stormkitty | 3e4cbe1810496aff2ef544d0aa0b5f8d1c69e2a4e86c21921348ede7a9db3967

Analysis

max time kernel
1800s
max time network
1795s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XwormLoader.exe
Size

7.8MB
MD5

f194b7e7fdbfe0fbf70673937337dc05
SHA1

ca1fb45e83d267ce039a4639181b5f790f5b3241
SHA256

3e4cbe1810496aff2ef544d0aa0b5f8d1c69e2a4e86c21921348ede7a9db3967
SHA512

d63a5d2c84b42944820622fae2bc1cb681ea1e709b9972c35bfca28e198bc18f86f63718b62e50aafa59005df13f2d0f6edd017947133a2cd53688a7cd5844e2
SSDEEP

196608:W7b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr5:W7yvRZBEP3xZi5Oso+PWbXooL4Sa

Score

10^/10

stormkitty xworm evasion execution rat spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3016-51-0x0000000000EA0000-0x0000000000EAE000-memory.dmp	disable_win_def

Detect Xworm Payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral1/memory/3016-9-0x0000000001080000-0x00000000010AA000-memory.dmp	family_xworm
behavioral1/memory/536-63-0x0000000000AC0000-0x0000000000AEA000-memory.dmp	family_xworm
behavioral1/memory/2208-91-0x0000000000D30000-0x0000000000D5A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\sozzao.exe	family_xworm
behavioral1/memory/1192-97-0x0000000000820000-0x000000000084A000-memory.dmp	family_xworm
behavioral1/memory/2496-127-0x00000000002F0000-0x000000000031A000-memory.dmp	family_xworm

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection = 22020100	svchost.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-65-0x000000001C730000-0x000000001C850000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs

Processes:

update.exeupdater.exe

description	pid	process	target process
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 2076 created 1380	2076	update.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE
PID 1704 created 1380	1704	updater.exe	Explorer.EXE

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
772	powershell.exe
2668	powershell.exe
2464	powershell.exe
1640	powershell.exe
2952	powershell.exe
1740	powershell.exe
1608	powershell.exe
2080	powershell.exe
112	powershell.exe
2592	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 7 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	net_reactor
behavioral1/memory/3016-9-0x0000000001080000-0x00000000010AA000-memory.dmp	net_reactor
behavioral1/memory/536-63-0x0000000000AC0000-0x0000000000AEA000-memory.dmp	net_reactor
behavioral1/memory/2208-91-0x0000000000D30000-0x0000000000D5A000-memory.dmp	net_reactor
C:\Users\Admin\AppData\Local\Temp\sozzao.exe	net_reactor
behavioral1/memory/1192-97-0x0000000000820000-0x000000000084A000-memory.dmp	net_reactor
behavioral1/memory/2496-127-0x00000000002F0000-0x000000000031A000-memory.dmp	net_reactor

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2632 cmd.exe

pid	process
2632	cmd.exe

Drops startup file 2 IoCs

Processes:

sozzao.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ondrive.lnk	sozzao.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ondrive.lnk	sozzao.exe

Executes dropped EXE 8 IoCs

Processes:

svchost.exeXworm V5.6.exesvchost.exesvchost.exesozzao.exesvchost.exeupdate.exeupdater.exe

pid process

3016 svchost.exe
2616 Xworm V5.6.exe
536 svchost.exe
2208 svchost.exe
1192 sozzao.exe
2496 svchost.exe
2076 update.exe
1704 updater.exe
Loads dropped DLL 3 IoCs

Processes:

sozzao.exeservices.exe

pid process

1192 sozzao.exe
1192 sozzao.exe
484 services.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3016	svchost.exe
2616	Xworm V5.6.exe
536	svchost.exe
2208	svchost.exe
1192	sozzao.exe
2496	svchost.exe
2076	update.exe
1704	updater.exe

pid	process
1192	sozzao.exe
1192	sozzao.exe
484	services.exe

Drops file in System32 directory 7 IoCs

Processes:

svchost.exeservices.exepowershell.exesvchost.exepowershell.exe

description	ioc	process
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\logfiles\scm\75a3b7aa-92b9-4678-8e26-4b5d84c6255a	services.exe
File opened for modification	C:\Windows\system32\logfiles\scm\75a3b7aa-92b9-4678-8e26-4b5d84c6255a	services.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

update.exeupdater.exe

description	pid	process	target process
PID 2076 set thread context of 380	2076	update.exe	dialer.exe
PID 1704 set thread context of 2520	1704	updater.exe	dialer.exe
PID 1704 set thread context of 2032	1704	updater.exe	dialer.exe
PID 1704 set thread context of 3044	1704	updater.exe	dialer.exe

Drops file in Program Files directory 2 IoCs

Processes:

sozzao.exeupdate.exe

description ioc process

File created C:\Program Files\Google\Chrome\update.exe sozzao.exe
File created C:\Program Files\Google\Chrome\updater.exe update.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\update.exe	sozzao.exe
File created	C:\Program Files\Google\Chrome\updater.exe	update.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exesppsvc.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat	sppsvc.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2872 sc.exe
2224 sc.exe
284 sc.exe
3036 sc.exe
1572 sc.exe
1184 sc.exe
1776 sc.exe
3008 sc.exe
2476 sc.exe
2864 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2872	sc.exe
2224	sc.exe
284	sc.exe
3036	sc.exe
1572	sc.exe
1184	sc.exe
1776	sc.exe
3008	sc.exe
2476	sc.exe
2864	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2852 schtasks.exe
1340 schtasks.exe
2900 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2148 timeout.exe
2776 timeout.exe

pid	process
2852	schtasks.exe
1340	schtasks.exe
2900	schtasks.exe

pid	process
2148	timeout.exe
2776	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40be55fd71abda01	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

svchost.exesozzao.exe

pid process

3016 svchost.exe
1192 sozzao.exe

pid	process
3016	svchost.exe
1192	sozzao.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exesozzao.exeupdate.exepowershell.exedialer.exeupdater.exepowershell.exe

pid	process
2952	powershell.exe
2592	powershell.exe
1740	powershell.exe
1608	powershell.exe
3016	svchost.exe
772	powershell.exe
2080	powershell.exe
2668	powershell.exe
2464	powershell.exe
1192	sozzao.exe
2076	update.exe
2076	update.exe
1640	powershell.exe
2076	update.exe
2076	update.exe
2076	update.exe
2076	update.exe
2076	update.exe
2076	update.exe
2076	update.exe
2076	update.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
2076	update.exe
2076	update.exe
2076	update.exe
2076	update.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
1704	updater.exe
1704	updater.exe
380	dialer.exe
380	dialer.exe
112	powershell.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe
380	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sozzao.exe

pid process

1192 sozzao.exe

pid	process
1192	sozzao.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exesozzao.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowershell.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exedialer.exe

description	pid	process
Token: SeDebugPrivilege	3016	svchost.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	536	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	1192	sozzao.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1192	sozzao.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeDebugPrivilege	380	dialer.exe
Token: SeShutdownPrivilege	2428	powercfg.exe
Token: SeShutdownPrivilege	2052	powercfg.exe
Token: SeShutdownPrivilege	1732	powercfg.exe
Token: SeAuditPrivilege	868	svchost.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeShutdownPrivilege	1736	powercfg.exe
Token: SeDebugPrivilege	2520	dialer.exe
Token: SeShutdownPrivilege	2052	powercfg.exe
Token: SeShutdownPrivilege	452	powercfg.exe
Token: SeShutdownPrivilege	2668	powercfg.exe
Token: SeLockMemoryPrivilege	3044	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesozzao.exe

pid process

3016 svchost.exe
1192 sozzao.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

868 svchost.exe

pid	process
3016	svchost.exe
1192	sozzao.exe

pid	process
868	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XwormLoader.execmd.exesvchost.exeXworm V5.6.exetaskeng.exesozzao.execmd.exe

description	pid	process	target process
PID 2848 wrote to memory of 3016	2848	XwormLoader.exe	svchost.exe
PID 2848 wrote to memory of 3016	2848	XwormLoader.exe	svchost.exe
PID 2848 wrote to memory of 3016	2848	XwormLoader.exe	svchost.exe
PID 2848 wrote to memory of 2616	2848	XwormLoader.exe	Xworm V5.6.exe
PID 2848 wrote to memory of 2616	2848	XwormLoader.exe	Xworm V5.6.exe
PID 2848 wrote to memory of 2616	2848	XwormLoader.exe	Xworm V5.6.exe
PID 2848 wrote to memory of 2632	2848	XwormLoader.exe	cmd.exe
PID 2848 wrote to memory of 2632	2848	XwormLoader.exe	cmd.exe
PID 2848 wrote to memory of 2632	2848	XwormLoader.exe	cmd.exe
PID 2632 wrote to memory of 2148	2632	cmd.exe	timeout.exe
PID 2632 wrote to memory of 2148	2632	cmd.exe	timeout.exe
PID 2632 wrote to memory of 2148	2632	cmd.exe	timeout.exe
PID 3016 wrote to memory of 2952	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2952	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2952	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2592	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2592	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2592	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1740	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1740	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1740	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1608	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1608	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1608	3016	svchost.exe	powershell.exe
PID 2616 wrote to memory of 1832	2616	Xworm V5.6.exe	WerFault.exe
PID 2616 wrote to memory of 1832	2616	Xworm V5.6.exe	WerFault.exe
PID 2616 wrote to memory of 1832	2616	Xworm V5.6.exe	WerFault.exe
PID 3016 wrote to memory of 2852	3016	svchost.exe	schtasks.exe
PID 3016 wrote to memory of 2852	3016	svchost.exe	schtasks.exe
PID 3016 wrote to memory of 2852	3016	svchost.exe	schtasks.exe
PID 1964 wrote to memory of 536	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 536	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 536	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 2208	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 2208	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 2208	1964	taskeng.exe	svchost.exe
PID 3016 wrote to memory of 1192	3016	svchost.exe	sozzao.exe
PID 3016 wrote to memory of 1192	3016	svchost.exe	sozzao.exe
PID 3016 wrote to memory of 1192	3016	svchost.exe	sozzao.exe
PID 1192 wrote to memory of 772	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 772	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 772	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2080	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2080	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2080	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2668	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2668	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2668	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2464	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2464	1192	sozzao.exe	powershell.exe
PID 1192 wrote to memory of 2464	1192	sozzao.exe	powershell.exe
PID 1964 wrote to memory of 2496	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 2496	1964	taskeng.exe	svchost.exe
PID 1964 wrote to memory of 2496	1964	taskeng.exe	svchost.exe
PID 3016 wrote to memory of 1760	3016	svchost.exe	schtasks.exe
PID 3016 wrote to memory of 1760	3016	svchost.exe	schtasks.exe
PID 3016 wrote to memory of 1760	3016	svchost.exe	schtasks.exe
PID 3016 wrote to memory of 1656	3016	svchost.exe	cmd.exe
PID 3016 wrote to memory of 1656	3016	svchost.exe	cmd.exe
PID 3016 wrote to memory of 1656	3016	svchost.exe	cmd.exe
PID 1656 wrote to memory of 2776	1656	cmd.exe	timeout.exe
PID 1656 wrote to memory of 2776	1656	cmd.exe	timeout.exe
PID 1656 wrote to memory of 2776	1656	cmd.exe	timeout.exe
PID 1192 wrote to memory of 2076	1192	sozzao.exe	update.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:612

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
3⤵
PID:1500

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
- Checks processor information in registry
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Modifies security service
- Drops file in System32 directory
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:868

C:\Windows\system32\taskeng.exe
taskeng.exe {8CEF7126-DCCB-4FCC-9580-6CEC9BF6D47E} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:356

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2324

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
- Drops file in Windows directory
PID:3024

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
4⤵
- Creates scheduled task(s)
PID:2852

C:\Users\Admin\AppData\Local\Temp\sozzao.exe
"C:\Users\Admin\AppData\Local\Temp\sozzao.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sozzao.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sozzao.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Ondrive.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files\Google\Chrome\update.exe
"C:\Program Files\Google\Chrome\update.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
4⤵
PID:1760

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DEC.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2776

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2616 -s 732
4⤵
PID:1832

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp11AD.tmp.bat""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:1476

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2872

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1184

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2224

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1776

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3008

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2924

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1188

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\zdhuivwavzqu.xml"
2⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:1624

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2476

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:284

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3036

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1572

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2864

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1608

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\zdhuivwavzqu.xml"
2⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:2032

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-448444456-957244297877038612-2045505953-20168824881095505574-5782661802144695146"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5634283182112582000-166126394-162655148318632174071394229022-2573435211943600724"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1231666545-137022879220496855651447157343-1918331168-2042382737116287251342082053"
1⤵
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-437571097-18529927382095581640803684173-45747330114218455431682419604-525664497"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1203135661671385132-1525278695709114938-6303456032015526221-287446537-102353848"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1822313764-813580497-694655167-2569327661382875840-13630208651357693498-986473424"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2072069138-92610115962349453521423162001502399822-15555582461898796787708725882"
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
db51a102eab752762748a2dec8f7f67a

SHA1
194688ec1511b83063f7b0167ae250764b7591d1

SHA256
93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

SHA512
fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sozzao.exe

Filesize
140KB

MD5
b4d62774b44669cc345066a87a2b2a42

SHA1
2bc73ff9b130e10064194211871bc7f8ac4afa73

SHA256
b49b08890fbd098b29b47ff576fbc13548eb04434f9c8e73a9a683a17cd6a4bc

SHA512
bab65e9c63a94ef6b6625aea1ccc3016168f5f3bbad5c150f54cb83326ce74bdc1badf13451337263a8e69f26239c197b1e6b491508f807e2200131c39292235

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
144KB

MD5
4b90399888a12fb85ccc3d0190d5a1d3

SHA1
3326c027bac28b9480b0c7f621481a6cc033db4e

SHA256
cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

SHA512
899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11AD.tmp.bat

Filesize
163B

MD5
eb6f193a9f494642f718393ea7551630

SHA1
073ee2809090d1cacf5019f1da694c616dce79f0

SHA256
acf1d605ad20764e866a8e03d550d4fdf075cda6c10a6e8af1fb20aea7792c02

SHA512
bd997a760afad1987549660d085effef69201ed6c10cefe671b4e50191f78f14e0d832e5cea778865bd6b204557f2247821e2b851f217fa8cda2d9bb6d67385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DEC.tmp.bat

Filesize
159B

MD5
bd73fe40f73b460176d6f506fe2c461c

SHA1
5168cbcdf8755e9edae82986657970837086a5b6

SHA256
8f9ddee6d774f5ef0920fbe63a8ec9d2ea2d36d676c666239b9cd51dd8884c33

SHA512
87be2f4589b0c11ff892742ac65750ba0218e727cb57f0715255684d70ff48d2bcf2512ebd0a0511fa09022b3c823268725e1977313d99b52fd5697f3c74dee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdhuivwavzqu.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf5dc66ac04f86caa50549fbfcdc4229

SHA1
9402cf58c159fa87fc2ef80cb99d800b8ec74e7c

SHA256
67e12888cca6606e974cae37d87d2bccb15688ff1e9f243a110d8302e6ce827b

SHA512
fa85f08df9c15104e39a527bc08976e2038afb1616440b31da46ecb8d7c8d9c896f1095d6d36c8fe2616c2ca3bd32f61bba26db5e00b166607bd36193223fa61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b1c8c8e4f4bf5ab7da41960ee7999e05

SHA1
afcb1b717c8b9cc253d94f4ab43f9eb8dda519cf

SHA256
842ed44c5f8017e10d3f39baaced6bd3a859becb658b32797ebcf9096fe69e85

SHA512
0c95a48d78f4be6c49e62fb509cb5da704c4cad96bddc9f30bb9bbcd76377b72ad31368dd4bf3f1cebcb0d177137fa91b3b248402b1e7c3871df9fede3925d59

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
2KB

MD5
358e489c69a8521a66a403c7ad542b9c

SHA1
1377e6114996ec394de1045e6807f297e0879358

SHA256
a15b2504490e51391c99243904d37c299cb5aeab207b41c5463195ad4321dc75

SHA512
ac86aea08341604c8d9b9f0361b41dcae8c24aaef512b48e0ec9834a7c18ca8a21a885040c5ff397c015c8b74948fdc6771c10c807238a4947bdddae8daaa5bc

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\update.exe

Filesize
5.5MB

MD5
d581ba841dae5547c0b2bb9dd5f915c1

SHA1
901d757ce25e6d4dc838f702a7bd4d8b4d6654a9

SHA256
38311e5202dfa9b1f947920a64a53dd786e3265b12ee8b4d4ad8d55853530eec

SHA512
9af1ddf96a37021a6111b651deef74a7357316de9a69ef4e367f599fc7cfaee707d865f7fd0eab224d48b79759f61d2c76b473a36ec2a9e2c2da3e3d27b69623

Download Submit
\Users\Admin\AppData\Local\Temp\tmpC19A.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/380-156-0x0000000077380000-0x000000007749F000-memory.dmp

Filesize
1.1MB

Download
memory/380-155-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/436-164-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/436-163-0x0000000000DF0000-0x0000000000E1B000-memory.dmp

Filesize
172KB

Download
memory/436-157-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/436-165-0x00000000375E0000-0x00000000375F0000-memory.dmp

Filesize
64KB

Download
memory/436-159-0x0000000000C90000-0x0000000000CB4000-memory.dmp

Filesize
144KB

Download
memory/484-168-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/484-169-0x00000000375E0000-0x00000000375F0000-memory.dmp

Filesize
64KB

Download
memory/484-167-0x0000000000060000-0x000000000008B000-memory.dmp

Filesize
172KB

Download
memory/492-185-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/492-182-0x00000000009D0000-0x00000000009FB000-memory.dmp

Filesize
172KB

Download
memory/492-186-0x00000000375E0000-0x00000000375F0000-memory.dmp

Filesize
64KB

Download
memory/536-63-0x0000000000AC0000-0x0000000000AEA000-memory.dmp

Filesize
168KB

Download
memory/612-205-0x0000000000540000-0x000000000056B000-memory.dmp

Filesize
172KB

Download
memory/612-207-0x00000000375E0000-0x00000000375F0000-memory.dmp

Filesize
64KB

Download
memory/612-206-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/688-218-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/688-209-0x0000000000460000-0x000000000048B000-memory.dmp

Filesize
172KB

Download
memory/760-213-0x00000000375E0000-0x00000000375F0000-memory.dmp

Filesize
64KB

Download
memory/760-210-0x0000000000D60000-0x0000000000D8B000-memory.dmp

Filesize
172KB

Download
memory/760-212-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/772-104-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/828-215-0x000007FEBDFB0000-0x000007FEBDFC0000-memory.dmp

Filesize
64KB

Download
memory/828-211-0x0000000000BE0000-0x0000000000C0B000-memory.dmp

Filesize
172KB

Download
memory/828-216-0x00000000375E0000-0x00000000375F0000-memory.dmp

Filesize
64KB

Download
memory/1192-136-0x0000000002120000-0x000000000215A000-memory.dmp

Filesize
232KB

Download
memory/1192-142-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/1192-143-0x000000001C390000-0x000000001C440000-memory.dmp

Filesize
704KB

Download
memory/1192-97-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/2208-91-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/2496-127-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/2592-36-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2592-37-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/2616-22-0x0000000001120000-0x0000000002008000-memory.dmp

Filesize
14.9MB

Download
memory/2848-24-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-1-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-0-0x000007FEF5E9E000-0x000007FEF5E9F000-memory.dmp

Filesize
4KB

Download
memory/2952-29-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2952-30-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/3016-65-0x000000001C730000-0x000000001C850000-memory.dmp

Filesize
1.1MB

Download
memory/3016-52-0x000000001CF60000-0x000000001D242000-memory.dmp

Filesize
2.9MB

Download
memory/3016-53-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

Filesize
112KB

Download
memory/3016-51-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/3016-50-0x000007FEF3543000-0x000007FEF3544000-memory.dmp

Filesize
4KB

Download
memory/3016-55-0x0000000001020000-0x0000000001028000-memory.dmp

Filesize
32KB

Download
memory/3016-54-0x0000000000ED0000-0x0000000000F18000-memory.dmp

Filesize
288KB

Download
memory/3016-56-0x000000001BA80000-0x000000001BB26000-memory.dmp

Filesize
664KB

Download
memory/3016-57-0x0000000001030000-0x0000000001064000-memory.dmp

Filesize
208KB

Download
memory/3016-58-0x000000001AC10000-0x000000001AC5A000-memory.dmp

Filesize
296KB

Download
memory/3016-59-0x000000001AB00000-0x000000001AB16000-memory.dmp

Filesize
88KB

Download
memory/3016-64-0x000000001D770000-0x000000001DAC0000-memory.dmp

Filesize
3.3MB

Download
memory/3016-9-0x0000000001080000-0x00000000010AA000-memory.dmp

Filesize
168KB

Download
memory/3016-8-0x000007FEF3543000-0x000007FEF3544000-memory.dmp

Filesize
4KB

Download
memory/3016-89-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download