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}
1⤵
PID:2884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4604

C:\Windows\system32\DllHost.exe
"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}
1⤵
PID:1188

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
ebfcb00529ad09551c354330b3cfcdfa

SHA1
3a151f3d637c409c1cf19b398aa1a628eb7ec0a4

SHA256
c9ec55790056d096f74d1a3cb3bd91b9cf0bafb566451e5bddafb6aa0f1188cd

SHA512
c20214613fce0c6b3aab50a70b9bbf30000a891305ecd201c321829a94cd0ce147c778df6b0134c487dc7d57020d50fb8d6fbb0f04ef8461e82768c16418b419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
cb06b7be3314e402026ef79129fbc201

SHA1
c4aca9e012afad033efd2e9737bb7f8aca283afb

SHA256
c291b38e7647a28c33cbb257a06cc8dce145fec95ec8451489a9e6c558448c95

SHA512
471703225a6f2872c5bb4d2654fe79962a1f1b91f49637629a7f8a39c4143f522feafca8f00b24e424a23b8eb5b6784c7410d5c6144685676440ff12d8781c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
1273f02d16367c29e0c8ab5f109a5834

SHA1
29112b1cb9d09780a5300ec9720204638f192645

SHA256
90b7cd379bfe5670a31c0d40ba82bf2cd820e4bed4ba4e8b9a0b68dc5cf8cce0

SHA512
64dc546f1750f0ce6503194789626e77c3d9d5a548b7b57483c90c03e4ba2c4bd2e0b29dab8ac229b081a6b6c37b6125b5e759cd27c942941dae7c94344e6125

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E

Filesize
476B

MD5
babe540a35ac204bfc3d674146d0e584

SHA1
54a2de5ee0778fa61df8d1a5bcac17cff7a90065

SHA256
7c6e03d0c6975cd8b61a02801dca3a25e98f1691c9942bb6f6c528f905fc15de

SHA512
e980d52c60ae11c3958cbba14a31cc422adcb6b581f0d57f2f7e26f7bdda6b8bb4b3656c792caf6604ebe7780073434da50f933f732658f65d922f63db42ee7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
49c8e2972f02d4af2b7c3aad9853228d

SHA1
43496c2b1db1887ae6f24a9a18674276b1e17a7e

SHA256
46e1cd681d887bf12260c46ed770446a31ecf10f62638808a37a9fabed5e5a7a

SHA512
21a4bb2acec41c747e6dbc23522f2a6d9ec9bde94dae292758e44f3d71a2ddd863604760be8bef2e602fde6ce60f5fc9250bdbe67e7484db614b2fa2844af64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oh40t30i.zlc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbb3goyp.dsj.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\z12ibzlu.n0p.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig.zip

Filesize
3.8MB

MD5
9895805962f3b439c3eb845cd30303c6

SHA1
d488cfa52f17c60432813e7906ee812e0ae37fec

SHA256
e30b7057712cdb8760a87b44eb2db03879f4ff54344aaf562e927814b5ce7e5b

SHA512
ec526ca0cc850d03d220c46f9b592045983c392edc30a5cdee5157fe1ea38711f49a475e566c7e2017956f1aa6b1c64a9a4565a26bd466f5ac679aae728c98ce

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe

Filesize
9.3MB

MD5
72107c3009343491bdbd5a2bf27e0d17

SHA1
79ae9dd4ffc65810342c093fb3dd1413a830660d

SHA256
9af0d7469bffba8aea58c666b94ae68e34373f554ba8a145ec5fcc78baf0e6c6

SHA512
eab28e887aeb275527f4d4fa9a7ccd69dfaf21d249005eb9c9a9c098ca062cfabed02da2133e84c0b6109fbd4b6358e905199c24cdc9bb41799e63ccfbe3768e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
4b030ca7965a657b8fcd0ad7146785c4

SHA1
3b92b05b24eaa844a011c395f563b7e57138bb20

SHA256
b166929f6d12b36452b4d074e6571b9e8f78fc81cad0492706abba1e1d23f957

SHA512
f2e2395e260c21b6d65659fffc62dae47e35da32d95b9980562a01266bf060ac82e1c4f580b4ef354cbb9ef09f0b0974b5cf041c3fd19e42f8ff789789a5bf8e

Download Submit
memory/452-109-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/452-108-0x000001FB80FA0000-0x000001FB80FCB000-memory.dmp

Filesize
172KB

Download
memory/552-96-0x000001A2FC150000-0x000001A2FC17B000-memory.dmp

Filesize
172KB

Download
memory/552-97-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/632-86-0x000001E276530000-0x000001E276555000-memory.dmp

Filesize
148KB

Download
memory/632-87-0x000001E276560000-0x000001E27658B000-memory.dmp

Filesize
172KB

Download
memory/632-88-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/688-92-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/688-91-0x000001F628DB0000-0x000001F628DDB000-memory.dmp

Filesize
172KB

Download
memory/716-120-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/716-119-0x000001EF976B0000-0x000001EF976DB000-memory.dmp

Filesize
172KB

Download
memory/988-100-0x00000139138A0000-0x00000139138CB000-memory.dmp

Filesize
172KB

Download
memory/988-102-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1060-123-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1060-122-0x0000029475D40000-0x0000029475D6B000-memory.dmp

Filesize
172KB

Download
memory/1140-125-0x0000023265990000-0x00000232659BB000-memory.dmp

Filesize
172KB

Download
memory/1140-126-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1192-129-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1192-128-0x000002ACA7B60000-0x000002ACA7B8B000-memory.dmp

Filesize
172KB

Download
memory/1204-132-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1204-131-0x000001F807E90000-0x000001F807EBB000-memory.dmp

Filesize
172KB

Download
memory/1228-135-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1228-134-0x0000015133360000-0x000001513338B000-memory.dmp

Filesize
172KB

Download
memory/1336-137-0x000001C912A70000-0x000001C912A9B000-memory.dmp

Filesize
172KB

Download
memory/1336-138-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/1348-140-0x0000017AED5A0000-0x0000017AED5CB000-memory.dmp

Filesize
172KB

Download
memory/1348-141-0x00007FF7FDE90000-0x00007FF7FDEA0000-memory.dmp

Filesize
64KB

Download
memory/2208-80-0x00007FF83DE00000-0x00007FF83E009000-memory.dmp

Filesize
2.0MB

Download
memory/2208-81-0x00007FF83CD10000-0x00007FF83CDCD000-memory.dmp

Filesize
756KB

Download
memory/2652-39-0x000002BF45A00000-0x000002BF45A0A000-memory.dmp

Filesize
40KB

Download
memory/2652-38-0x000002BF45A10000-0x000002BF45A22000-memory.dmp

Filesize
72KB

Download
memory/2732-18-0x00007FF81CD93000-0x00007FF81CD95000-memory.dmp

Filesize
8KB

Download
memory/2732-27-0x0000020B35110000-0x0000020B35132000-memory.dmp

Filesize
136KB

Download
memory/2732-28-0x00007FF81CD90000-0x00007FF81D852000-memory.dmp

Filesize
10.8MB

Download
memory/2732-29-0x00007FF81CD90000-0x00007FF81D852000-memory.dmp

Filesize
10.8MB

Download
memory/2732-66-0x00007FF81CD90000-0x00007FF81D852000-memory.dmp

Filesize
10.8MB

Download
memory/3824-82-0x000002001E6C0000-0x000002001F2F4000-memory.dmp

Filesize
12.2MB

Download
memory/3824-333-0x000002001F200000-0x000002001F20E000-memory.dmp

Filesize
56KB

Download
memory/3824-70-0x00000200034F0000-0x0000020003E36000-memory.dmp

Filesize
9.3MB

Download
memory/3824-71-0x0000020004280000-0x00000200042AC000-memory.dmp

Filesize
176KB

Download