Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1542910
MD5:a87924e1faf359cab02caa3eb4476ce2
SHA1:501a117721b19d74daf8ee59423cf9a5651670df
SHA256:0ebdd19e9c54387639ba7462ab39fc823351bc7bc73ac937ff3764e587a0be27
Tags:exeuser-Bitsight
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the hosts file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 356 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A87924E1FAF359CAB02CAA3EB4476CE2)
    • powershell.exe (PID: 5448 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3992 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 3744 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6968 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 3492 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3236 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2672 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2760 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4620 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4072 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4560 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5580 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6556 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5980 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2436 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1484 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 616 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 7040 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: A87924E1FAF359CAB02CAA3EB4476CE2)
  • svchost.exe (PID: 6888 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Change of critical system settings

barindex
Sigma detected: Disable power options
Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 356, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 4072, ProcessName: powercfg.exe

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 356, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5448, ProcessName: powershell.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 356, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5448, ProcessName: powershell.exe
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 356, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 2436, ProcessName: sc.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 356, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5448, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6888, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

barindex
Sigma detected: Stop EventLog
Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 356, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 1484, ProcessName: sc.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: file.exeAvira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Google\Chrome\updater.exeAvira: detection malicious, Label: HEUR/AGEN.1362845
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Google\Chrome\updater.exeReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: file.exeReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: file.exe, 00000000.00000002.2234282421.00007FF7A708C000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2250877294.00007FF76C5EC000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: file.exe, 00000000.00000002.2234282421.00007FF7A708C000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2250877294.00007FF76C5EC000.00000040.00000001.01000000.00000004.sdmp

Spam, unwanted Advertisements and Ransom Demands

barindex
Modifies the hosts file
Source: C:\Users\user\Desktop\file.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

System Summary

barindex
PE file contains section with special chars
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Uses powercfg.exe to modify the power settings
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: Joe Sandbox ViewDropped File: C:\ProgramData\Google\Chrome\updater.exe 0EBDD19E9C54387639BA7462AB39FC823351BC7BC73AC937FF3764E587A0BE27
Source: updater.exe.0.drStatic PE information: Number of sections : 14 > 10
Source: file.exeStatic PE information: Number of sections : 14 > 10
Source: file.exeStatic PE information: Section: ZLIB complexity 0.9925289372150122
Source: file.exeStatic PE information: Section: ZLIB complexity 1.0022394136807817
Source: file.exeStatic PE information: Section: ZLIB complexity 1.0418250950570342
Source: file.exeStatic PE information: Section: ZLIB complexity 1.5
Source: file.exeStatic PE information: Section: ZLIB complexity 2.3333333333333335
Source: file.exeStatic PE information: Section: ZLIB complexity 1.030054644808743
Source: file.exeStatic PE information: Section: ZLIB complexity 1.1047619047619048
Source: file.exeStatic PE information: Section: .reloc ZLIB complexity 1.5
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 0.9925289372150122
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.0022394136807817
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.0418250950570342
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.5
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 2.3333333333333335
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.030054644808743
Source: updater.exe.0.drStatic PE information: Section: ZLIB complexity 1.1047619047619048
Source: updater.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engineClassification label: mal100.adwa.spyw.evad.winEXE@51/7@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5204:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vqcv2kii.ovj.ps1Jump to behavior
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\file.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: file.exeReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: file.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: file.exeStatic file information: File size 8592792 > 1048576
Source: file.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x5185fe
Source: file.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x30b400
Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: file.exe, 00000000.00000002.2234282421.00007FF7A708C000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2250877294.00007FF76C5EC000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: file.exe, 00000000.00000002.2234282421.00007FF7A708C000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2250877294.00007FF76C5EC000.00000040.00000001.01000000.00000004.sdmp
Source: initial sampleStatic PE information: section where entry point is pointing to: .boot
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .imports
Source: file.exeStatic PE information: section name: .themida
Source: file.exeStatic PE information: section name: .boot
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name:
Source: updater.exe.0.drStatic PE information: section name: .imports
Source: updater.exe.0.drStatic PE information: section name: .themida
Source: updater.exe.0.drStatic PE information: section name: .boot
Source: file.exeStatic PE information: section name: entropy: 7.960189349571651
Source: updater.exe.0.drStatic PE information: section name: entropy: 7.960189349571651
Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Google\Chrome\updater.exeJump to dropped file
Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Google\Chrome\updater.exeJump to dropped file

Boot Survival

barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeSystem information queried: FirmwareTableInformationJump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5274Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4534Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2248Thread sleep count: 5274 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3088Thread sleep count: 4534 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640Thread sleep time: -6456360425798339s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: file.exe, 00000000.00000002.2233092924.000001C8A1B6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: updater.exe, 00000022.00000002.2250059973.0000016671A6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__9Nn
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeThread information set: HideFromDebuggerJump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: regmonclass
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: procmon_window_class
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: filemonclass
Source: C:\ProgramData\Google\Chrome\updater.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeProcess queried: DebugPortJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\file.exeNtQueryInformationProcess: Indirect: 0x7FF7A721C672Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtQuerySystemInformation: Indirect: 0x7FF76C738010Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtQueryInformationProcess: Indirect: 0x7FF76C77C672Jump to behavior
Source: C:\Users\user\Desktop\file.exeNtSetInformationThread: Indirect: 0x7FF7A72525CFJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtSetInformationThread: Indirect: 0x7FF76C7B25CFJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeNtQueryInformationProcess: Indirect: 0x7FF76C7714D8Jump to behavior
Source: C:\Users\user\Desktop\file.exeNtQuerySystemInformation: Indirect: 0x7FF7A71D8010Jump to behavior
Source: C:\Users\user\Desktop\file.exeNtQueryInformationProcess: Indirect: 0x7FF7A72114D8Jump to behavior
Modifies the hosts file
Source: C:\Users\user\Desktop\file.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Modifies power options to not sleep / hibernate
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
Modifies the hosts file
Source: C:\Users\user\Desktop\file.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Service Execution		1
Windows Service		1
Windows Service		1
File and Directory Permissions Modification		OS Credential Dumping621
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		11
Process Injection		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Abuse Elevation Control Mechanism		341
Virtualization/Sandbox Evasion		Security Account Manager341
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Abuse Elevation Control Mechanism		LSA Secrets1
Remote System Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Obfuscated Files or Information		Cached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
Software Packing		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
DLL Side-Loading		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542910 Sample: file.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 100 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Sigma detected: Stop EventLog 2->50 52 4 other signatures 2->52 7 file.exe 1 3 2->7         started        11 updater.exe 2->11         started        13 svchost.exe 2->13         started        process3 file4 42 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 7->42 dropped 44 C:\Windows\System32\drivers\etc\hosts, ASCII 7->44 dropped 54 Query firmware table information (likely to detect VMs) 7->54 56 Uses powercfg.exe to modify the power settings 7->56 58 Modifies the hosts file 7->58 66 6 other signatures 7->66 15 powershell.exe 20 7->15         started        18 cmd.exe 1 7->18         started        20 powercfg.exe 1 7->20         started        22 12 other processes 7->22 60 Antivirus detection for dropped file 11->60 62 Multi AV Scanner detection for dropped file 11->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->64 signatures5 process6 signatures7 68 Loading BitLocker PowerShell Module 15->68 24 WmiPrvSE.exe 15->24         started        26 conhost.exe 15->26         started        28 conhost.exe 18->28         started        30 wusa.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 22->36         started        38 conhost.exe 22->38         started        40 9 other processes 22->40 process8

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
file.exe45%ReversingLabsWin64.Trojan.Cerbu
file.exe100%AviraHEUR/AGEN.1362845

Dropped Files

SourceDetectionScannerLabelLink
C:\ProgramData\Google\Chrome\updater.exe100%AviraHEUR/AGEN.1362845
C:\ProgramData\Google\Chrome\updater.exe45%ReversingLabsWin64.Trojan.Cerbu

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542910
Start date and time:2024-10-26 20:01:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:41
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.adwa.spyw.evad.winEXE@51/7@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • VT rate limit hit for: file.exe

Simulations

Behavior and APIs

TimeTypeDescription
14:02:00API Interceptor1x Sleep call for process: file.exe modified
14:02:02API Interceptor19x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
C:\ProgramData\Google\Chrome\updater.exeae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exeGet hashmaliciousStealc, VidarBrowse

    Created / dropped Files

    C:\ProgramData\Google\Chrome\updater.exe

    Download File
    Process:C:\Users\user\Desktop\file.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):8592792
    Entropy (8bit):7.924445628093195
    Encrypted:false
    SSDEEP:196608:BpVa77yru9Vram1nHD1bKJ+3ElG1D8n00NnkjZwGoHD:BpV0/xD1mo1a00dmwGy
    MD5:A87924E1FAF359CAB02CAA3EB4476CE2
    SHA1:501A117721B19D74DAF8EE59423CF9A5651670DF
    SHA-256:0EBDD19E9C54387639BA7462AB39FC823351BC7BC73AC937FF3764E587A0BE27
    SHA-512:82AE66FC63BDD16B64D5D2A2F2193A3758A8D532F965ED3F74C5BFAA550EE38EDFE41F2035CD1403D1AE9579D7BB749802979EFAD9328CB161DC898A6892AEFA
    Malicious:true
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 45%
    Joe Sandbox View:
    • Filename: ae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exe, Detection: malicious, Browse
    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."...........l................@..........................................`.................................................B0n.d....Pn.H...<...............................................(@n.(................................................... f.......^o.................. ..` l*... ..0....t..............@..@ ..l..P....Q.................@... ......m.......R.............@..@ ......m.......R.............@..@ ......n.......R.............@... P.....n.n.....R.............@..@ x.... n.i.....R.............@..B.imports.....0n.......R.............@....tls.........@n.......R..................rsrc........Pn.......R.............@..@.themida..W..`n...... R.............`....boot.....0.......0.. R.............`..`.reloc................................@........................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):64
    Entropy (8bit):1.1940658735648508
    Encrypted:false
    SSDEEP:3:NlllulJnp/p:NllU
    MD5:BC6DB77EB243BF62DC31267706650173
    SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
    SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
    SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
    Malicious:false
    Preview:@...e.................................X..............@..........

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atx1kxze.b3p.psm1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dttdhj3x.tsb.psm1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouxzafp2.mzc.ps1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vqcv2kii.ovj.ps1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode

    C:\Windows\System32\drivers\etc\hosts

    Download File
    Process:C:\Users\user\Desktop\file.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):2748
    Entropy (8bit):4.269302338623222
    Encrypted:false
    SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
    MD5:7B1D6A1E1228728A16B66C3714AA9A23
    SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
    SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
    SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
    Malicious:true
    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..

    Static File Info

    General

    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):7.924445628093195
    TrID:
    • Win64 Executable GUI (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:8'592'792 bytes
    MD5:a87924e1faf359cab02caa3eb4476ce2
    SHA1:501a117721b19d74daf8ee59423cf9a5651670df
    SHA256:0ebdd19e9c54387639ba7462ab39fc823351bc7bc73ac937ff3764e587a0be27
    SHA512:82ae66fc63bdd16b64d5d2a2f2193a3758a8d532f965ed3f74c5bfaa550ee38edfe41f2035cd1403d1ae9579d7bb749802979efad9328cb161dc898a6892aefa
    SSDEEP:196608:BpVa77yru9Vram1nHD1bKJ+3ElG1D8n00NnkjZwGoHD:BpV0/xD1mo1a00dmwGy
    TLSH:DB86331CFDA93F2CCDE499B314A2237E95A1DE1C593CA4D9C0341E58BEC3E4B1B62691
    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."...........l................@..........................................`........................................

    File Icon

    Icon Hash:00928e8e8686b000

    Static PE Info

    General

    Entrypoint:0x140c5e790
    Entrypoint Section:.boot
    Digitally signed:false
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x671CD3D4 [Sat Oct 26 11:34:44 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:35a81d16af9f2ba6d515f11152d0364b

    Entrypoint Preview

    Instruction
    call 00007FE014B387E7h
    inc ecx
    push edx
    dec ecx
    mov edx, esp
    inc ecx
    push edx
    dec ecx
    mov esi, dword ptr [edx+10h]
    dec ecx
    mov edi, dword ptr [edx+20h]
    cld
    mov dl, 80h
    mov al, byte ptr [esi]
    dec eax
    inc esi
    mov byte ptr [edi], al
    dec eax
    inc edi
    mov ebx, 00000002h
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007FE014B38646h
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007FE014B386C0h
    xor eax, eax
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007FE014B38768h
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    je 00007FE014B3866Bh
    push edi
    mov eax, eax
    dec eax
    sub edi, eax
    mov al, byte ptr [edi]
    pop edi
    mov byte ptr [edi], al
    dec eax
    inc edi
    mov ebx, 00000002h
    jmp 00007FE014B385EAh
    mov eax, 00000001h
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007FE014B38669h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jc 00007FE014B38648h
    sub eax, ebx
    mov ebx, 00000001h
    jne 00007FE014B38690h
    mov ecx, 00000001h

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x6e30420x64.imports
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x6e50000x348.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0xc39c3c0x1a4.themida
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0xf6a0000x10.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x6e40280x28.tls
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    0x10000x10f660x6f5e376f1cce4301ba7f37b482e960dc24beFalse0.9925289372150122data7.960189349571651IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    0x120000x2a6c0x133003a751cd425dc70caaf6dd9c3e784540False1.0022394136807817data7.92619791030994IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x150000x6c82f00x5185fe677386c255154e3971dba6eafede2ec2unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    0x6de0000x1980x10713808c9b584dc410996d20bf68c36159False1.0418250950570342data6.8916578315393915IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x6df0000x100x100e2287bbe2b3d9b3db0cb8497644e1f5False1.5data4.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x6e00000x100x6f8219398ce4b0d1217fa63573569be43False2.3333333333333335data2.584962500721156IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    0x6e10000x3500x16e9b895fbc291958b096e33f81bc13cdfcFalse1.030054644808743data7.317036341376676IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    0x6e20000x780x69150737abaab12b92993911d10d794341False1.1047619047619048data5.959157779426648IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .imports0x6e30000x10000x20046be7d863a64363f8b65a25ee833d78fFalse0.1796875data1.2657209021050075IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls0x6e40000x10000x200ec0ffde6834be88667d15ede52ae8b07False0.060546875data0.31592487960959603IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc0x6e50000x10000x4002468ef38b7adebb983068c293c71e313False0.369140625data2.858717175514925IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .themida0x6e60000x5780000x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .boot0xc5e0000x30b4000x30b4008a4fa644c9bafde05dab12145ee85b97unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .reloc0xf6a0000x10000x10a2277de4b751aa34049f7464db99f5a7False1.5GLS_BINARY_LSB_FIRST2.6493974703476995IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountryZLIB Complexity
    RT_VERSION0x6e50580x2f0SysEx File - IDPEnglishUnited States0.45611702127659576

    Imports

    DLLImport
    kernel32.dllGetModuleHandleA
    msvcrt.dll__C_specific_handler

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:14:02:00
    Start date:26/10/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x7ff7a6670000
    File size:8'592'792 bytes
    MD5 hash:A87924E1FAF359CAB02CAA3EB4476CE2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    General

    Target ID:2
    Start time:14:02:00
    Start date:26/10/2024
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    Imagebase:0x7ff6e3d50000
    File size:452'608 bytes
    MD5 hash:04029E121A0CFA5991749937DD22A1D9
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:3
    Start time:14:02:00
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:4
    Start time:14:02:04
    Start date:26/10/2024
    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    Imagebase:0x7ff717f30000
    File size:496'640 bytes
    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:5
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    Imagebase:0x7ff7026b0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:6
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop UsoSvc
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:7
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:8
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:9
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\wusa.exe
    Wow64 process (32bit):false
    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
    Imagebase:0x7ff6f2680000
    File size:345'088 bytes
    MD5 hash:FBDA2B8987895780375FE0E6254F6198
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:10
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    General

    Target ID:11
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    General

    Target ID:12
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop wuauserv
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:13
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:14
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop bits
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:15
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:16
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop dosvc
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:17
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:18
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    Imagebase:0x7ff623be0000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:19
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    Imagebase:0x7ff623be0000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:20
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:21
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    Imagebase:0x7ff623be0000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:22
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:23
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    Imagebase:0x7ff623be0000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:24
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:25
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:26
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:27
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:28
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:29
    Start time:14:02:05
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:30
    Start time:14:02:06
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop eventlog
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:31
    Start time:14:02:06
    Start date:26/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    Imagebase:0x7ff78d6f0000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:32
    Start time:14:02:06
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:33
    Start time:14:02:06
    Start date:26/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff66e660000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    General

    Target ID:34
    Start time:14:02:06
    Start date:26/10/2024
    Path:C:\ProgramData\Google\Chrome\updater.exe
    Wow64 process (32bit):false
    Commandline:C:\ProgramData\Google\Chrome\updater.exe
    Imagebase:0x7ff76bbd0000
    File size:8'592'792 bytes
    MD5 hash:A87924E1FAF359CAB02CAA3EB4476CE2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 100%, Avira
    • Detection: 45%, ReversingLabs
    Has exited:true

    General

    Target ID:37
    Start time:14:02:44
    Start date:26/10/2024
    Path:C:\Windows\System32\svchost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    Imagebase:0x7ff7403e0000
    File size:55'320 bytes
    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Has exited:false

    Disassembly

    No disassembly