Malware Analysis Report

2024-11-13 15:39

Sample ID 220928-lmdzsagfep
Target tmp
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex

Windows security bypass

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-28 09:38

Signatures

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-28 09:38

Reported

2022-09-28 09:41

Platform

win7-20220901-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A

Downloads MZ/PE file

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\sysrdsvms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\sysrdsvms.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysrdsvms.exe" C:\Users\Admin\AppData\Local\Temp\2720910907.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File created C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\2720910907.exe N/A
File opened for modification C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\2720910907.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 1760 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 1760 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 1760 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 1220 wrote to memory of 1344 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1546029693.exe
PID 1220 wrote to memory of 1344 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1546029693.exe
PID 1220 wrote to memory of 1344 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1546029693.exe
PID 1220 wrote to memory of 1344 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1546029693.exe
PID 1344 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe C:\Windows\System32\cmd.exe
PID 1344 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe C:\Windows\System32\cmd.exe
PID 1344 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe C:\Windows\System32\cmd.exe
PID 1344 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe C:\Windows\System32\cmd.exe
PID 1344 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe C:\Windows\System32\cmd.exe
PID 1344 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\1546029693.exe C:\Windows\System32\cmd.exe
PID 1912 wrote to memory of 1532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1912 wrote to memory of 1532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1912 wrote to memory of 1532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1052 wrote to memory of 968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1052 wrote to memory of 968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1052 wrote to memory of 968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2024 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\267013931.exe
PID 1220 wrote to memory of 2024 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\267013931.exe
PID 1220 wrote to memory of 2024 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\267013931.exe
PID 1220 wrote to memory of 2024 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\267013931.exe
PID 1220 wrote to memory of 1228 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\2720910907.exe
PID 1220 wrote to memory of 1228 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\2720910907.exe
PID 1220 wrote to memory of 1228 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\2720910907.exe
PID 1220 wrote to memory of 1228 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\2720910907.exe
PID 1228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2720910907.exe C:\Windows\sysrdsvms.exe
PID 1228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2720910907.exe C:\Windows\sysrdsvms.exe
PID 1228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2720910907.exe C:\Windows\sysrdsvms.exe
PID 1228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2720910907.exe C:\Windows\sysrdsvms.exe
PID 2024 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\267013931.exe C:\Users\Admin\AppData\Local\Temp\1176812100.exe
PID 2024 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\267013931.exe C:\Users\Admin\AppData\Local\Temp\1176812100.exe
PID 2024 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\267013931.exe C:\Users\Admin\AppData\Local\Temp\1176812100.exe
PID 2024 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\267013931.exe C:\Users\Admin\AppData\Local\Temp\1176812100.exe
PID 944 wrote to memory of 1532 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\394619085.exe
PID 944 wrote to memory of 1532 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\394619085.exe
PID 944 wrote to memory of 1532 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\394619085.exe
PID 944 wrote to memory of 1532 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\394619085.exe
PID 1532 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe C:\Windows\System32\cmd.exe
PID 1532 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe C:\Windows\System32\cmd.exe
PID 1532 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe C:\Windows\System32\cmd.exe
PID 1532 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe C:\Windows\System32\cmd.exe
PID 1532 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe C:\Windows\System32\cmd.exe
PID 1532 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\394619085.exe C:\Windows\System32\cmd.exe
PID 828 wrote to memory of 616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 828 wrote to memory of 616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 828 wrote to memory of 616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1360 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1360 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1360 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2032 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1176812100.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1176812100.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\1176812100.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2032 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\1176812100.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\1176812100.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\1176812100.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 1940 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\734023711.exe
PID 944 wrote to memory of 1940 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\734023711.exe
PID 944 wrote to memory of 1940 N/A C:\Windows\sysrdsvms.exe C:\Users\Admin\AppData\Local\Temp\734023711.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\1546029693.exe

C:\Users\Admin\AppData\Local\Temp\1546029693.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "User Configuration"

C:\Users\Admin\AppData\Local\Temp\267013931.exe

C:\Users\Admin\AppData\Local\Temp\267013931.exe

C:\Users\Admin\AppData\Local\Temp\2720910907.exe

C:\Users\Admin\AppData\Local\Temp\2720910907.exe

C:\Windows\sysrdsvms.exe

C:\Windows\sysrdsvms.exe

C:\Users\Admin\AppData\Local\Temp\1176812100.exe

C:\Users\Admin\AppData\Local\Temp\1176812100.exe

C:\Users\Admin\AppData\Local\Temp\394619085.exe

C:\Users\Admin\AppData\Local\Temp\394619085.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "User Configuration"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }

C:\Users\Admin\AppData\Local\Temp\734023711.exe

C:\Users\Admin\AppData\Local\Temp\734023711.exe

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC

C:\Windows\system32\taskeng.exe

taskeng.exe {4FCE7D72-71EF-4E8D-933B-3745F908F74E} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'

C:\Windows\system32\cmd.exe

cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"

C:\Windows\system32\cmd.exe

cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Name, VideoProcessor

Network

Country Destination Domain Proto
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
UZ 94.141.68.136:40500 udp
IR 2.184.54.70:40500 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
IN 14.139.242.251:40500 udp
HK 74.119.193.54:40500 udp
IR 188.211.85.37:40500 udp
IR 89.219.213.197:40500 udp
IR 80.210.24.47:40500 udp
UZ 185.4.160.252:40500 tcp
YE 5.255.14.166:40500 udp
AM 94.228.28.169:40500 udp
KZ 88.204.242.226:40500 udp
KZ 92.47.122.155:40500 udp
UZ 213.230.127.60:40500 udp
IR 2.185.153.12:40500 tcp
IR 151.242.43.249:40500 udp
RU 185.215.113.66:80 185.215.113.66 tcp
IR 2.180.243.38:40500 udp
RU 185.215.113.84:80 185.215.113.84 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
UZ 87.237.234.222:40500 udp
IN 117.247.17.27:40500 tcp
RU 109.191.166.61:40500 udp
RU 185.215.113.66:80 185.215.113.66 tcp
N/A 100.115.152.96:40500 udp

Files

memory/1760-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

memory/1220-55-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/1344-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1546029693.exe

MD5 66bbb99fb92a3688d31a899992f73cdf
SHA1 836fad08d9de8ea28c35d1885496af8e1284a6e7
SHA256 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6
SHA512 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36

\Users\Admin\AppData\Local\Temp\1546029693.exe

MD5 66bbb99fb92a3688d31a899992f73cdf
SHA1 836fad08d9de8ea28c35d1885496af8e1284a6e7
SHA256 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6
SHA512 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36

C:\Users\Admin\AppData\Local\Temp\1546029693.exe

MD5 66bbb99fb92a3688d31a899992f73cdf
SHA1 836fad08d9de8ea28c35d1885496af8e1284a6e7
SHA256 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6
SHA512 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36

memory/1344-63-0x000000013F920000-0x000000013F926000-memory.dmp

memory/1344-64-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

memory/1912-65-0x0000000000000000-mapping.dmp

memory/1052-66-0x0000000000000000-mapping.dmp

memory/968-68-0x0000000000000000-mapping.dmp

memory/1532-67-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\267013931.exe

MD5 f99a026691957a1490c606890021a4db
SHA1 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1
SHA256 db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd
SHA512 e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f

memory/2024-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\267013931.exe

MD5 f99a026691957a1490c606890021a4db
SHA1 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1
SHA256 db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd
SHA512 e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f

\Users\Admin\AppData\Local\Temp\2720910907.exe

MD5 3d1212389bfcdc91be084e6c093a32a1
SHA1 4f26c5cd52f148af9e40da1daf916e7e86620db9
SHA256 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c
SHA512 b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361

\Users\Admin\AppData\Local\Temp\2720910907.exe

MD5 3d1212389bfcdc91be084e6c093a32a1
SHA1 4f26c5cd52f148af9e40da1daf916e7e86620db9
SHA256 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c
SHA512 b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361

memory/1228-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2720910907.exe

MD5 3d1212389bfcdc91be084e6c093a32a1
SHA1 4f26c5cd52f148af9e40da1daf916e7e86620db9
SHA256 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c
SHA512 b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361

C:\Users\Admin\AppData\Local\Temp\2720910907.exe

MD5 3d1212389bfcdc91be084e6c093a32a1
SHA1 4f26c5cd52f148af9e40da1daf916e7e86620db9
SHA256 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c
SHA512 b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361

memory/944-79-0x0000000000000000-mapping.dmp

C:\Windows\sysrdsvms.exe

MD5 3d1212389bfcdc91be084e6c093a32a1
SHA1 4f26c5cd52f148af9e40da1daf916e7e86620db9
SHA256 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c
SHA512 b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361

C:\Windows\sysrdsvms.exe


Analysis: behavioral2

Detonation Overview

Submitted

2022-09-28 09:38

Reported

2022-09-28 09:41

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85692162.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\85692162.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 4400 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 4400 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\winrecsv.exe
PID 896 wrote to memory of 260 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\85692162.exe
PID 896 wrote to memory of 260 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\85692162.exe
PID 260 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\85692162.exe C:\Windows\System32\cmd.exe
PID 260 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\85692162.exe C:\Windows\System32\cmd.exe
PID 260 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\85692162.exe C:\Windows\System32\cmd.exe
PID 260 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\85692162.exe C:\Windows\System32\cmd.exe
PID 1388 wrote to memory of 3652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1388 wrote to memory of 3652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2544 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2544 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 896 wrote to memory of 4128 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\625122879.exe
PID 896 wrote to memory of 4128 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\625122879.exe
PID 896 wrote to memory of 4128 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\625122879.exe
PID 4128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\625122879.exe C:\Users\Admin\AppData\Local\Temp\1125717888.exe
PID 4128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\625122879.exe C:\Users\Admin\AppData\Local\Temp\1125717888.exe
PID 2724 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\1125717888.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\1125717888.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1125717888.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1125717888.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 4356 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 4356 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\85692162.exe

C:\Users\Admin\AppData\Local\Temp\85692162.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "User Configuration"

C:\Users\Admin\AppData\Local\Temp\625122879.exe

C:\Users\Admin\AppData\Local\Temp\625122879.exe

C:\Users\Admin\AppData\Local\Temp\1125717888.exe

C:\Users\Admin\AppData\Local\Temp\1125717888.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Network


Files
