
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546312
MD5: d9a5e741b1f67593422bfb1a165288bb
SHA1: 0bc42e46e97fbf3b0754d26d88e43945edc31a0b
SHA256: c81a924446d324b3aeb0772dfd9cbed34fb878aff823ba2888362a22f7328fe8
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the hosts file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • file.exe (PID: 5536 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D9A5E741B1F67593422BFB1A165288BB)
    • powershell.exe (PID: 3176 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4592 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 7084 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3092 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 6176 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6768 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6392 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5420 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3176 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4256 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3868 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6488 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3092 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6412 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1124 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1276 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6648 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 6788 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: D9A5E741B1F67593422BFB1A165288BB)
  • svchost.exe (PID: 6444 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5536, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 4256, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5536, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3176, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5536, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3176, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5536, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 1124, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5536, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3176, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6444, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5536, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 1276, ProcessName: sc.exe
Timestamp                       | SID     | Severity | Classtype                     | Source IP       | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T19:02:13.161990+0100 | 2022930 | 1        | A Network Trojan was detected | 172.202.163.200 | 443         | 192.168.2.5    | 49704            | TCP
2024-10-31T19:02:52.313706+0100 | 2022930 | 1        | A Network Trojan was detected | 4.245.163.56    | 443         | 192.168.2.5    | 49884            | TCP
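The process tree under Classification and the Sigma hits in the System Summary and HIPS sections describe one chain launched by file.exe (PID 5536): a Defender exclusion via Add-MpPreference, removal of KB890830 (the Malicious Software Removal Tool) with wusa, stopping the update, BITS, delivery-optimisation and EventLog services, zeroing standby/hibernate timeouts with powercfg, and registering C:\ProgramData\Google\Chrome\updater.exe as the service "GoogleUpdateTaskMachineQC". The Python below is an added example, not part of the Joe Sandbox report: it encodes each of those behaviours as a regex rule over process-creation events and reports a parent process only when several distinct rules fire beneath it, because any one of them (sc stop, powercfg) is routine on its own. The event records are constructed from the report's command lines and PIDs; the rule names and the min_rules=3 threshold are my choices.

```python
"""Detection logic for the evasion/persistence chain in this report, run over
constructed process-creation events. Added example, not part of the Joe
Sandbox report. Field names (CommandLine, Image, ParentProcessId, ProcessId)
follow the report's Sigma output; the rule names and thresholds are mine."""
import re
from collections import defaultdict

# One regex per behaviour the report attributes to file.exe (PID 5536).
RULES = {
    # Add-MpPreference -ExclusionPath/-ExclusionExtension: a Defender blind spot
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I),
    # wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool
    "msrt_uninstall": re.compile(
        r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I),
    # Windows Update / BITS / Delivery Optimization services stopped
    "stop_update_service": re.compile(
        r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I),
    # EventLog service stopped: log tampering, kept as its own rule
    "stop_eventlog": re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I),
    # powercfg zeroing standby/hibernate timeouts keeps the host awake
    "powercfg_no_sleep": re.compile(
        r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I),
    # sc create with a binpath under C:\ProgramData (the report's updater.exe)
    "service_in_programdata": re.compile(
        r"\bsc(?:\.exe)?\s+create\b.*?binpath=\s*\"?C:\\ProgramData\\", re.I),
}

def match_rules(cmdline):
    """Sorted names of every rule whose regex matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def score_parents(events, min_rules=3):
    """Group rule hits by ParentProcessId. A parent whose children trigger at
    least min_rules distinct rules is reported with the full rule set; this is
    what ties the report's many sc/powercfg children back to one PID."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["ParentProcessId"]].update(match_rules(ev["CommandLine"]))
    return {pid: sorted(r) for pid, r in by_parent.items() if len(r) >= min_rules}

# Constructed events mirroring the report's process tree (PIDs as reported).
PS = r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentProcessId": 5536, "ProcessId": 3176, "Image": PS,
     "CommandLine": PS + r" Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"ParentProcessId": 5536, "ProcessId": 7084, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"},
    {"ParentProcessId": 7084, "ProcessId": 3092, "Image": r"C:\Windows\system32\wusa.exe",
     "CommandLine": r"wusa /uninstall /kb:890830 /quiet /norestart"},
    {"ParentProcessId": 5536, "ProcessId": 6176, "Image": r"C:\Windows\system32\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop UsoSvc"},
    {"ParentProcessId": 5536, "ProcessId": 4256, "Image": r"C:\Windows\system32\powercfg.exe",
     "CommandLine": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"ParentProcessId": 5536, "ProcessId": 1124, "Image": r"C:\Windows\system32\sc.exe",
     "CommandLine": r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'},
    {"ParentProcessId": 5536, "ProcessId": 1276, "Image": r"C:\Windows\system32\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop eventlog"},
    # Benign control: the svchost.exe line the report also lists; no rule should fire.
    {"ParentProcessId": 632, "ProcessId": 6444, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager"},
]

if __name__ == "__main__":
    for pid, rules in score_parents(SAMPLE_EVENTS).items():
        print(f"parent PID {pid}: {', '.join(rules)}")
```

With the constructed events, only PID 5536 crosses the threshold (six distinct rules); the wusa.exe child of cmd.exe matches one rule under PID 7084 and is not reported on its own, which is the intended noise reduction. On a real host the same grouping should be keyed on the parent's process GUID rather than the reused PID.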


AV Detection

Source: C:\ProgramData\Google\Chrome\updater.exe | ReversingLabs: Detection: 34%
Source: file.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: file.exe, 00000000.00000002.2092681805.00007FF722782000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2110604314.00007FF61F4D2000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: file.exe, 00000000.00000002.2092681805.00007FF722782000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2110604314.00007FF61F4D2000.00000040.00000001.01000000.00000004.sdmp
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49884

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: updater.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: Joe Sandbox View | Dropped File: C:\ProgramData\Google\Chrome\updater.exe C81A924446D324B3AEB0772DFD9CBED34FB878AFF823BA2888362A22F7328FE8
Source: updater.exe.0.dr | Static PE information: Number of sections : 14 > 10
Source: file.exe | Static PE information: Number of sections : 14 > 10
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9913165758481279
Source: file.exe | Static PE information: Section: ZLIB complexity 1.0022348638764729
Source: file.exe | Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: file.exe | Static PE information: Section: ZLIB complexity 1.5625
Source: file.exe | Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: file.exe | Static PE information: Section: ZLIB complexity 1.030054644808743
Source: file.exe | Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: file.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9913165758481279
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.0022348638764729
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.5625
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.030054644808743
Source: updater.exe.0.dr | Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: updater.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
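The static findings above (14 sections where 10 is the report's threshold, section names that render blank because they contain special characters, and per-section ZLIB complexity values at or above 1.0) all come from the PE section table. ZLIB complexity here is compressed size divided by raw size, so a value above 1.0 means deflate could not shrink the bytes at all, which is what packed or encrypted content looks like; the tiny sections explain the extreme values such as 2.33, since the fixed zlib overhead dominates. The Python below is an added example, not code from the report or the sandbox: a minimal stdlib-only section parser, the three checks, and a constructed in-memory PE image to run them against. The 1.0 packed threshold and the 10-section limit are assumptions taken from the report's own wording; the test image is synthetic and cannot execute.

```python
"""Static checks behind the report's PE findings: section count above 10,
section names with bytes outside printable ASCII (rendered blank in the
report), and per-section ZLIB complexity (compressed size / raw size, where
>= 1.0 means already-incompressible, i.e. packed or encrypted, content).
Added example, not from the report or its sandbox; the parser and the
in-memory test image are constructed here and the thresholds are assumed."""
import hashlib
import struct
import zlib

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def parse_sections(data):
    """Return [(name_bytes, raw_bytes)] for each section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt        # section table follows the optional header
    out = []
    for i in range(num_sections):
        name, _vs, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        out.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return out

def zlib_complexity(raw):
    """len(zlib.compress(raw)) / len(raw); above 1.0 when deflate only adds overhead."""
    return len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0

def is_special_name(name):
    """True for an empty name or one containing bytes outside 0x21..0x7E."""
    stripped = name.rstrip(b"\0")
    return not stripped or any(b < 0x21 or b > 0x7E for b in stripped)

def analyse(data, max_sections=10, packed_threshold=1.0):
    secs = parse_sections(data)
    findings = {"section_count": len(secs), "too_many_sections": len(secs) > max_sections,
                "special_names": [], "incompressible": []}
    for name, raw in secs:
        label = name.rstrip(b"\0").decode("latin-1")
        if is_special_name(name):
            findings["special_names"].append(label)
        if zlib_complexity(raw) >= packed_threshold:
            findings["incompressible"].append(label)
    return findings

def build_test_pe(section_blobs):
    """Assemble a minimal PE32+ image in memory: DOS header with e_lfanew,
    PE signature, COFF header, zeroed 240-byte optional header, section table,
    then the section data on a 512-byte boundary. Parseable only, not loadable."""
    e_lfanew, opt_size = 0x40, 240
    first_raw = (e_lfanew + 24 + opt_size + SECTION_HDR.size * len(section_blobs) + 0x1FF) & ~0x1FF
    raw_ptr, table, blobs = first_raw, b"", b""
    for name, raw in section_blobs:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(raw), raw_ptr, len(raw), raw_ptr, 0, 0, 0, 0, 0x40000040)
        blobs += raw
        raw_ptr += len(raw)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_blobs), 0, 0, 0, opt_size, 0x22)
    img = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    img += b"PE\0\0" + coff + b"\0" * opt_size + table
    return img + b"\0" * (first_raw - len(img)) + blobs

def pseudo_random(n, seed=b"example"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed data."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed 13-section image: two ordinary sections, one packed-looking
# section with a normal name, two sections with special/empty names, and
# eight zero-filled padding sections to push the count past 10.
SAMPLE_PE = build_test_pe(
    [(b".text", b"\x90" * 2048 + b"\xC3"),
     (b".rdata", b"hello world " * 100),
     (b".data", pseudo_random(1024, b"data")),
     (b"\x01\x02\x03", pseudo_random(4096)),
     (b"", pseudo_random(4096, b"second"))]
    + [(b".s%d" % i, b"\0" * 512) for i in range(8)])

if __name__ == "__main__":
    print(analyse(SAMPLE_PE))
```

Run against a real sample, parse_sections() is the only part that changes: pass the file bytes in and the same three checks apply. Note that the complexity check deliberately separates "incompressible" from "special name": a packed .data section with an ordinary name is still flagged, and a special-named section is flagged even when its content compresses.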
Source: classification engine | Classification label: mal100.adwa.spyw.evad.winEXE@50/7@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhg4u2sd.edt.ps1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: file.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe | Static file information: File size 8707480 > 1048576
Source: file.exe | Static PE information: Raw size of (section with unprintable name) is bigger than: 0x100000 < 0x518d60
Source: file.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x326c00
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! | source: file.exe, 00000000.00000002.2092681805.00007FF722782000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2110604314.00007FF61F4D2000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb | source: file.exe, 00000000.00000002.2092681805.00007FF722782000.00000040.00000001.01000000.00000003.sdmp, updater.exe, 00000022.00000002.2110604314.00007FF61F4D2000.00000040.00000001.01000000.00000004.sdmp
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: file.exe | Static PE information: section name: (unprintable; 8 such sections listed in the report)
Source: file.exe | Static PE information: section name: .imports
Source: file.exe | Static PE information: section name: .themida
Source: file.exe | Static PE information: section name: .boot
Source: updater.exe.0.dr | Static PE information: section name: (unprintable; 8 such sections listed in the report)
Source: updater.exe.0.dr | Static PE information: section name: .imports
Source: updater.exe.0.dr | Static PE information: section name: .themida
Source: updater.exe.0.dr | Static PE information: section name: .boot
Source: file.exe | Static PE information: section name: (unprintable) entropy: 7.966483454841862
Source: updater.exe.0.dr | Static PE information: section name: (unprintable) entropy: 7.966483454841862
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\Google\Chrome\updater.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\ProgramData\Google\Chrome\updater.exe | Window searched: window name: RegmonClass
Source: C:\ProgramData\Google\Chrome\updater.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\Google\Chrome\updater.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (97 identical entries in the report)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\ProgramData\Google\Chrome\updater.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\Google\Chrome\updater.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\Google\Chrome\updater.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\Google\Chrome\updater.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\Google\Chrome\updater.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6167
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3509
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5436 | Thread sleep count: 6167 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 | Thread sleep count: 3509 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1988 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (9 identical entries in the report)
Source: file.exe, 00000000.00000002.2091950879.000001AB5123C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__t
Source: updater.exe, 00000022.00000002.2110026893.00000276B74AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\Google\Chrome\updater.exe | Open window title or class name: regmonclass
Source: C:\ProgramData\Google\Chrome\updater.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exe | Open window title or class name: procmon_window_class
Source: C:\ProgramData\Google\Chrome\updater.exe | Open window title or class name: filemonclass
Source: C:\ProgramData\Google\Chrome\updater.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugObjectHandle
Source: C:\ProgramData\Google\Chrome\updater.exe | Process queried: DebugPort
Source: C:\ProgramData\Google\Chrome\updater.exe | Process queried: DebugObjectHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exe | NtQuerySystemInformation: Indirect: 0x7FF7229243B2
Source: C:\ProgramData\Google\Chrome\updater.exe | NtQueryInformationProcess: Indirect: 0x7FF61F6B02FD
Source: C:\ProgramData\Google\Chrome\updater.exe | NtSetInformationThread: Indirect: 0x7FF61F68617E
Source: C:\ProgramData\Google\Chrome\updater.exe | NtQuerySystemInformation: Indirect: 0x7FF61F6743B2
Source: C:\ProgramData\Google\Chrome\updater.exe | NtQueryInformationProcess: Indirect: 0x7FF61F6AB642
Source: C:\Users\user\Desktop\file.exe | NtQueryInformationProcess: Indirect: 0x7FF72295B642
Source: C:\Users\user\Desktop\file.exe | NtSetInformationThread: Indirect: 0x7FF72293617E
Source: C:\Users\user\Desktop\file.exe | NtQueryInformationProcess: Indirect: 0x7FF7229602FD
Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
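
The hosts-file write recorded above is what blackholes the vendor sites shown in the dropped hosts preview further down in this report (0.0.0.0 for avast.com, totalav.com and scanguard.com). As an added example that is not part of the Joe Sandbox report, the following Python parses a hosts file and flags every non-loopback hostname pinned to an unspecified or loopback address. The sample text is reconstructed from the report's preview, and the two-label domain collapse is an assumption that fits these names.

```python
"""Flag hosts-file sinkholing of the kind seen in this sample.

Constructed example (not Joe Sandbox output): the hosts text below is rebuilt
from the dropped-file preview in this report, where the stock Microsoft header
is kept and six 0.0.0.0 mappings for security-vendor sites are appended.
"""
import ipaddress

# Names that legitimately point at loopback/unspecified addresses.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Reconstructed from the report's hosts preview ('..' there is CRLF).
SAMPLE_HOSTS = "\r\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "#",
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.",
    "#",
    "# localhost name resolution is handled within DNS itself.",
    "#\t127.0.0.1       localhost",
    "#\t::1             localhost",
    "",
    "0.0.0.0 avast.com",
    "0.0.0.0 www.avast.com",
    "0.0.0.0 totalav.com",
    "0.0.0.0 www.totalav.com",
    "0.0.0.0 scanguard.com",
    "0.0.0.0 www.scanguard.com",
]) + "\r\n"


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping. Comments and
    malformed lines are skipped; a line with several names yields several tuples."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower().rstrip(".")))
    return entries


def find_sinkholed(text):
    """Mappings that pin a real hostname to 0.0.0.0/:: or a loopback address,
    which is how this sample stops the listed vendor sites from resolving."""
    flagged = []
    for line_no, addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        if addr.is_unspecified or addr.is_loopback:
            flagged.append({"line": line_no, "ip": str(addr), "host": name})
    return flagged


def sinkholed_domains(text):
    """Collapse flagged hosts to their last two labels (good enough for the
    vendor names here; a public-suffix list would be needed for e.g. co.uk)."""
    return sorted({".".join(e["host"].split(".")[-2:]) for e in find_sinkholed(text)})


if __name__ == "__main__":
    for entry in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {entry['line']}: {entry['host']} -> {entry['ip']}")
    print("sinkholed domains:", sinkholed_domains(SAMPLE_HOSTS))
```

On a live host, read C:\Windows\System32\drivers\etc\hosts and pass its contents to find_sinkholed; an entry for anything other than localhost is worth a look, and vendor or update domains pinned to 0.0.0.0 are a strong tamper indicator.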
MITRE ATT&CK mapping (techniques with matched signatures; number of matching signatures in parentheses):

  • Execution: Service Execution (1)
  • Persistence: Windows Service (1); DLL Side-Loading (1)
  • Privilege Escalation: Windows Service (1); Process Injection (11); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
  • Defense Evasion: File and Directory Permissions Modification (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (341); Process Injection (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
  • Discovery: Security Software Discovery (621); Process Discovery (1); Virtualization/Sandbox Evasion (341); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (12)
  • No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact.
Behavior Graph ID: 1546312 | Sample: file.exe | Start date: 31/10/2024 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Multi AV Scanner detection for submitted file; Sigma detected: Stop EventLog; Sigma detected: Disable power options; 3 other signatures
  Started: file.exe, updater.exe, svchost.exe

file.exe
  Dropped: C:\ProgramData\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  Signatures: Query firmware table information (likely to detect VMs); Uses powercfg.exe to modify the power settings; Modifies the hosts file; 5 other signatures
  Started: powershell.exe, cmd.exe, powercfg.exe, 12 other processes

updater.exe
  Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Hides threads from debuggers

powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe, conhost.exe

cmd.exe
  Started: conhost.exe, wusa.exe

powercfg.exe
  Started: conhost.exe

12 other processes
  Started: conhost.exe (3), 9 other processes
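
The process tree above, read together with the command lines in the process list later in this report, is one chain: Defender exclusions added with Add-MpPreference, the Malicious Software Removal Tool (KB890830) removed through wusa, Windows Update and delivery services stopped with sc.exe, standby and hibernate timeouts zeroed with powercfg, and a service named GoogleUpdateTaskMachineQC pointed at updater.exe under C:\ProgramData. The following Python is an added detection example, not Joe Sandbox's Sigma logic: it classifies process-creation events by image and command line and raises a chain verdict when several distinct rules fire in one batch. The event list is constructed from this report's process list; the rule names and the three-rule threshold are assumptions.

```python
"""Detect the defense-impairment chain from this report's process list.

Added example, not Joe Sandbox logic. The event list is constructed from the
command lines recorded in the process list of this report; rule names and the
three-rule threshold are assumptions to tune against real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    cmdline: str


# Windows Update / delivery services this sample stops so the host stops patching.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Service binaries are expected under these roots; anything else (e.g. ProgramData) is odd.
TRUSTED_BINPATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RE_MPPREF = re.compile(r"add-mppreference\b.*-exclusion(?:path|extension|process)\b", re.I)
RE_POWERCFG = re.compile(
    r"(?:/x|-x|/change|-change)\s+-?(?:standby|hibernate|monitor|disk)-timeout-(?:ac|dc)\s+0\b", re.I)
RE_SVC_STOP = re.compile(r'\bstop\s+"?([\w.-]+)', re.I)
RE_SVC_CREATE = re.compile(r'\bcreate\s+"?[^"\s]+"?.*?binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
RE_WUSA_MSRT = re.compile(r"/uninstall\b.*/kb:890830\b", re.I)  # KB890830 = Malicious Software Removal Tool


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image, cmdline):
    """Return every rule a single process-creation event matches."""
    exe = _basename(image)
    hits = []
    if exe in ("powershell.exe", "pwsh.exe") and RE_MPPREF.search(cmdline):
        hits.append(Finding("defender_exclusion_added", image, cmdline))
    if exe == "powercfg.exe" and RE_POWERCFG.search(cmdline):
        hits.append(Finding("power_timeouts_disabled", image, cmdline))
    if exe in ("sc.exe", "net.exe", "net1.exe"):
        m = RE_SVC_STOP.search(cmdline)
        if m and m.group(1).lower() in UPDATE_SERVICES:
            hits.append(Finding("update_service_stopped", image, cmdline))
        m = RE_SVC_CREATE.search(cmdline)
        if m and not (m.group(1) or m.group(2)).lower().startswith(TRUSTED_BINPATH_PREFIXES):
            hits.append(Finding("service_binpath_outside_trusted_dirs", image, cmdline))
    if exe == "wusa.exe" and RE_WUSA_MSRT.search(cmdline):  # the cmd.exe wrapper is caught via its child
        hits.append(Finding("msrt_uninstalled", image, cmdline))
    return hits


def summarize(events):
    """Run classify over a batch; several distinct rules in one batch is the
    chain signal (the threshold of 3 is an assumption)."""
    findings = [f for ev in events for f in classify(ev["image"], ev["cmdline"])]
    rules = sorted({f.rule for f in findings})
    return {"findings": findings, "rules": rules, "chain_suspected": len(rules) >= 3}


# Constructed from the command lines in this report's process list.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"},
    {"image": r"C:\Windows\System32\wusa.exe", "cmdline": r"wusa /uninstall /kb:890830 /quiet /norestart"},
    *({"image": r"C:\Windows\System32\sc.exe", "cmdline": rf"C:\Windows\system32\sc.exe stop {svc}"}
      for svc in ("UsoSvc", "WaaSMedicSvc", "wuauserv", "bits", "dosvc")),
    *({"image": r"C:\Windows\System32\powercfg.exe", "cmdline": rf"C:\Windows\system32\powercfg.exe /x -{kind}-timeout-{power} 0"}
      for kind in ("hibernate", "standby") for power in ("ac", "dc")),
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": r'C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"'},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'},
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"[{f.rule}] {f.cmdline}")
    print("chain suspected:", result["chain_suspected"], result["rules"])
```

Each rule on its own is noisy (administrators do run powercfg and sc stop); the value is in the combination within a short window under one parent, which is why summarize counts distinct rules rather than raw hits. Feed it Sysmon event ID 1 or Security 4688 records with the Image and CommandLine fields mapped to the two keys used here.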

Source | Detection | Scanner | Label
file.exe | 34% | ReversingLabs | Win64.Trojan.Cerbu
C:\ProgramData\Google\Chrome\updater.exe | 34% | ReversingLabs | Win64.Trojan.Cerbu
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1546312
Start date and time:2024-10-31 19:01:07 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:38
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.adwa.spyw.evad.winEXE@50/7@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • VT rate limit hit for: file.exe
Time | Type | Description
14:01:54 | API Interceptor | 1x Sleep call for process: file.exe modified
14:01:56 | API Interceptor | 15x Sleep call for process: powershell.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\Google\Chrome\updater.exe | WGo3ga1AL9.exe | malicious | Stealc, Vidar
    Process:C:\Users\user\Desktop\file.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):8707480
    Entropy (8bit):7.929778234534272
    Encrypted:false
    SSDEEP:196608:50ipMncd0lHU0kioa09gMC1tFKCnuvoMTQybYD+AvBjtO7:5VpBdxRej7nuPTH25tO
    MD5:D9A5E741B1F67593422BFB1A165288BB
    SHA1:0BC42E46E97FBF3B0754D26D88E43945EDC31A0B
    SHA-256:C81A924446D324B3AEB0772DFD9CBED34FB878AFF823BA2888362A22F7328FE8
    SHA-512:5A463B581C18E2A2076BBF888EE838745EB8FEA6E718B5882951E18A213F530589CB5CF3D61E2CC4014556DC65A327B56B42B915BD9CEA488ADB4782AF151EA4
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 34%
    Joe Sandbox View:
    • Filename: WGo3ga1AL9.exe, Detection: malicious, Browse
    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...Cb#g.........."...........l................@.............................`......-.....`.................................................B0n.d....Pn.H....................P..............................(@n.(................................................... .........o.................. ..` .*... ..:....t..............@..@ ..l..P..`.Q.................@... ......m.......R.............@..@ ......m.......R.............@..@ ......n.......R.............@... P.....n.n.....R.............@..@ x.... n.i.....R.............@..B.imports.....0n...... R.............@....tls.........@n......"R..................rsrc........Pn......$R.............@..@.themida..W..`n......(R.............`....boot....l2......l2..(R.............`..`.reloc.......P.........................@........................................................
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):64
    Entropy (8bit):1.1628158735648508
    Encrypted:false
    SSDEEP:3:Nlllul5mxllp:NllU4x/
    MD5:3A925CB766CE4286E251C26E90B55CE8
    SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
    SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
    SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
    Malicious:false
    Preview:@...e................................................@..........
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Preview:# PowerShell test file to determine AppLocker lockdown mode
    Process:C:\Users\user\Desktop\file.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):2748
    Entropy (8bit):4.269302338623222
    Encrypted:false
    SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
    MD5:7B1D6A1E1228728A16B66C3714AA9A23
    SHA1:8B59677A3560777593B1FA7D67465BBD7B3BC548
    SHA-256:3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
    SHA-512:573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
    Malicious:true
    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..
    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):7.929778234534272
    TrID:
    • Win64 Executable GUI (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:8'707'480 bytes
    MD5:d9a5e741b1f67593422bfb1a165288bb
    SHA1:0bc42e46e97fbf3b0754d26d88e43945edc31a0b
    SHA256:c81a924446d324b3aeb0772dfd9cbed34fb878aff823ba2888362a22f7328fe8
    SHA512:5a463b581c18e2a2076bbf888ee838745eb8fea6e718b5882951e18a213f530589cb5cf3d61e2cc4014556dc65a327b56b42b915bd9cea488adb4782af151ea4
    SSDEEP:196608:50ipMncd0lHU0kioa09gMC1tFKCnuvoMTQybYD+AvBjtO7:5VpBdxRej7nuPTH25tO
    TLSH:5B9633B0475515F3E6B0C3B314BB73208A1D676588E843C8A96DE2858EF7E8F44A5EF1
    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...Cb#g.........."...........l................@.............................`......-.....`........................................
    Icon Hash:00928e8e8686b000
    Entrypoint:0x140c5e0b0
    Entrypoint Section:.boot
    Digitally signed:false
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x67236243 [Thu Oct 31 10:56:03 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:35a81d16af9f2ba6d515f11152d0364b
    Instruction
    call 00007F36C4807B07h
    inc ecx
    push edx
    dec ecx
    mov edx, esp
    inc ecx
    push edx
    dec ecx
    mov esi, dword ptr [edx+10h]
    dec ecx
    mov edi, dword ptr [edx+20h]
    cld
    mov dl, 80h
    mov al, byte ptr [esi]
    dec eax
    inc esi
    mov byte ptr [edi], al
    dec eax
    inc edi
    mov ebx, 00000002h
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007F36C4807966h
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007F36C48079E0h
    xor eax, eax
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jnc 00007F36C4807A88h
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    je 00007F36C480798Bh
    push edi
    mov eax, eax
    dec eax
    sub edi, eax
    mov al, byte ptr [edi]
    pop edi
    mov byte ptr [edi], al
    dec eax
    inc edi
    mov ebx, 00000002h
    jmp 00007F36C480790Ah
    mov eax, 00000001h
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    adc eax, eax
    add dl, dl
    jne 00007F36C4807989h
    mov dl, byte ptr [esi]
    dec eax
    inc esi
    adc dl, dl
    jc 00007F36C4807968h
    sub eax, ebx
    mov ebx, 00000001h
    jne 00007F36C48079B0h
    mov ecx, 00000001h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e3042 | 0x64 | .imports
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e5000 | 0x348 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc2c7d8 | 0x1a4 | .themida
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf85000 | 0x10 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x6e4028 | 0x28 | .tls
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    (blank) | 0x1000 | 0x10e86 | 0x6f1d | 0b1e42f9aaf4386549b5ced8e5ee91b4 | False | 0.9913165758481279 | data | 7.966483454841862 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    (blank) | 0x12000 | 0x2a8c | 0x133a | 9a95609c7209a2b093de54ac4eea839c | False | 1.0022348638764729 | data | 7.930134694283744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    (blank) | 0x15000 | 0x6c8310 | 0x518d60 | 3d366fae8e1974ed8d6c6c2c16f0fd32 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    (blank) | 0x6de000 | 0x198 | 0x10a | b7823523bed9b84ebc6e133cb76eca91 | False | 1.0413533834586466 | data | 6.948635904196757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    (blank) | 0x6df000 | 0x10 | 0x10 | c5ea92a2291537aa4175328ef0ed64b3 | False | 1.5625 | Non-ISO extended-ASCII text, with CR line terminators | 4.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    (blank) | 0x6e0000 | 0x10 | 0x6 | 76f27bdab5990e75288b48094655f9b0 | False | 2.3333333333333335 | data | 2.584962500721156 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    (blank) | 0x6e1000 | 0x350 | 0x16e | e1754922657dfa6158c41327c4de33e2 | False | 1.030054644808743 | data | 7.388549727691579 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    (blank) | 0x6e2000 | 0x78 | 0x69 | f5cf44af4698e06098e06bd79740b858 | False | 1.1047619047619048 | data | 6.09114149894973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .imports | 0x6e3000 | 0x1000 | 0x200 | 46be7d863a64363f8b65a25ee833d78f | False | 0.1796875 | data | 1.2657209021050075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls | 0x6e4000 | 0x1000 | 0x200 | ec0ffde6834be88667d15ede52ae8b07 | False | 0.060546875 | data | 0.31592487960959603 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6e5000 | 0x1000 | 0x400 | 2468ef38b7adebb983068c293c71e313 | False | 0.369140625 | data | 2.858717175514925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .themida | 0x6e6000 | 0x578000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .boot | 0xc5e000 | 0x326c00 | 0x326c00 | eaaee786eb318a0a46c873fee4563b1e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .reloc | 0xf85000 | 0x1000 | 0x10 | a2277de4b751aa34049f7464db99f5a7 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.6493974703476995 | IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6e5058 | 0x2f0 | SysEx File - IDP | English | United States | 0.45611702127659576
    DLL | Import
    kernel32.dll | GetModuleHandleA
    msvcrt.dll | __C_specific_handler
    Language of compilation system | Country where language is spoken
    English | United States
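
Three of the static signatures in this report (entry point lies outside standard sections, section with special chars, more sections than normal) follow directly from the section table above: the entry point 0x140c5e0b0 falls in .boot, eight sections have no printable name, and .themida is readable, writable and executable with a virtual size of 0x578000 but no raw data. As an added example that is not Joe Sandbox code, the following Python parses PE headers with only the standard library and reproduces those checks. It runs on a header-only PE32+ image constructed from the table above (the sample itself is not embedded); the section-count threshold and the protector-name list are assumptions.

```python
"""Reproduce the static PE observations from this report's section table.

Added example, not Joe Sandbox code. The input is a header-only PE32+ image
built from the report's section table, not the sample itself; the section
count threshold and protector-name list are assumptions.
"""
import struct

CODE, IDATA = 0x00000020, 0x00000040  # IMAGE_SCN_CNT_CODE / IMAGE_SCN_CNT_INITIALIZED_DATA
DISCARD, X, R, W = 0x02000000, 0x20000000, 0x40000000, 0x80000000
STANDARD_CODE_SECTIONS = {".text", "text", "code", ".code"}
PROTECTOR_SECTIONS = {b".themida", b".winlice", b".boot", b".vmp0", b".vmp1"}  # heuristic list


def build_pe64(entry_rva, sections):
    """Emit MZ + PE32+ headers + section table with no section bodies (test input only)."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))  # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                        # PE32+ optional header, zero-filled
    struct.pack_into("<H", opt, 0, 0x20B)       # magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    hdr += opt
    for name, va, vsize, rawsize, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, 0, 0, 0, 0, 0, chars)
    return bytes(hdr)


def parse_sections(data):
    """Return (entry_rva, sections) from the headers of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars})
    return entry_rva, sections


def _printable(name):
    return bool(name) and all(0x21 <= b < 0x7F for b in name)


def triage(data):
    """Human-readable findings mirroring the report's static signatures."""
    entry_rva, sections = parse_sections(data)
    out = []
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        out.append("entry point lies outside every section")
    elif entry_sec["name"].decode("latin-1").lower() not in STANDARD_CODE_SECTIONS:
        out.append(f"entry point in non-standard section {entry_sec['name']!r}")
    if len(sections) > 8:  # threshold is an assumption
        out.append(f"{len(sections)} sections (more than normal)")
    for s in sections:
        label = s["name"].decode("latin-1") if _printable(s["name"]) else repr(s["name"])
        if not _printable(s["name"]):
            out.append(f"section at RVA {s['va']:#x} has an empty or non-printable name")
        if s["chars"] & (X | W) == (X | W):
            out.append(f"section {label} is writable and executable")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            out.append(f"section {label} has no raw data but {s['vsize']:#x} bytes virtual (filled at runtime)")
        if s["name"].lower() in PROTECTOR_SECTIONS:
            out.append(f"section {label} carries a known protector name")
    return out


# Section table as listed in this report (names the report shows blank are left empty).
SAMPLE_SECTIONS = [
    (b"", 0x1000, 0x10e86, 0x6f1d, CODE | X | R), (b"", 0x12000, 0x2a8c, 0x133a, IDATA | R),
    (b"", 0x15000, 0x6c8310, 0x518d60, IDATA | R | W), (b"", 0x6de000, 0x198, 0x10a, IDATA | R),
    (b"", 0x6df000, 0x10, 0x10, IDATA | R), (b"", 0x6e0000, 0x10, 0x6, IDATA | R | W),
    (b"", 0x6e1000, 0x350, 0x16e, IDATA | R), (b"", 0x6e2000, 0x78, 0x69, IDATA | DISCARD | R),
    (b".imports", 0x6e3000, 0x1000, 0x200, IDATA | R | W), (b".tls", 0x6e4000, 0x1000, 0x200, R | W),
    (b".rsrc", 0x6e5000, 0x1000, 0x400, IDATA | R), (b".themida", 0x6e6000, 0x578000, 0x0, CODE | IDATA | X | R | W),
    (b".boot", 0xc5e000, 0x326c00, 0x326c00, CODE | IDATA | X | R), (b".reloc", 0xf85000, 0x1000, 0x10, R),
]
SAMPLE_ENTRY_RVA = 0x140c5e0b0 - 0x140000000  # entrypoint minus imagebase from the report

if __name__ == "__main__":
    for line in triage(build_pe64(SAMPLE_ENTRY_RVA, SAMPLE_SECTIONS)):
        print(line)
```

To run it against a real file, pass open(path, "rb").read() to triage; the same checks apply because only the headers are read. The zero-raw-size RWX section is the trait worth keying on: a protector stub in .boot unpacks into it at load time, so static scanners see an empty region where the real code will live.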
    No network behavior found

    Target ID:0
    Start time:14:01:53
    Start date:31/10/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x7ff721da0000
    File size:8'707'480 bytes
    MD5 hash:D9A5E741B1F67593422BFB1A165288BB
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:2
    Start time:14:01:54
    Start date:31/10/2024
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    Imagebase:0x7ff7be880000
    File size:452'608 bytes
    MD5 hash:04029E121A0CFA5991749937DD22A1D9
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:14:01:54
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    Imagebase:0x7ff6ef0c0000
    File size:496'640 bytes
    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    Imagebase:0x7ff654920000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:6
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop UsoSvc
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:7
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:8
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\wusa.exe
    Wow64 process (32bit):false
    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
    Imagebase:0x7ff6f54c0000
    File size:345'088 bytes
    MD5 hash:FBDA2B8987895780375FE0E6254F6198
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:10
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:12
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop wuauserv
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:13
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:14
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop bits
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:15
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:16
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop dosvc
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:17
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:18
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    Imagebase:0x7ff6d3000000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:19
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    Imagebase:0x7ff6d3000000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:20
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:21
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    Imagebase:0x7ff6d3000000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:22
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:23
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\powercfg.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    Imagebase:0x7ff6d3000000
    File size:96'256 bytes
    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:24
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:25
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:26
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:27
    Start time:14:01:58
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:28
    Start time:14:01:59
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:29
    Start time:14:01:59
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:30
    Start time:14:02:00
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe stop eventlog
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:31
    Start time:14:02:00
    Start date:31/10/2024
    Path:C:\Windows\System32\sc.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    Imagebase:0x7ff7d6310000
    File size:72'192 bytes
    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:32
    Start time:14:02:00
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:33
    Start time:14:02:00
    Start date:31/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:34
    Start time:14:02:00
    Start date:31/10/2024
    Path:C:\ProgramData\Google\Chrome\updater.exe
    Wow64 process (32bit):false
    Commandline:C:\ProgramData\Google\Chrome\updater.exe
    Imagebase:0x7ff61eaf0000
    File size:8'707'480 bytes
    MD5 hash:D9A5E741B1F67593422BFB1A165288BB
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 34%, ReversingLabs
    Has exited:true

    Target ID:36
    Start time:14:02:39
    Start date:31/10/2024
    Path:C:\Windows\System32\svchost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    Imagebase:0x7ff7e52b0000
    File size:55'320 bytes
    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Has exited:false

    No disassembly