Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 22:42
Behavioral task: behavioral1
- Sample: 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
- Resource: win7-20240903-en
General
- Target: 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
- Size: 12.2MB
- MD5: c619c99d873652c66f6fed3dde3c651f
- SHA1: 7974b95a82b1bc8e9a856db312f0d40733cd1b41
- SHA256: 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25
- SHA512: cc487ec97acb036bca68861b33b17ab0cd9fe31b1b954e1d7bfcc0dc781cbb0c42dbef48b906617516d69168a34409d4cbf8b7f3461ffcd9fb6bcf4c2577b8be
- SSDEEP: 196608:RU7Zu+p22zd1QrM36NC0wTVcC1uYove/bkhUlMQoAyfMY:RU78mrQQ36NC0wTVhOqICNoAq
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | valrjyxscerz.exe
XMRig Miner payload | 9 IoCs
  resource | yara_rule
  behavioral2/memory/380-69-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-70-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-74-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-76-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-78-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-77-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-75-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-79-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
  behavioral2/memory/380-80-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
Command and Scripting Interpreter: PowerShell | 1 TTPs | 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  4692 | powershell.exe
  4304 | powershell.exe
Creates new service(s) | 2 TTPs
Checks BIOS information in registry | 2 TTPs | 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | valrjyxscerz.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | valrjyxscerz.exe
Executes dropped EXE | 1 IoCs
  pid | Process
  4396 | valrjyxscerz.exe
Yara rule matches (themida)
  resource | yara_rule
  behavioral2/memory/2388-0-0x0000000140000000-0x0000000140AC9000-memory.dmp | themida
  behavioral2/memory/2388-2-0x0000000140000000-0x0000000140AC9000-memory.dmp | themida
  behavioral2/memory/2388-23-0x0000000140000000-0x0000000140AC9000-memory.dmp | themida
  behavioral2/files/0x00070000000234c3-24.dat | themida
  behavioral2/memory/4396-26-0x0000000140000000-0x0000000140AC9000-memory.dmp | themida
  behavioral2/memory/4396-73-0x0000000140000000-0x0000000140AC9000-memory.dmp | themida
Yara rule matches (upx)
  resource | yara_rule
  behavioral2/memory/380-68-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-65-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-64-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-69-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-67-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-66-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-70-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-74-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-76-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-78-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-77-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-75-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-79-0x0000000140000000-0x0000000140835000-memory.dmp | upx
  behavioral2/memory/380-80-0x0000000140000000-0x0000000140835000-memory.dmp | upx
Checks whether UAC is enabled | 2 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | valrjyxscerz.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
Power Settings | 1 TTPs | 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid | Process
  3408 | powercfg.exe
  2376 | powercfg.exe
  4500 | powercfg.exe
  1780 | powercfg.exe
  3440 | powercfg.exe
  2712 | powercfg.exe
  4484 | powercfg.exe
  4424 | powercfg.exe
Drops file in System32 directory | 4 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\system32\MRT.exe | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\MRT.exe | valrjyxscerz.exe
Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
  pid | Process
  2388 | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe
  4396 | valrjyxscerz.exe
Suspicious use of SetThreadContext | 2 IoCs
  description | pid | Process | procid_target
  PID 4396 set thread context of 2240 | 4396 | valrjyxscerz.exe | 150
  PID 4396 set thread context of 380 | 4396 | valrjyxscerz.exe | 153
Launches sc.exe | 14 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  936 | sc.exe
  4772 | sc.exe
  2748 | sc.exe
  1344 | sc.exe
  2392 | sc.exe
  4588 | sc.exe
  4944 | sc.exe
  3940 | sc.exe
  5084 | sc.exe
  640 | sc.exe
  3548 | sc.exe
  2476 | sc.exe
  4456 | sc.exe
  1320 | sc.exe
Modifies data under HKEY_USERS | 46 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Suspicious behavior: EnumeratesProcesses | 64 IoCs
  pid | Process (repeated rows collapsed, in the original order)
  2388 | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe (x1)
  4692 | powershell.exe (x2)
  2388 | 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe (x15)
  4396 | valrjyxscerz.exe (x1)
  4304 | powershell.exe (x2)
  4396 | valrjyxscerz.exe (x12)
  380 | explorer.exe (x31)
Suspicious use of AdjustPrivilegeToken | 19 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4692 | powershell.exe
  Token: SeShutdownPrivilege | 3440 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3440 | powercfg.exe
  Token: SeShutdownPrivilege | 4500 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4500 | powercfg.exe
  Token: SeShutdownPrivilege | 1780 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1780 | powercfg.exe
  Token: SeShutdownPrivilege | 2712 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2712 | powercfg.exe
  Token: SeDebugPrivilege | 4304 | powershell.exe
  Token: SeLockMemoryPrivilege | 380 | explorer.exe
  Token: SeShutdownPrivilege | 4424 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4424 | powercfg.exe
  Token: SeShutdownPrivilege | 3408 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3408 | powercfg.exe
  Token: SeShutdownPrivilege | 4484 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4484 | powercfg.exe
  Token: SeShutdownPrivilege | 2376 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2376 | powercfg.exe
Suspicious use of WriteProcessMemory | 20 IoCs
  description | pid | Process | procid_target (repeated rows collapsed)
  PID 3188 wrote to memory of 1408 | 3188 | cmd.exe | 104 (x2)
  PID 1856 wrote to memory of 1844 | 1856 | cmd.exe | 129 (x2)
  PID 4920 wrote to memory of 5044 | 4920 | cmd.exe | 137 (x2)
  PID 4396 wrote to memory of 2240 | 4396 | valrjyxscerz.exe | 150 (x9)
  PID 4396 wrote to memory of 380 | 4396 | valrjyxscerz.exe | 153 (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe (PID 2388)
  command line: "C:\Users\Admin\AppData\Local\Temp\1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe"
  signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 4692)
    command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3188)
    command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wusa.exe (PID 1408)
      command line: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\system32\sc.exe (PID 3940)
    command line: C:\Windows\system32\sc.exe stop UsoSvc
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 936)
    command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1344)
    command line: C:\Windows\system32\sc.exe stop wuauserv
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 5084)
    command line: C:\Windows\system32\sc.exe stop bits
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2392)
    command line: C:\Windows\system32\sc.exe stop dosvc
    signatures: Launches sc.exe
  - C:\Windows\system32\powercfg.exe (PID 4500)
    command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 2712)
    command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 3440)
    command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 1780)
    command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\sc.exe (PID 2476)
    command line: C:\Windows\system32\sc.exe delete "SZPNAYYI"
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4588)
    command line: C:\Windows\system32\sc.exe create "SZPNAYYI" binpath= "C:\ProgramData\bcxdqylpudnd\valrjyxscerz.exe" start= "auto"
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4772)
    command line: C:\Windows\system32\sc.exe stop eventlog
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4456)
    command line: C:\Windows\system32\sc.exe start "SZPNAYYI"
    signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe (PID 1856)
    command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\choice.exe (PID 1844)
      command line: choice /C Y /N /D Y /T 3
- C:\ProgramData\bcxdqylpudnd\valrjyxscerz.exe (PID 4396)
  command line: C:\ProgramData\bcxdqylpudnd\valrjyxscerz.exe
  signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 4304)
    command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4920)
    command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wusa.exe (PID 5044)
      command line: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\system32\sc.exe (PID 640)
    command line: C:\Windows\system32\sc.exe stop UsoSvc
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2748)
    command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1320)
    command line: C:\Windows\system32\sc.exe stop wuauserv
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4944)
    command line: C:\Windows\system32\sc.exe stop bits
    signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 3548)
    command line: C:\Windows\system32\sc.exe stop dosvc
    signatures: Launches sc.exe
  - C:\Windows\system32\powercfg.exe (PID 4484)
    command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 4424)
    command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 2376)
    command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 3408)
    command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\conhost.exe (PID 2240)
    command line: C:\Windows\system32\conhost.exe
  - C:\Windows\explorer.exe (PID 380)
    command line: explorer.exe
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12.2MB
  MD5: c619c99d873652c66f6fed3dde3c651f
  SHA1: 7974b95a82b1bc8e9a856db312f0d40733cd1b41
  SHA256: 1783713f0093c0b6ba6112cc6bdae8cd2a91daa19c651efe7e4e4ac2b3fbad25
  SHA512: cc487ec97acb036bca68861b33b17ab0cd9fe31b1b954e1d7bfcc0dc781cbb0c42dbef48b906617516d69168a34409d4cbf8b7f3461ffcd9fb6bcf4c2577b8be
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82