Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
109s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
24/07/2024, 09:18
Static task
static1
Behavioral task
behavioral1
Sample
runme.exe
Resource
win10v2004-20240709-en
General
-
Target
runme.exe
-
Size
6.2MB
-
MD5
89f99b96ddd54a813fb0719f972ce962
-
SHA1
a37b8e8579a21deb4fece12f6d9a8538d7293f14
-
SHA256
8736514ffd25ec6121a53f017e6bd524bdc840f54f246d10953ed129905a828a
-
SHA512
57d4c3eabd9baba5b89c6a22e66cb5fb472e98cd0ceb6b3f300d85d00c5f0070d0c449243ef7bfee1c932231068758fc4f427465d8259706ba5b82132901f5f4
-
SSDEEP
98304:hTcD5a29JQu1lfjFzjtQZzN+aKHtv+5iUyB2:+M2X/VHQHb5iUyB2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4456 Bt.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3136 set thread context of 3040 3136 tcpsvcs.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tcpsvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language more.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SearchIndexer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662863513453977" chrome.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D} Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\VZHTLWEYLNHMN\\Bt.exe" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\VZHTLWEYLNHMN" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6} Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\VZHTLWEYLNHMN\\Bt.exe" Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} Bt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" Bt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION Bt.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3576 vlc.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 3136 tcpsvcs.exe 3136 tcpsvcs.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 3040 more.com 3040 more.com 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 3776 chrome.exe 3776 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3576 vlc.exe -
Suspicious behavior: MapViewOfSection 16 IoCs
pid Process 3136 tcpsvcs.exe 3136 tcpsvcs.exe 3136 tcpsvcs.exe 4456 Bt.exe 4456 Bt.exe 4456 Bt.exe 4456 Bt.exe 4456 Bt.exe 4456 Bt.exe 3040 more.com 3040 more.com 3136 tcpsvcs.exe 4172 SearchIndexer.exe 4172 SearchIndexer.exe 4172 SearchIndexer.exe 3040 more.com -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2604 taskmgr.exe Token: SeSystemProfilePrivilege 2604 taskmgr.exe Token: SeCreateGlobalPrivilege 2604 taskmgr.exe Token: 33 2604 taskmgr.exe Token: SeIncBasePriorityPrivilege 2604 taskmgr.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe Token: SeShutdownPrivilege 3776 chrome.exe Token: SeCreatePagefilePrivilege 3776 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 2604 taskmgr.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4456 Bt.exe 3576 vlc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3572 4568 runme.exe 84 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 4568 wrote to memory of 3136 4568 runme.exe 85 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 4456 3136 tcpsvcs.exe 88 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3136 wrote to memory of 3040 3136 tcpsvcs.exe 97 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3040 wrote to memory of 4172 3040 more.com 102 PID 3776 wrote to memory of 552 3776 chrome.exe 106 PID 3776 wrote to memory of 552 3776 chrome.exe 106 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107 PID 3776 wrote to memory of 1044 3776 chrome.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\runme.exe"C:\Users\Admin\AppData\Local\Temp\runme.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\tcpsvcs.exe"C:\Users\Admin\AppData\Local\Temp\runme.exe"2⤵PID:3572
-
-
C:\Windows\SysWOW64\tcpsvcs.exe"C:\Users\Admin\AppData\Local\Temp\runme.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Users\Admin\AppData\Roaming\GcDownload\VZHTLWEYLNHMN\Bt.exeC:\Users\Admin\AppData\Roaming\GcDownload\VZHTLWEYLNHMN\Bt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4456
-
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\SearchIndexer.exeC:\Windows\SysWOW64\SearchIndexer.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:4172
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2604
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe9607cc40,0x7ffe9607cc4c,0x7ffe9607cc582⤵PID:552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1868 /prefetch:22⤵PID:1044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2180 /prefetch:32⤵PID:2520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2440 /prefetch:82⤵PID:2124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3184 /prefetch:12⤵PID:4044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3400,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:1440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4564 /prefetch:12⤵PID:4224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4844 /prefetch:82⤵PID:1968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,6073985372467423551,7647815235408353239,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4872 /prefetch:82⤵PID:8
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:3680
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3576
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD5485c0b79ff6419005da9b909072a30e7
SHA1f8e17bc9fc21d166dd7f5b93f2f36e261cbaac9a
SHA256c177a382b28050e9b612ea884bd9e9414adb4f4ff8eb785927ff8e9987fb4cb2
SHA5120286a8e41c471bb68bba68b89d2545a60e10e773c077b7899cd33199878900f6f6353722a5d2aebc3ba2674db7ae48200b5c731bcfa78ddbd98b49ac55a3de95
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\98becd63-e3dc-4efa-b298-b783ddf38d7e.tmp
Filesize1KB
MD5c1a072d5b38638ff76e4275b17d4e349
SHA16ed20303878753e05fafe4b179eccfb605013331
SHA25682bf0a86815eb55e2bb62f70cc7a9ab43bc112ac35ba747a7e83100676414ada
SHA512da1c9960567342330df773b14c25b3f49b596445c229f198ec581d01785f92506ab32a18b69824e42851d39fac385080ae2fedaa40f0c6b6fe7fb2c4166c1b6c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD50ae5ad66e357eb595f8442f3a2482f21
SHA1587fc39dec3f32f494147d2efba37eea91a472fb
SHA256ab3eac386aa27f99dc404304868d291d8e34d9ee4c1f5ab1964aae2efdd5950c
SHA512949cdb4284dd2f68b92cfad3f462ba6dcf1b9eb43240d958ae6608b47530bcbe769edf04c9e5ffd60e8e2ca0b8de4a830a129ebc2e36b49851dfa375eb3a6373
-
Filesize
9KB
MD5bc0e0c7c418e4ad073ae3ce9af91413f
SHA15787e6d1fda4ab1d4b09a1e663645bb16d32c37a
SHA2565327fe73e979c7a7b63ccd44428c093d338f1c6af48790ad42c24d05f77c1f11
SHA512268c5ab38377c0f6b25ab9d90b991be4f76958794308dfb7d5aeaa11ff478ca60d3e6e2608642fb6453c2faeaff90da19d1c3f3126eb16bd3c9e9a7a071e1122
-
Filesize
15KB
MD5b534dd950d929db27cbb970d62e491c4
SHA18c00bea9fe3eb30abfd5b26472fc6ab347f33df4
SHA2563777d36b8e9668f4309e2a1d183ddad0aacb0fde347b9cf185e936051276d7b0
SHA512cf18ad9e1458eebbec2d4b9b66a4337c71eb3eb4a49c8fb2cb11d22b7f8b5f45b819ad48617ab237b594927dcaa3ac383d1bd1bf505044fd16277ae82d946a20
-
Filesize
187KB
MD52ec02c6db8b60edf4ee63191c6dd6f2d
SHA15e7b9f00951d2062f24033fcdc8c5f7cf51c60d0
SHA2568f1f21a3308e93f8961d06a2e449b0abaaf64f0befe5adfdc1cd49cd1c0f6a8e
SHA512d2a05c47ff01fc8aff0cd209cd07595c7364b3971928b258cc30019a8a3c387073cc2a26ee1f477abe1ee2fd2d16fe95ecfd9a0f97a96084dd7504b333dfcf56
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1.1MB
MD5a445da645fb9aa52b2bf33c0948a3741
SHA1ff043462ab8b50341aad656168e6cb9db139093b
SHA2564d4e49273a61513035ad5d7ca0416f0450b9d2ad1073052ad48bdfbc098626e6
SHA5127903850530f1debb53b698809815e4782006ac9305a7a7b6153eb7015aff09495075c1a745813cc478cca152aa4b0f4fe33d49bdf5741f70b4d679e5dbf61d94
-
Filesize
47KB
MD5916d7425a559aaa77f640710a65f9182
SHA123d25052aef9ba71ddeef7cfa86ee43d5ba1ea13
SHA256118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35
SHA512d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc