Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2024, 16:11
Static task
static1
Behavioral task
behavioral1
Sample
61b72b2d4099b7ca2af5318b4ea6a668.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
61b72b2d4099b7ca2af5318b4ea6a668.exe
Resource
win10v2004-20241007-en
General
-
Target
61b72b2d4099b7ca2af5318b4ea6a668.exe
-
Size
704KB
-
MD5
61b72b2d4099b7ca2af5318b4ea6a668
-
SHA1
7c38e00060124176ae1b5ad7f17dd8a202445f26
-
SHA256
b3b766fc82f285fbdfdfd1246fa7a227e7e8d4228a0a13c6187c4aab2149d0be
-
SHA512
b764e2204f473c7d09186a1dd8f4111344066a5219c76fe08076c46053d2ff620c43257f09e249931b684f1c055be2db3cffac1d4543c062ca7f956aca7f8106
-
SSDEEP
12288:q3IbtEqk/k9aqG1G7uSuYC7QQhguHuM+hECDgLEoX5+rUKHRmc65L2Vl2:q3C+BMQqGESMAh/OMknD4jcrJHRmbOl
Malware Config
Extracted
stealc
LogsDiller
http://185.235.128.16
-
url_path
/562c1eb14955c897.php
Signatures
-
Stealc family
-
Xmrig family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CGIDGCGIEG.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe -
XMRig Miner payload 18 IoCs
resource yara_rule behavioral2/memory/1352-271-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-274-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-283-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-282-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-280-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-279-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-273-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-272-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-270-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-269-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-268-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-281-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-277-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-275-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-286-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-288-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-289-0x0000000140000000-0x000000014082C000-memory.dmp xmrig behavioral2/memory/1352-290-0x0000000140000000-0x000000014082C000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2536 powershell.exe 3292 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts CGIDGCGIEG.exe File created C:\Windows\system32\drivers\etc\hosts updater.exe -
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 724 chrome.exe 2992 chrome.exe 2948 chrome.exe 4576 msedge.exe 2164 msedge.exe 1816 msedge.exe 5012 chrome.exe 2116 msedge.exe 2840 msedge.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CGIDGCGIEG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CGIDGCGIEG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion updater.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion updater.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 61b72b2d4099b7ca2af5318b4ea6a668.exe -
Executes dropped EXE 2 IoCs
pid Process 808 CGIDGCGIEG.exe 1668 updater.exe -
Loads dropped DLL 3 IoCs
pid Process 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0008000000023c41-198.dat themida behavioral2/memory/808-200-0x00007FF7B2F90000-0x00007FF7B3F16000-memory.dmp themida behavioral2/memory/808-201-0x00007FF7B2F90000-0x00007FF7B3F16000-memory.dmp themida behavioral2/memory/808-202-0x00007FF7B2F90000-0x00007FF7B3F16000-memory.dmp themida behavioral2/memory/808-203-0x00007FF7B2F90000-0x00007FF7B3F16000-memory.dmp themida behavioral2/memory/808-205-0x00007FF7B2F90000-0x00007FF7B3F16000-memory.dmp themida behavioral2/memory/808-221-0x00007FF7B2F90000-0x00007FF7B3F16000-memory.dmp themida behavioral2/memory/1668-224-0x00007FF71D5A0000-0x00007FF71E526000-memory.dmp themida behavioral2/memory/1668-225-0x00007FF71D5A0000-0x00007FF71E526000-memory.dmp themida behavioral2/memory/1668-226-0x00007FF71D5A0000-0x00007FF71E526000-memory.dmp themida behavioral2/memory/1668-227-0x00007FF71D5A0000-0x00007FF71E526000-memory.dmp themida behavioral2/memory/1668-285-0x00007FF71D5A0000-0x00007FF71E526000-memory.dmp themida -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CGIDGCGIEG.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA updater.exe -
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 2168 powercfg.exe 1244 powercfg.exe 4132 powercfg.exe 2500 powercfg.exe 2600 powercfg.exe 2948 powercfg.exe 1020 powercfg.exe 3044 powercfg.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe updater.exe File opened for modification C:\Windows\system32\MRT.exe CGIDGCGIEG.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 808 CGIDGCGIEG.exe 1668 updater.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1668 set thread context of 2564 1668 updater.exe 196 PID 1668 set thread context of 1352 1668 updater.exe 197 -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1536 sc.exe 216 sc.exe 884 sc.exe 4548 sc.exe 4528 sc.exe 4408 sc.exe 1092 sc.exe 5080 sc.exe 3740 sc.exe 1752 sc.exe 4396 sc.exe 3568 sc.exe 4044 sc.exe 4880 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1368 1584 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61b72b2d4099b7ca2af5318b4ea6a668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 61b72b2d4099b7ca2af5318b4ea6a668.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 61b72b2d4099b7ca2af5318b4ea6a668.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 48 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133748646746582510" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 5012 chrome.exe 5012 chrome.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 3932 msedge.exe 3932 msedge.exe 2116 msedge.exe 2116 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 808 CGIDGCGIEG.exe 2536 powershell.exe 2536 powershell.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 808 CGIDGCGIEG.exe 1668 updater.exe 3292 powershell.exe 3292 powershell.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1668 updater.exe 1352 explorer.exe 1352 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeShutdownPrivilege 5012 chrome.exe Token: SeCreatePagefilePrivilege 5012 chrome.exe Token: SeDebugPrivilege 2536 powershell.exe Token: SeShutdownPrivilege 2948 powercfg.exe Token: SeCreatePagefilePrivilege 2948 powercfg.exe Token: SeShutdownPrivilege 2600 powercfg.exe Token: SeCreatePagefilePrivilege 2600 powercfg.exe Token: SeShutdownPrivilege 3044 powercfg.exe Token: SeCreatePagefilePrivilege 3044 powercfg.exe Token: SeShutdownPrivilege 1020 powercfg.exe Token: SeCreatePagefilePrivilege 1020 powercfg.exe Token: SeDebugPrivilege 3292 powershell.exe Token: SeShutdownPrivilege 2500 powercfg.exe Token: SeCreatePagefilePrivilege 2500 powercfg.exe Token: SeShutdownPrivilege 4132 powercfg.exe Token: SeCreatePagefilePrivilege 4132 powercfg.exe Token: SeShutdownPrivilege 2168 powercfg.exe Token: SeCreatePagefilePrivilege 2168 powercfg.exe Token: SeShutdownPrivilege 1244 powercfg.exe Token: SeCreatePagefilePrivilege 1244 powercfg.exe Token: SeLockMemoryPrivilege 1352 explorer.exe -
Suspicious use of FindShellTrayWindow 51 IoCs
pid Process 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe 2116 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1584 wrote to memory of 5012 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 87 PID 1584 wrote to memory of 5012 1584 61b72b2d4099b7ca2af5318b4ea6a668.exe 87 PID 5012 wrote to memory of 3640 5012 chrome.exe 88 PID 5012 wrote to memory of 3640 5012 chrome.exe 88 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 1852 5012 chrome.exe 90 PID 5012 wrote to memory of 2776 5012 chrome.exe 91 PID 5012 wrote to memory of 2776 5012 chrome.exe 91 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92 PID 5012 wrote to memory of 2008 5012 chrome.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\61b72b2d4099b7ca2af5318b4ea6a668.exe"C:\Users\Admin\AppData\Local\Temp\61b72b2d4099b7ca2af5318b4ea6a668.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa20d4cc40,0x7ffa20d4cc4c,0x7ffa20d4cc583⤵PID:3640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:23⤵PID:1852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:33⤵PID:2776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:83⤵PID:2008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:13⤵
- Uses browser remote debugging
PID:2992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:13⤵
- Uses browser remote debugging
PID:724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:13⤵
- Uses browser remote debugging
PID:2948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4448,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:83⤵PID:796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4220,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:83⤵PID:468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:83⤵PID:1684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:83⤵PID:3512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:83⤵PID:212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,180374262779941717,15997048353104495180,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:83⤵PID:1412
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2116 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa219b46f8,0x7ffa219b4708,0x7ffa219b47183⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:23⤵PID:2336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:83⤵PID:3240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:13⤵
- Uses browser remote debugging
PID:2840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵
- Uses browser remote debugging
PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:13⤵
- Uses browser remote debugging
PID:2164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:13⤵
- Uses browser remote debugging
PID:1816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15983640285776558172,10100217345752069130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:23⤵PID:2936
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\CGIDGCGIEG.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1204 -
C:\ProgramData\CGIDGCGIEG.exe"C:\ProgramData\CGIDGCGIEG.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:808 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2408
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:3892
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:1752
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4396
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:1092
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:1536
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:3568
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:5080
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"4⤵
- Launches sc.exe
PID:884
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:4044
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:4548
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 25442⤵
- Program crash
PID:1368
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1584 -ip 15841⤵PID:5076
-
C:\ProgramData\Google\Chrome\updater.exeC:\ProgramData\Google\Chrome\updater.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1668 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:2556
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:4808
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:3740
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:4880
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:4528
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:216
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:4408
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1244
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2564
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Modify Authentication Process
1Power Settings
1Defense Evasion
Impair Defenses
1Modify Authentication Process
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.3MB
MD5d9a5e741b1f67593422bfb1a165288bb
SHA10bc42e46e97fbf3b0754d26d88e43945edc31a0b
SHA256c81a924446d324b3aeb0772dfd9cbed34fb878aff823ba2888362a22f7328fe8
SHA5125a463b581c18e2a2076bbf888ee838745eb8fea6e718b5882951e18a213f530589cb5cf3d61e2cc4014556dc65a327b56b42b915bd9cea488adb4782af151ea4
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
649B
MD583138fd0196e5303573c0433d6a3e374
SHA11f75213aa42df9b3411f648ade030e0fb7477f48
SHA256bef4c61ffda306511aaea481c41430ec240792200c047663ac6a90a8331f9673
SHA512921b015c2bb9d987abc9bcebe508e87d78ca00aa39961716fedb1fd3ef9fe6d6e0a577890c505ac58f5491105ccd84ece047bf736905efe8d043bac0851623bd
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\5aa4de6b-d72f-44e5-b67f-0564adb64305.dmp
Filesize826KB
MD56d7510d314e7f49ea7ce641b904d0894
SHA19f52ce5786c91797d0e10018ef26742fb1907968
SHA256ee3e4696502bef393eeaf8acb142e1b11c478fd3da991cb8855c53d3dfefbd82
SHA512a690ba080f7d8994fffa55b2136ea1d392182b7a5671fbe918563b214de42ee8d983cc400fc2a7bb42fcd7d7ce4c23c11c6706fb1245e3ec128fcbae6e7ce4eb
-
Filesize
152B
MD52c020b81ce381f90c34f791d7dc16492
SHA10889797280b8520f74eaeaf7610d66c6841958da
SHA2568ecd39b5d58815539a5a6a1f9aa31e2a125642f6c260b64f91e3254d8dbb70ae
SHA5129a18048252434cb6762f99db5bf5b19b44a9adaf08325a3c543269ae502ffd8fb3ab5194f9ac8ac3475b7e5603e9998c4331b3542e3b205a96274ab0516f3205
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
5KB
MD5f91404767eb794bb36dfb2963a2ad89e
SHA182af97c15e50f9b1c7a5dc44e4a4c0e32a83bbda
SHA2563e373d2fa32f2a7251be680df3cc63e82fd8c015ac8182e8b3593b6bc98da76f
SHA512ec113b0c16618677051d7ec9ee7a9811e47da53d3289dfb69d7060f0fe9e22794a67e97f39b3075f6770e36e161eb31defd9cac5680c42d4842e909b3a2d6b9a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62