Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1541186
MD5:cc966bdad155dceb3dca2a8f30735c77
SHA1:f68759ee0fe3b9b20be0112139058418919d7373
SHA256:18c96bd577f15c92a89a17ee3a768a581b050ec34fcfa72823e624336291170b
Tags:exeuser-Bitsight
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the hosts file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CC966BDAD155DCEB3DCA2A8F30735C77)
    • powershell.exe (PID: 1680 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1772 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 5484 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 2128 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 5136 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4324 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 348 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2928 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1396 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1440 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1472 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1524 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 348 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5476 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6020 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5240 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6112 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 6692 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: CC966BDAD155DCEB3DCA2A8F30735C77)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Change of critical system settings

barindex
Sigma detected: Disable power options
Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6220, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 1440, ProcessName: powercfg.exe

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6220, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1680, ProcessName: powershell.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6220, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1680, ProcessName: powershell.exe
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6220, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 6020, ProcessName: sc.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6220, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1680, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

barindex
Sigma detected: Stop EventLog
Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6220, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5240, ProcessName: sc.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Google\Chrome\updater.exeReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: file.exeReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: file.exe, 00000000.00000002.2306454187.00007FF6635C6000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2323452742.00007FF7CF696000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: file.exe, 00000000.00000002.2306454187.00007FF6635C6000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2323452742.00007FF7CF696000.00000040.00000001.01000000.00000004.sdmp

Spam, unwanted Advertisements and Ransom Demands

barindex
Modifies the hosts file
Source: C:\Users\user\Desktop\file.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

System Summary

barindex
PE file contains section with special chars
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Uses powercfg.exe to modify the power settings
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: updater.exe.0.drStatic PE information: Number of sections : 14 > 10
Source: file.exeStatic PE information: Number of sections : 14 > 10
Source: file.exeStatic PE information: Section: ZLIB complexity 0.9912363725593297
Source: file.exeStatic PE information: Section: ZLIB complexity 1.0022490288284605
Source: file.exeStatic PE information: Section: ZLIB complexity 1.0416666666666667
Source: file.exeStatic PE information: Section: ZLIB complexity 1.5625
Source: file.exeStatic PE information: Section: ZLIB complexity 2.3333333333333335
Source: file.exeStatic PE information: Section: ZLIB complexity 1.030054644808743
Source: file.exeStatic PE information: Section: ZLIB complexity 1.1047619047619048
Source: file.exeStatic PE information: Section: .reloc ZLIB complexity 1.5
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 0.9912363725593297
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.0022490288284605
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.0416666666666667
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.5625
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 2.3333333333333335
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.030054644808743
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.1047619047619048
Source: updater.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engineClassification label: mal100.adwa.spyw.evad.winEXE@47/7@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d245st2.f03.ps1Jump to behavior
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\file.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: file.exeReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: file.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: file.exeStatic file information: File size 8530840 > 1048576
Source: file.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x51986e
Source: file.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x2fae00
Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: file.exe, 00000000.00000002.2306454187.00007FF6635C6000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2323452742.00007FF7CF696000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: file.exe, 00000000.00000002.2306454187.00007FF6635C6000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2323452742.00007FF7CF696000.00000040.00000001.01000000.00000004.sdmp
Source: initial sampleStatic PE information: section where entry point is pointing to: .boot
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .imports
Source: file.exeStatic PE information: section name: .themida
Source: file.exeStatic PE information: section name: .boot
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name: .imports
Source: updater.exe.0.drStatic PE information: section name: .themida
Source: updater.exe.0.drStatic PE information: section name: .boot
Source: file.exeStatic PE information: section name: entropy: 7.96908005213028
Source: updater.exe.0.drStatic PE information: section name: entropy: 7.96908005213028
Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Google\Chrome\updater.exeJump to dropped file
Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Google\Chrome\updater.exeJump to dropped file

Boot Survival

barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeSystem information queried: FirmwareTableInformationJump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5566Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4235Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5300Thread sleep count: 5566 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2928Thread sleep count: 4235 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324Thread sleep time: -7378697629483816s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: file.exe, 00000000.00000002.2305497883.0000021B10CDC000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000022.00000002.2322310528.000001F7C19EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeThread information set: HideFromDebuggerJump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: regmonclass
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: procmon_window_class
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: filemonclass
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeProcess queried: DebugPortJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeProcess queried: DebugPortJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\file.exeNtQuerySystemInformation: Indirect: 0x7FF6636E3BBDJump to behavior
Source: C:\Users\user\Desktop\file.exeNtQueryInformationProcess: Indirect: 0x7FF66370A04DJump to behavior
Source: C:\Users\user\Desktop\file.exeNtQueryInformationProcess: Indirect: 0x7FF663717323Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtQuerySystemInformation: Indirect: 0x7FF7CF7B3BBDJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtQueryInformationProcess: Indirect: 0x7FF7CF7E7323Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtSetInformationThread: Indirect: 0x7FF7CF7EFE24Jump to behavior
Source: C:\Users\user\Desktop\file.exeNtSetInformationThread: Indirect: 0x7FF66371FE24Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtQueryInformationProcess: Indirect: 0x7FF7CF7DA04DJump to behavior
Modifies the hosts file
Source: C:\Users\user\Desktop\file.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Modifies power options to not sleep / hibernate
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
Modifies the hosts file
Source: C:\Users\user\Desktop\file.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Service Execution		1
Windows Service		1
Windows Service		1
File and Directory Permissions Modification		OS Credential Dumping621
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		11
Process Injection		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Abuse Elevation Control Mechanism		341
Virtualization/Sandbox Evasion		Security Account Manager341
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Abuse Elevation Control Mechanism		LSA Secrets1
Remote System Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Obfuscated Files or Information		Cached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
Software Packing		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
DLL Side-Loading		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1541186 Sample: file.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for submitted file 2->44 46 Sigma detected: Stop EventLog 2->46 48 Sigma detected: Disable power options 2->48 50 3 other signatures 2->50 7 file.exe 1 3 2->7         started        11 updater.exe 2->11         started        process3 file4 40 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 7->40 dropped 42 C:\Windows\System32\drivers\etc\hosts, ASCII 7->42 dropped 52 Query firmware table information (likely to detect VMs) 7->52 54 Uses powercfg.exe to modify the power settings 7->54 56 Modifies the hosts file 7->56 64 5 other signatures 7->64 13 powershell.exe 23 7->13         started        16 cmd.exe 1 7->16         started        18 powercfg.exe 1 7->18         started        20 12 other processes 7->20 58 Multi AV Scanner detection for dropped file 11->58 60 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->60 62 Hides threads from debuggers 11->62 signatures5 process6 signatures7 66 Loading BitLocker PowerShell Module 13->66 22 WmiPrvSE.exe 13->22         started        24 conhost.exe 13->24         started        26 conhost.exe 16->26         started        28 wusa.exe 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 20->34         started        36 conhost.exe 20->36         started        38 9 other processes 20->38 process8

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
file.exe37%ReversingLabsWin64.Trojan.Cerbu

Dropped Files

SourceDetectionScannerLabelLink
C:\ProgramData\Google\Chrome\updater.exe37%ReversingLabsWin64.Trojan.Cerbu

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.214.172
truefalse
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1541186
    Start date and time:2024-10-24 15:03:06 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 30s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:37
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:file.exe
    Detection:MAL
    Classification:mal100.adwa.spyw.evad.winEXE@47/7@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .exe

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 40.126.32.134, 40.126.32.138, 20.190.160.17, 20.190.160.20, 20.190.160.22, 40.126.32.136, 40.126.32.76, 40.126.32.68
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtCreateKey calls found.
    • VT rate limit hit for: file.exe

    Simulations

    Behavior and APIs

    TimeTypeDescription
    09:04:15API Interceptor1x Sleep call for process: file.exe modified
    09:04:18API Interceptor17x Sleep call for process: powershell.exe modified

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    bg.microsoft.map.fastly.nethttps://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUnGet hashmaliciousHtmlDropperBrowse
    • 199.232.214.172
    praxisbackup.exeGet hashmaliciousUnknownBrowse
    • 199.232.210.172
    http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.comGet hashmaliciousUnknownBrowse
    • 199.232.214.172
    1863415243647.exeGet hashmaliciousAgentTeslaBrowse
    • 199.232.214.172
    11625182393171315806.jsGet hashmaliciousStrela DownloaderBrowse
    • 199.232.210.172
    68767783000729717.jsGet hashmaliciousStrela DownloaderBrowse
    • 199.232.210.172
    17233137582802518545.jsGet hashmaliciousStrela DownloaderBrowse
    • 199.232.210.172
    197524037151051602.jsGet hashmaliciousStrela DownloaderBrowse
    • 199.232.210.172
    https://t.co/yXelyYqHRkGet hashmaliciousUnknownBrowse
    • 199.232.210.172
    https://linkednnn.weebly.com/Get hashmaliciousUnknownBrowse
    • 199.232.214.172

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\ProgramData\Google\Chrome\updater.exe

    Download File
    Process:C:\Users\user\Desktop\file.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):8530840
    Entropy (8bit):7.919455819398224
    Encrypted:false
    SSDEEP:196608:hRoogBLbAVkOn6naqZnpxu1dudreT1e10IJlZr:0ogBLbIkg6naqZnnuPudST4OIJ
    MD5:CC966BDAD155DCEB3DCA2A8F30735C77
    SHA1:F68759EE0FE3B9B20BE0112139058418919D7373
    SHA-256:18C96BD577F15C92A89A17EE3A768A581B050EC34FCFA72823E624336291170B
    SHA-512:C81A289A58799330C53373C03F386005DE16F41488FA39AD813BE9B708AA3EB0D8ABDADF1BFC443CE3A0D8C7EADACBE953E8B8F8647DF693721E94375315B467
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 37%
    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....<.g.........."...........l.....8..........@..........................................`.................................................B0n.d....Pn.H....................p..............................(@n.(................................................... v.......oo.................. ..` d*... .......t..............@..@ ..l..P..n.Q.................@... ......m......"R.............@..@ ......m......$R.............@..@ ......n......&R.............@... P.....n.n....(R.............@..@ x.... n.i....*R.............@..B.imports.....0n......,R.............@....tls.........@n.......R..................rsrc........Pn......0R.............@..@.themida.`T..`n......4R.............`....boot...../......./..4R.............`..`.reloc.......p........................@........................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):64
    Entropy (8bit):1.1940658735648508
    Encrypted:false
    SSDEEP:3:Nlllulbnolz:NllUc
    MD5:F23953D4A58E404FCB67ADD0C45EB27A
    SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
    SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
    SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
    Malicious:false
    Preview:@...e................................................@..........

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d245st2.f03.ps1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq1ndhks.u4t.ps1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4i3bxw0.wii.psm1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjpnm1vs.e5r.psm1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Windows\System32\drivers\etc\hosts

    Download File
    Process:C:\Users\user\Desktop\file.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):2748
    Entropy (8bit):4.269302338623222
    Encrypted:false
    SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
    MD5:7B1D6A1E1228728A16B66C3714AA9A23
    SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
    SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
    SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
    Malicious:true
    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..

    Static File Info

    General

    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):7.919455819398224
    TrID:
    • Win64 Executable GUI (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:8'530'840 bytes
    MD5:cc966bdad155dceb3dca2a8f30735c77
    SHA1:f68759ee0fe3b9b20be0112139058418919d7373
    SHA256:18c96bd577f15c92a89a17ee3a768a581b050ec34fcfa72823e624336291170b
    SHA512:c81a289a58799330c53373c03f386005de16f41488fa39ad813be9b708aa3eb0d8abdadf1bfc443ce3a0d8c7eadacbe953e8b8f8647df693721e94375315b467
    SSDEEP:196608:hRoogBLbAVkOn6naqZnpxu1dudreT1e10IJlZr:0ogBLbIkg6naqZnnuPudST4OIJ
    TLSH:2E86337368508D1CEEAA52F3250E4D3597B697B094C14F8415FEEB307B9061EBA3EE21
    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....<.g.........."...........l.....8..........@..........................................`........................................

    File Icon

    Icon Hash:00928e8e8686b000

    Static PE Info

    General

    Entrypoint:0x140c2c738
    Entrypoint Section:.boot
    Digitally signed:false
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x671A3C89 [Thu Oct 24 12:24:41 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:35a81d16af9f2ba6d515f11152d0364b

    Entrypoint Preview

    Instruction
    call 00007FC6C1150437h
    inc ecx
    push edx
    dec ecx
    mov edx, esp
    inc ecx
    push edx
    dec ecx
    mov esi, dword ptr [edx+10h]
    dec ecx
    mov edi, dword ptr [edx+20h]
    cld
    mov dl, 80h
    mov al, byte ptr [esi]
    dec eax
    inc esi
    mov byte ptr [edi], al
    dec eax
    inc edi
    mov ebx, 00000002h
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007FC6C1150296h
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007FC6C1150310h
    xor eax, eax
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007FC6C11503B8h
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    je 00007FC6C11502BBh
    push edi
    mov eax, eax
    dec eax
    sub edi, eax
    mov al, byte ptr [edi]
    pop edi
    mov byte ptr [edi], al
    dec eax
    inc edi
    mov ebx, 00000002h
    jmp 00007FC6C115023Ah
    mov eax, 00000001h
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FC6C11502B9h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jc 00007FC6C1150298h
    sub eax, ebx
    mov ebx, 00000001h
    jne 00007FC6C11502E0h
    mov ecx, 00000001h

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x6e30420x64.imports
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x6e50000x348.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0xc0dac80x1a4.themida
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0xf270000x10.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x6e40280x28.tls
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    0x10000x10f760x6f6fc946ed7ab6535400f8d891afc9ce7313False0.9912363725593297DOS executable (COM)7.96908005213028IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    0x120000x2a640x131bd1956b5f8d05073381eba68e71171609False1.0022490288284605data7.932569043537678IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x150000x6c82e00x51986e43ce323024f387ed7f694f6d530d295eunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    0x6de0000x1980x1080a590cfe48d2733afc0434722db8a3b2False1.0416666666666667data6.710415592487811IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x6df0000x100x107be0025c7534c316e5a59b4527ed130aFalse1.5625Non-ISO extended-ASCII text, with no line terminators4.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x6e00000x100x6491872cf84d6c90a616ef749d7c9e84eFalse2.3333333333333335data2.2516291673878226IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    0x6e10000x3500x16ea74ab623dbd25092f6eee03127a78501False1.030054644808743data7.418594706987617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x6e20000x780x69c09b3f8b222733c3a558a64e0008a909False1.1047619047619048data6.123218313752117IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .imports0x6e30000x10000x20046be7d863a64363f8b65a25ee833d78fFalse0.1796875data1.2657209021050075IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls0x6e40000x10000x200ec0ffde6834be88667d15ede52ae8b07False0.060546875data0.31592487960959603IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc0x6e50000x10000x4002468ef38b7adebb983068c293c71e313False0.369140625data2.858717175514925IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .themida0x6e60000x5460000x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .boot0xc2c0000x2fae000x2fae0078e43accb5a2d040d95a420f599dd87aunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .reloc0xf270000x10000x10a2277de4b751aa34049f7464db99f5a7False1.5GLS_BINARY_LSB_FIRST2.6493974703476995IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountryZLIB Complexity
    RT_VERSION0x6e50580x2f0SysEx File - IDPEnglishUnited States0.45611702127659576

    Imports

    DLLImport
    kernel32.dllGetModuleHandleA
    msvcrt.dll__C_specific_handler

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Oct 24, 2024 15:04:11.891885042 CEST1.1.1.1192.168.2.50xd0f6No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
    Oct 24, 2024 15:04:11.891885042 CEST1.1.1.1192.168.2.50xd0f6No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:09:04:15
    Start date:24/10/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x7ff662b60000
    File size:8'530'840 bytes
    MD5 hash:CC966BDAD155DCEB3DCA2A8F30735C77
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    General

    Target ID:2
    Start time:09:04:15
    Start date:24/10/2024
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    Imagebase:0x7ff7be880000
    File size:452'608 bytes
    MD5 hash:04029E121A0CFA5991749937DD22A1D9
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:3
    Start time:09:04:15
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:4
    Start time:09:04:19
    Start date:24/10/2024
    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    Imagebase:0x7ff6ef0c0000
    File size:496'640 bytes
    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:5
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    Imagebase:0x7ff7698c0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:6
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop UsoSvc
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:7
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:8
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:9
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\wusa.exe
    Wow64 process (32bit):false
    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
    Imagebase:0x7ff787460000
    File size:345'088 bytes
    MD5 hash:FBDA2B8987895780375FE0E6254F6198
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:10
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:11
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:12
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop wuauserv
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:13
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:14
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop bits
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:15
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:16
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop dosvc
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:17
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:18
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    Imagebase:0x7ff686420000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:19
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    Imagebase:0x7ff686420000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:20
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:21
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    Imagebase:0x7ff686420000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:22
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:23
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    Imagebase:0x7ff686420000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:24
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:25
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:26
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:27
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:28
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:29
    Start time:09:04:20
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:30
    Start time:09:04:21
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop eventlog
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:31
    Start time:09:04:21
    Start date:24/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    Imagebase:0x7ff7889f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:32
    Start time:09:04:21
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:33
    Start time:09:04:21
    Start date:24/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:34
    Start time:09:04:21
    Start date:24/10/2024
    Path:C:\ProgramData\Google\Chrome\updater.exe
    Wow64 process (32bit):false
    Commandline:C:\ProgramData\Google\Chrome\updater.exe
    Imagebase:0x7ff7cec30000
    File size:8'530'840 bytes
    MD5 hash:CC966BDAD155DCEB3DCA2A8F30735C77
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 37%, ReversingLabs
    Has exited:true

    Disassembly

    No disassembly