Analysis
max time kernel: 152s
max time network: 166s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/10/2023, 01:27
Static task: static1
General
Target: 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe
Size: 5.2MB
MD5: 1c03c03c559f45cd292ebfd073201dd5
SHA1: f90581a94254d7957c8672994a8c636b33236f75
SHA256: 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768
SHA512: 41066db969cafd24508f7cc75c4a60bbba3772546e6c255b767130556294abe805d649272f48e739f4d56132c48970d47d5e18488fd9ebabe10ece048ec450f0
SSDEEP: 98304:/fBrF6F59tdDZRL19sH6Gk5W5DPios5bWpm8E0TCMc+geQf8n0+iAORP/:3xF6L9tdDZRZeHVk5g1MbWpm8E0G9+Pu
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
description | pid | Process | procid_target
PID 4372 created 2296 | 4372 | 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe | 30  (row repeated 6 times)
PID 3752 created 2296 | 3752 | updater.exe | 30  (row repeated 6 times)
XMRig Miner payload 10 IoCs
resource | yara_rule
behavioral1/memory/3332-229-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-231-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-233-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-235-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-237-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-239-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-241-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-243-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-245-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
behavioral1/memory/3332-247-0x00007FF785CE0000-0x00007FF786520000-memory.dmp | xmrig
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
Stops running service(s) 3 TTPs
Executes dropped EXE 1 IoCs
pid | Process
3752 | updater.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3752 set thread context of 4044 | 3752 | updater.exe | 110
PID 3752 set thread context of 3332 | 3752 | updater.exe | 111
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4116 | sc.exe
2620 | sc.exe
4680 | sc.exe
4156 | sc.exe
2860 | sc.exe
3908 | sc.exe
3544 | sc.exe
2624 | sc.exe
3688 | sc.exe
2948 | sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4424 | schtasks.exe
2724 | schtasks.exe
Modifies data under HKEY_USERS 47 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4372 | 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe  (row repeated 2 times)
3292 | powershell.exe  (row repeated 3 times)
4372 | 696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe  (row repeated 10 times)
3752 | updater.exe  (row repeated 2 times)
208 | powershell.exe  (row repeated 3 times)
3752 | updater.exe  (row repeated 10 times)
3332 | explorer.exe  (row repeated 34 times)
Suspicious use of AdjustPrivilegeToken 54 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3292 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3292 | powershell.exe
Token: SeSecurityPrivilege | 3292 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3292 | powershell.exe
Token: SeLoadDriverPrivilege | 3292 | powershell.exe
Token: SeSystemProfilePrivilege | 3292 | powershell.exe
Token: SeSystemtimePrivilege | 3292 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3292 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3292 | powershell.exe
Token: SeCreatePagefilePrivilege | 3292 | powershell.exe
Token: SeBackupPrivilege | 3292 | powershell.exe
Token: SeRestorePrivilege | 3292 | powershell.exe
Token: SeShutdownPrivilege | 3292 | powershell.exe
Token: SeDebugPrivilege | 3292 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3292 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3292 | powershell.exe
Token: SeUndockPrivilege | 3292 | powershell.exe
Token: SeManageVolumePrivilege | 3292 | powershell.exe
Token: 33 | 3292 | powershell.exe
Token: 34 | 3292 | powershell.exe
Token: 35 | 3292 | powershell.exe
Token: 36 | 3292 | powershell.exe
Token: SeShutdownPrivilege | 4408 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4408 | powercfg.exe
Token: SeShutdownPrivilege | 4360 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4360 | powercfg.exe
Token: SeShutdownPrivilege | 4724 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4724 | powercfg.exe
Token: SeShutdownPrivilege | 3956 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3956 | powercfg.exe
Token: SeDebugPrivilege | 208 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 208 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 208 | powershell.exe
Token: SeSecurityPrivilege | 208 | powershell.exe
Token: SeTakeOwnershipPrivilege | 208 | powershell.exe
Token: SeLoadDriverPrivilege | 208 | powershell.exe
Token: SeSystemtimePrivilege | 208 | powershell.exe
Token: SeBackupPrivilege | 208 | powershell.exe
Token: SeRestorePrivilege | 208 | powershell.exe
Token: SeShutdownPrivilege | 208 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 208 | powershell.exe
Token: SeUndockPrivilege | 208 | powershell.exe
Token: SeManageVolumePrivilege | 208 | powershell.exe
Token: SeShutdownPrivilege | 3660 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3660 | powercfg.exe
Token: SeShutdownPrivilege | 4624 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4624 | powercfg.exe
Token: SeShutdownPrivilege | 2464 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2464 | powercfg.exe
Token: SeShutdownPrivilege | 4052 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4052 | powercfg.exe
Token: SeDebugPrivilege | 3752 | updater.exe
Token: SeLockMemoryPrivilege | 3332 | explorer.exe  (row repeated 2 times)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target  (each row appears twice in the original)
PID 4464 wrote to memory of 3688 | 4464 | cmd.exe | 75
PID 4464 wrote to memory of 4680 | 4464 | cmd.exe | 76
PID 4464 wrote to memory of 2948 | 4464 | cmd.exe | 77
PID 4464 wrote to memory of 2860 | 4464 | cmd.exe | 78
PID 4464 wrote to memory of 3908 | 4464 | cmd.exe | 79
PID 4808 wrote to memory of 4408 | 4808 | cmd.exe | 82
PID 4808 wrote to memory of 4360 | 4808 | cmd.exe | 84
PID 4808 wrote to memory of 4724 | 4808 | cmd.exe | 85
PID 4808 wrote to memory of 3956 | 4808 | cmd.exe | 87
PID 1196 wrote to memory of 4156 | 1196 | cmd.exe | 97
PID 1196 wrote to memory of 4116 | 1196 | cmd.exe | 98
PID 1196 wrote to memory of 3544 | 1196 | cmd.exe | 99
PID 1196 wrote to memory of 2620 | 1196 | cmd.exe | 100
PID 1196 wrote to memory of 2624 | 1196 | cmd.exe | 101
PID 4860 wrote to memory of 3660 | 4860 | cmd.exe | 106
PID 4860 wrote to memory of 4624 | 4860 | cmd.exe | 107
PID 4860 wrote to memory of 2464 | 4860 | cmd.exe | 108
PID 4860 wrote to memory of 4052 | 4860 | cmd.exe | 109
PID 3752 wrote to memory of 4044 | 3752 | updater.exe | 110  (single row)
PID 3752 wrote to memory of 3332 | 3752 | updater.exe | 111  (single row)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\Explorer.EXE  [PID 2296]
  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe  [PID 4372]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\696dba35ecabffa21188d3717683a9206d13adf25d2b0fa4330787fd1b5de768.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3292]
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  [PID 4464]
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\sc.exe  [PID 3688]
      cmdline: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 4680]
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 2948]
      cmdline: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 2860]
      cmdline: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 3908]
      cmdline: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  [PID 4808]
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\powercfg.exe  [PID 4408]
      cmdline: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 4360]
      cmdline: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 4724]
      cmdline: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 3956]
      cmdline: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe  [PID 4028]
    cmdline: C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  C:\Windows\System32\schtasks.exe  [PID 4424]
    cmdline: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\qdckzafhhrqu.xml"
    - Creates scheduled task(s)
  C:\Windows\System32\schtasks.exe  [PID 1244]
    cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 208]
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  [PID 1196]
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\sc.exe  [PID 4156]
      cmdline: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 4116]
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 3544]
      cmdline: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 2620]
      cmdline: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [PID 2624]
      cmdline: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  [PID 4860]
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\powercfg.exe  [PID 3660]
      cmdline: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 4624]
      cmdline: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 2464]
      cmdline: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 4052]
      cmdline: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe  [PID 2724]
    cmdline: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\qdckzafhhrqu.xml"
    - Creates scheduled task(s)
  C:\Windows\System32\conhost.exe  [PID 4044]
    cmdline: C:\Windows\System32\conhost.exe
  C:\Windows\explorer.exe  [PID 3332]
    cmdline: C:\Windows\explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Google\Chrome\updater.exe  [PID 3752]
  cmdline: "C:\Program Files\Google\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Downloads