Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/05/2024, 07:56
240518-js2a6aaf51 1017/05/2024, 19:50
240517-ykrjbaga59 1017/05/2024, 19:47
240517-yhmscaff8t 10Analysis
-
max time kernel
338s -
max time network
332s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
18/05/2024, 07:56
General
-
Target
https://oxy.st/d/BNQh
Malware Config
Extracted
xworm
pacific-ambient.gl.at.ply.gg:44633
-
Install_directory
%AppData%
-
install_file
WindowsUpdate.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
XMRig Miner payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.st/d/BNQh1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa443cab58,0x7ffa443cab68,0x7ffa443cab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3776 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4320 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4124 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4868 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3576 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4632 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4692 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Nitama External.exe"C:\Users\Admin\Downloads\Nitama External.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitama External.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nitama External.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdate.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2756 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2400 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5592 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=2396 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1524 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4980 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5152 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4928 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5700 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5108 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3152 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29249:108:7zEvent48901⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\xmrig-6.21.3\benchmark_10M.cmd"1⤵
-
C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exexmrig.exe --bench=10M --submit2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\xmrig-6.21.3\start.cmd" "1⤵
-
C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exexmrig.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\msinfo32.exe"C:\Windows\system32\msinfo32.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\WindowsUpdate.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
Filesize
4KB
MD5bc35d5e7c41acc40584abe83e2ee0992
SHA15757ae9e1b7c94dd9c845461be42ae9615373171
SHA256e6792b60c98b4b1be1ac16ddd9a7d4631b13913cbdf4b2d5e30e95859eccb15b
SHA5129f5acf949d4ee0c206edddc405d1ded652ee712545e28edeecae186c19fe524bdda2484cc0546a577cc38aa426146926a52aa57b43556b768c9108a08d2a4148
-
Filesize
864B
MD518f14cf4ebeafd5631eaec758b19fd56
SHA147222d1365a4f603b71320bc74906d9fe09447e2
SHA2565befec75ebc9ce0ebe5a298c223e5609cc5b8f666e5e26828df4fd4c6609a355
SHA5129defb5813301e3e477cf742f2ca824980bbe238980fc318338b4f25214cd19a843653643b02a8ea9dcebb28968d1979dbf8f9b4f0ef34db0baab1e074c15d4ae
-
Filesize
2KB
MD528d3393809291bba8a59fee414e093ec
SHA1bac8aead7ed9415026a958432cc30a97bc2d36e6
SHA256d87c7a68efb9e166cbbe4f69a0017f15478be7d0153b89cd92e680fc24bfe28e
SHA512fda14392f7912c6ebf430a410cc0e1192f28b3335126e30c56bf92560c7398b54e69563d1f356a4e1e2860a7f4527b5a2aa7e4e7d797e174b4bed3aceab5347b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
7KB
MD5d7f2db0c5feaaefb9674155242428071
SHA1d50da3651bced58772db060f0a21e5b140e498a3
SHA256c05cacc9e70cc7b6c3420606231e8b1a45c2701742daf7076087c35853f6d207
SHA5124ffdd8f9e17371104eb53b505b4ab8525a3acbe84b9d80e4e27ff887a3b74e8b85a82be0dd5c2db252b922e9badfffa53b1ee66e175dd6e2351eb0bb49540030
-
Filesize
7KB
MD52787834245ba1f33c33504489b85547b
SHA158f0dcb63ab73e2a2acec230c99caf51c08a372d
SHA256eaba270c5531635169caa6591b16952d8bcaceb1e4e2da2d1a57b67654c0d993
SHA5122e6f9838d06e1520581887ed05a8384f70e824b95c459b53f65d5208ff1ff4a8cdf19963fe24151ea742e5009528504ecc8f946a68fbb5ddf3fe900f76b76beb
-
Filesize
7KB
MD53f5cb804ebd8cc3bfd7476dd874aaa58
SHA12fd5ced9411a59efaf44d3ae382991a0aec5458e
SHA256b07d7a2975fd94810ff137997b1b4a49d2d0d32592b1c7561b0779026b2f4f6c
SHA51285b635b993fdbe5d7361f85f8e8b61bd63d6a074846cc21aa6f5604bd4b83e802027ead4707d137e896a3bfdeec0ff40ab101f939a5674c24fac94013869afd6
-
Filesize
4KB
MD5304cff57f84b93408340da5d6cb82aa2
SHA1b1862042fdf3f0e7f1812a0d4526a2c22d08f71e
SHA2561fccb0feec772cef5c745d4ca2d141714e967d0ec55803a0ae4ca1f56119c565
SHA5120275e43799a52b014f738eebd2efa42b9f175e600b793e844226c5d51cc0bc4091e4ea87863443163e1abaf000abe39ee8f69ab48826ced47e2ebc507426a29e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5402dd309639be3667f6238235b8da1c9
SHA126df2c0c0bb386abc9f7c06da63ba7420419c859
SHA2566f244685be6f4c717dc4cb2534ce65bf3e55a12b8be93c8c91361ae107bbf525
SHA5120f0f754b68eff5d81614e0fae15ba96ace692e5a2d5d843535456f0065c5561e33de48e8423051ee1ebe1f1cd7278c19aabab8243d55b39e56e6d4e355a3b44c
-
Filesize
3KB
MD507fa4fe40e4ac1a859de36ee08b8bd20
SHA15dee8342141138000f79eeff16a2ee5db342b138
SHA256fa35eb3b85f8934da857de26f5f29b5795a76beb92790b28fba6e821f26f88b5
SHA512d9dd6c08c620519d668cc77502782f0d83edebc19e271626e8c1a7d1a6f0c75fc4aed2571f960bcd9b49428f5aafe93075aa7db98c6aec265f54a3435771c1f9
-
Filesize
3KB
MD5ceed8d88ce70b36af14ce2a8fa31d052
SHA176c96a1462a5714990edcfcbd1b2b15a4ff39ff3
SHA256a1d1770bad97a3dabef38967bdc67d4caf3433f0fb407644bfefb775ba2caa33
SHA51289106ce6902d5d2e04c4be7236561d48597de8c712dcecc5b9327b057c2b6256f03625c59a306d19506ed86b2472c54e6f5010d0e0e509c8f62f143aa067b397
-
Filesize
3KB
MD577764eb1725a0fcfc19c6cd019bfc9fa
SHA17cceea11b3ec9ea697a4662a6330436b923fe6ab
SHA256bf001fae5779fcfb77bc25f5f1ef02cd6b2d1ff225a02ac8299c45a1c5bce84b
SHA512d17b7762be165f06ec3f3ae6a780e46e7f9296b153b9620fef3c1f02e8800a4c0446b74258b95deba875afa62d983b74f6957dd6b750f2b004dba22643b62407
-
Filesize
2KB
MD552cd85530d732871670e4d8c555004e0
SHA13652bac98d37dbebe22ae672826ee3a25289923e
SHA256cbb51eedc1c46d60c0603cb2a834a269de84f3a422da602737fbc57e925985ec
SHA51261d2583e301b0e09e5b1009a615c787d96493179fccdc57fba429607a0b75044878da1fd40a6e0bd4343cc1f0bc07571456b3f21beb23f6fff369f4b6890a659
-
Filesize
2KB
MD53465a7e32ad3056def1a480822b9a72a
SHA1588b972e7a362f4e13056fe2241e429343eb2817
SHA256c5325816880e21752194ccab631f5b916d1983fdd97f38b7e808c6714c3a76f6
SHA51234fe60c2b57d5c4e800e1d5fc4166ac7b4f784ba15d2687a7a2eebd467c10e73ef4ebe5dae2bd6d4f519b1acbb191cdecffa529410af480fed0a670b6aa1fb2f
-
Filesize
1KB
MD5d74261212b0168ecbe41b17ec0b3459f
SHA1cbd846e8badf5b7f303e8cb074ae939bd036f17d
SHA256f076e3fc02fc10898024e671a99b25a6e1184fabe9ea1e0fc97d168fb990adc3
SHA5126ca4419123e95340f191889ac647f520666fae90b2d5c65ea0429bda8f4f87dc4beb92e18944133afdc14932c16ab703e17f02899a3d24ffe48af7671bfc3b4b
-
Filesize
3KB
MD5b494e3bfba9680b2715af4be2640e3b4
SHA13f9e7de22ece31905d714bf4ce2db26d3596b61e
SHA256de56a7ac7a09552c6784729fcd692bd5fcbd6bdb96913171236ee05bc4bbb729
SHA512568afe109d9012a9babd6541b4a9156b4eb394e87e5a5d2f1ad57e1172d1f513da0951aaa1dbd417598578e60a135eaf6e13e6aa8c9c6241857decf9142ff76f
-
Filesize
3KB
MD554da9c0707d2360d74f146f05f5abc76
SHA14aa22a1dcec33067146cde04cbb908935a9098ab
SHA256bf5eff27abe46ba859d775282d15cfed73bf324b1aff718bd74e86513aa1d98a
SHA512b48c1173261351f4992684dc816ecb4a5bf99eec36c1897590aa439b0a63b8d227daa30e7329b59a6abf9022fe94a30712afd164e086a841d075f628d4aeda2a
-
Filesize
3KB
MD5e31fc2fd1588be94177065319833a2b6
SHA1384b77f0e9f68399bb1539806a8e156916438be7
SHA256a95561ca960b1b5c4d5afa203f4627900c612bd50e929cf3ad3384bba3ed1255
SHA5120e87f1bd18ca29eb5bfc565a90066a8c54a638b94b5692002f5cfa94ee647ba65ef44690a88dd0c341dcfe9afa3485c7b2ed7edf24fd223b40f432dfabd3dd7c
-
Filesize
7KB
MD5519a1a4ef1ed926ab92a7fd38d56b2fa
SHA161cf986d6cf9bfffdcc81268c3728961d1901b47
SHA256f189b49898b961c53ed09c81667a74b147fa9fbeba6f1b4a93a9559d4e4fe87b
SHA512281c3a54f8ec85fcfc7329423f5dde53062faac641a467ebbb5d4a9fd8cb19f42ac6f26dd883d3f8ee670dca7b7d7a51ecd272444adb32f9f3cfd8f74f7d878a
-
Filesize
8KB
MD575244e64ba8338a6797aa8e34c6c98ea
SHA18a9c4d50de572e3f95de9eeea6c82cbc702f0857
SHA25604ce74b28e4ca048e3c9c182a03e7634b9ce2b9c8ca93e06c8c95a3668cefcfe
SHA5124669599c9b6d1a1a7935c03bd504df43c9c040296a59b3aa683f2e658f92c578fec7465f671894e1f3922eaf36970ed67f31c8fdf2fc2eb49c17a587335b2dd5
-
Filesize
8KB
MD5f7d945dfe0e4993f28bf410d4d7cc50b
SHA1103b69d1037e1e44960b6d936243ca40256b6a40
SHA2567a7147c584dacf7b89454b0380d162b4368e2cebce22d0ade01ecfac79d999ae
SHA512a9ce920fdeccbc625a897ad6a65280f8e81f3f747f1489c73fa33e09fcd575490fe1b6784bec152119458cbcd62ae8c4312fd7549eb23c8ce341110b07555148
-
Filesize
8KB
MD5422db26944d94549def570b46063b5fb
SHA1563cd2e327b831fe9a57237c9d17be0df9af8b5a
SHA2561e915f153b9102049b21f2da74c3805a22dda2b369905e13153c762f67c9c2e4
SHA512c9cbca91740e1c175a45b220a95f185a510b34fba4fe886ce910e52148de4bb6f2e16b62c334d7e44a1135abcbc57f136c03f709226bfdd9e92d01d04e758920
-
Filesize
7KB
MD5554710174714b2ac7117c5bcf69da13f
SHA18c9f46e590b95051c02b36208b6148fb302ae02f
SHA25603ea0f0069af9520022a10d1e7b7424225beec82461327de892fc554f7ded4e5
SHA512c398eb5e8c54651b3bb23597b2ce31848552314a88e1eb71b774b321e5e7e70004d81c9a677641d1374e47930d7d047841f5391dd1482bb2acf18cdbd5f66596
-
Filesize
8KB
MD5ee2ea3657f0f887e390c0edc8c4aead6
SHA10d1d968ae4fde57ac834666529c43e1adfb58bfa
SHA256e2ab8d617322d2aa04399dc97d870a8a6ae0dd299f412528bf16326fe6ee260f
SHA512d29ef4de57eba3f5a54cdc5036616ff1a6532e90ab6777ee004b93485a7bd71662a0a87ea88a158d65cc310a413af9a3d471a62f4b172e294bc34129b6f49c82
-
Filesize
130KB
MD5980be0cc0573aef15cc33e770b42f59b
SHA18a4832b1c60177460c0eea684faa536651f4c550
SHA256b90d5de4425475a8ba38eb313c766b11222d85eac33fa8dd6ae787883f1c9865
SHA5121c3da1b5324c6d0584974d250fa1376dacb40b3e4227075138d4ba1bf5b79189ab10146c4d935b1d34ca565366ddfda17991f7e6968f49e6d98fe44215cb8dc6
-
Filesize
130KB
MD5a5f0d282fe6ea2aea76ca17e6a5ed896
SHA13cb6fa17a5cf796559559fb8da49b06dfcc8f390
SHA256d67370834655a1e59c547c79243a05fc9a69239a53f4f86cb12ddbdc0efba32d
SHA5126d281b5cc3ea79e330f1506e1c149d28f048d278c0c84ede1b002a27e99b34f13cf9548979e2566e2386cb5f512f0484ea9e5b947a324835b5e93cbaaa98f475
-
Filesize
130KB
MD598e809670688798551219258d29c72f4
SHA13cd3aca2de7c72be8ade166fd33802142dad1c9f
SHA25609832884acbfd85d96e24930649e122e33fed0bafb56017ff8fccf939e95241a
SHA5127e081e315f73aa482d9204271da9fcb44995a1cd9e4ef934e0ac1ae879e2136312d871d7e6123767a270500d0a18679772709ed3f4a4dcc7c1cf6c215e044f98
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5d81a2c2874bbf24d30e051f4afb358c6
SHA13712d23c90915249af49b94dcf1a721ec5aea09a
SHA2564f8549a3eb3dd68100c00f7f84bbd2ece45bf146638ce883ee81908bd282ce9b
SHA512f34490ddf5cc85abb71543612522192a88dfe2bcfad473038c49a48aa095b1ef8f49e49b17e9efe7e4a28cea3d1af4dcbdbc4c232121e90545239c19c768c0b6
-
Filesize
944B
MD5e70d51b7df8fa37bc73c0e70b4e82d34
SHA1b342ac333afab91ec92ce0ab690f17e43d87d661
SHA2561bd613817d479000e6e248c022b3521a8d64484b0e755ded0a2d043c32945730
SHA5126cd05079ba29b479347cac367987c12e97cdb78f547ac3f95f5e84575e7df2bbe4f721fa3c9cda48fb7194f7f765cdbd3898b4c3b9fe646d90549ec726f1cff8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
803B
MD5098a4d2f0cd389fba73e1d6c3af141b1
SHA1037159c15da97fc78ff31bc26398d31329e4522c
SHA25617fe59c7611d9fb2a5d3d7cfaaa31276f06b19ec0bac3c3fd2721bad4981da1f
SHA512b5b6b3fb71f236826f192653929ab6aad007fdc35cef936470eaa86f7bdf20e5265e6ecda2d4b8357b40a1057da285b1ce77eecc8ee2b7885899a4cc64cb2c26
-
Filesize
289KB
MD5b0cc9c8ebff00267407dbe987c1afa16
SHA103602c8e30331fb298e93e3a509d10e143cb79d4
SHA2569af52592476aef1e492a4ddea56cf6be617ee60b82c673bea29f4ee7a7d83718
SHA5127e3510442d889a87f819e811c5f55c08667ee05bd020c8e422fae3a095779dfc8b011730bc82900216e0478fbcf3c6221a31ec41994ef2efacbc5404a71dc9d2
-
Filesize
2.5MB
MD5cef0ae1ab544e40b659261a4e07fe48f
SHA1e5ff855ce3c7726a50eb50a634ff9f406b3df093
SHA256713263085499ae626a6148fab67932c9a69611b21ac3d04cf52a5e23495f902e
SHA5121fb23b385e6cff3653f0b4b397d092c7be4df62899c97e18f675df2024e5f06ef2596fb626b85ae2ef7d7583c5bf54b00dba1a5ad566c2707a669a48d9814ba8
-
Filesize
61B
MD55be1c4cacb5ae37c43527e99a097dc7a
SHA11b2f00fefde9d601764d5d26d5e0fb2b9f58074c
SHA256235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609
SHA51220a9e18bc397fe86514875af4213a02a5831a27671370849f05c2f3ba048bc29fc41ca96f0cb1cc08aaff27bbebf637f30d2ee798cb80ed03080e8c7d8f2d9a1
-
Filesize
2KB
MD566f38c96a4901e7b345787c447842b3e
SHA12aa9b4d1bd2edd5d81bd9725e9318edaee67531f
SHA2562b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec
SHA51271757fad29d6d2a257362ed28cde9f249cc8a14e646dee666c9029ea97c72de689cdf8ed5cf0365195a6a6831fe77d82efe5e2fa555c6cc5078f1f29ae8dd68f
-
Filesize
44B
MD5eaf3a00cc0465f8af471b849ada29843
SHA13042e97874706189aa9704d77c9e74a94e519106
SHA2568e70ef38fe14a2ee2848df3d6f7e260d1caf8cfc15de694d678b8af151d62333
SHA51256b9f3991ae4bad5e06097d095931e746e6b2ac955649a5c793d9f4f6861c6ffc9316b063c34d7a8079af201354c87bf3008bc0fd4321e59b27e1d8120b078cf
-
Filesize
6.1MB
MD5c0f8959614ae06561216158d78a787e5
SHA173167d1fd0cee1c96a6505606d21cbfe4369eb00
SHA256e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0
SHA512a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746
-
Filesize
10.8MB
-
Filesize
312KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB