Analysis
max time kernel: 86s
max time network: 148s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2023 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe
  Resource: win10v2004-20230703-en
General
Target: 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe
Size: 2.1MB
MD5: 58fc32b8dd5fecda153ec0275ac5ac85
SHA1: 02bc5d590f413c10f1846eaad45db40b425351e6
SHA256: 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c
SHA512: e2587504c51ddf524ddc8969bcbec21fad3c000936718db13b0105d403f8930f21fe939ac5c81865c8d483f9ff406dea7a4ccd221861a6786997bc3902eca228
SSDEEP: 49152:2VRZIgNvEao5vRe22qrB2f2e5OUbR1S6LPYp39U0Ul/BlnjyHIG/L5LCOPA1:2VRZIgNvEao5vRe22qrB2f2e5OUb9gp2
Malware Config
Extracted: redline
  botnet: 140723_11_RED
  C2: 85.209.3.7:11615
  auth_value: 3f34a491203d0fbe384ab2b527118c80
Extracted: amadey
  version: 3.80
  C2: 45.15.156.208/jd9dd3Vw/index.php
  C2: second.amadgood.com/jd9dd3Vw/index.php
Extracted: laplas
  C2: http://168.100.10.236
  api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
  description            pid   Process      procid_target
  PID 2392 created 1196  2392  rdpcllp.exe  21             (x4)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  taskhostamd.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  taskhostclp.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  oneetx.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  ntlhost.exe

Downloads MZ/PE file

Drops file in Drivers directory (1 IoCs)
  description   ioc                                     Process
  File created  C:\Windows\System32\drivers\etc\hosts  rdpcllp.exe

Stops running service(s) (3 TTPs)
.NET Reactor protector (4 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource                                                                     yara_rule
  behavioral1/files/0x0006000000016d7f-231.dat                                 net_reactor
  behavioral1/files/0x0006000000016d7f-232.dat                                 net_reactor
  behavioral1/files/0x0006000000016d7f-228.dat                                 net_reactor
  behavioral1/memory/2496-234-0x0000000000B00000-0x0000000000E70000-memory.dmp  net_reactor
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  ntlhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   ntlhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  taskhostamd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   taskhostamd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  taskhostclp.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   taskhostclp.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  oneetx.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   oneetx.exe

Executes dropped EXE (6 IoCs)
  pid   Process
  1480  taskhostamd.exe
  3000  taskhostclp.exe
  1984  oneetx.exe
  2392  rdpcllp.exe
  2496  taskmask.exe
  2476  ntlhost.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2860  MsBuild.exe
  2860  MsBuild.exe
  1480  taskhostamd.exe
  2860  MsBuild.exe
  2860  MsBuild.exe
  3000  taskhostclp.exe
Yara rule matches: themida (22 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x001b000000016c0a-102.dat                                 themida
  behavioral1/files/0x001b000000016c0a-105.dat                                 themida
  behavioral1/memory/1480-107-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1480-109-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1480-114-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1480-122-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1480-124-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/files/0x001b000000016c0a-140.dat                                 themida
  behavioral1/files/0x0007000000016d46-141.dat                                 themida
  behavioral1/files/0x0007000000016d46-150.dat                                 themida
  behavioral1/files/0x0007000000016d46-147.dat                                 themida
  behavioral1/memory/1480-145-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1984-152-0x0000000000ED0000-0x00000000015C6000-memory.dmp  themida
  behavioral1/memory/1984-153-0x0000000000ED0000-0x00000000015C6000-memory.dmp  themida
  behavioral1/memory/1984-155-0x0000000000ED0000-0x00000000015C6000-memory.dmp  themida
  behavioral1/memory/1480-160-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1984-161-0x0000000000ED0000-0x00000000015C6000-memory.dmp  themida
  behavioral1/memory/1480-162-0x0000000001250000-0x0000000001946000-memory.dmp  themida
  behavioral1/memory/1984-159-0x0000000000ED0000-0x00000000015C6000-memory.dmp  themida
  behavioral1/files/0x0007000000016d46-170.dat                                 themida
  behavioral1/memory/1984-176-0x0000000000ED0000-0x00000000015C6000-memory.dmp  themida
  behavioral1/files/0x0007000000016d46-399.dat                                 themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  taskhostclp.exe
Checks whether UAC is enabled (4 IoCs)
  description        ioc                                                                        Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ntlhost.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  taskhostamd.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  taskhostclp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  oneetx.exe
Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                                              Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid   Process
  1480  taskhostamd.exe
  3000  taskhostclp.exe
  1984  oneetx.exe
  2476  ntlhost.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process                                                                  procid_target
  PID 2596 set thread context of 2860   2596  0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe  28
  PID 2496 set thread context of 2596   2496  taskmask.exe                                                             52
Launches sc.exe (8 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid   Process
  1436  sc.exe
  1712  sc.exe
  2304  sc.exe
  1856  sc.exe
  3024  sc.exe
  2604  sc.exe
  1788  sc.exe
  2236  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  296   schtasks.exe
  3060  schtasks.exe

GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
  description             flow  ioc
  HTTP User-Agent header  9     Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  2860  MsBuild.exe
  2860  MsBuild.exe
  1480  taskhostamd.exe
  1984  oneetx.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe
  1744  powershell.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe
  2596  MsBuild.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe
  2392  rdpcllp.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2596  0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe
  Token: SeDebugPrivilege  2860  MsBuild.exe
  Token: SeDebugPrivilege  2496  taskmask.exe
  Token: SeDebugPrivilege  1744  powershell.exe
  Token: SeDebugPrivilege  2596  MsBuild.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  1480  taskhostamd.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2596 wrote to memory of 2860   2596  0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe  28  (x9)
  PID 2860 wrote to memory of 1480   2860  MsBuild.exe                                                              32  (x4)
  PID 2860 wrote to memory of 3000   2860  MsBuild.exe                                                              33  (x4)
  PID 1480 wrote to memory of 1984   1480  taskhostamd.exe                                                          34  (x4)
  PID 1984 wrote to memory of 296    1984  oneetx.exe                                                               35  (x4)
  PID 1984 wrote to memory of 2052   1984  oneetx.exe                                                               37  (x4)
  PID 2052 wrote to memory of 1580   2052  cmd.exe                                                                  39  (x4)
  PID 2052 wrote to memory of 2536   2052  cmd.exe                                                                  40  (x4)
  PID 2052 wrote to memory of 2612   2052  cmd.exe                                                                  41  (x4)
  PID 2052 wrote to memory of 1516   2052  cmd.exe                                                                  43  (x4)
  PID 2052 wrote to memory of 2080   2052  cmd.exe                                                                  42  (x4)
  PID 2860 wrote to memory of 2392   2860  MsBuild.exe                                                              44  (x4)
  PID 2052 wrote to memory of 1104   2052  cmd.exe                                                                  45  (x4)
  PID 2860 wrote to memory of 2496   2860  MsBuild.exe                                                              48  (x4)
  PID 3000 wrote to memory of 2476   3000  taskhostclp.exe                                                          49  (x3)
Processes

C:\Windows\Explorer.EXE  (PID 1196)
  cmd: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe  (PID 2596)
    cmd: "C:\Users\Admin\AppData\Local\Temp\0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe  (PID 2860)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\taskhostamd.exe  (PID 1480)
        cmd: "C:\Users\Admin\AppData\Local\Temp\taskhostamd.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe  (PID 1984)
          cmd: "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\schtasks.exe  (PID 296)
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\cmd.exe  (PID 2052)
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  (PID 1580)
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe  (PID 2536)
              cmd: CACLS "oneetx.exe" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe  (PID 2612)
              cmd: CACLS "oneetx.exe" /P "Admin:R" /E
            C:\Windows\SysWOW64\cacls.exe  (PID 2080)
              cmd: CACLS "..\eb0f58bce7" /P "Admin:N"
            C:\Windows\SysWOW64\cmd.exe  (PID 1516)
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe  (PID 1104)
              cmd: CACLS "..\eb0f58bce7" /P "Admin:R" /E
      C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe  (PID 3000)
        cmd: "C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (PID 2476)
          cmd: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
      C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe  (PID 2392)
        cmd: "C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\taskmask.exe  (PID 2496)
        cmd: "C:\Users\Admin\AppData\Local\Temp\taskmask.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe  (PID 2596)
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1744)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe  (PID 2692)
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    C:\Windows\System32\sc.exe  (PID 1856)
      cmd: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  (PID 3024)
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  (PID 2604)
      cmd: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe  (PID 1788)
      cmd: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe  (PID 2236)
      cmd: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  (PID 1916)
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\powercfg.exe  (PID 2228)
      cmd: powercfg /x -hibernate-timeout-ac 0
    C:\Windows\System32\powercfg.exe  (PID 2892)
      cmd: powercfg /x -hibernate-timeout-dc 0
    C:\Windows\System32\powercfg.exe  (PID 1940)
      cmd: powercfg /x -standby-timeout-ac 0
    C:\Windows\System32\powercfg.exe  (PID 1660)
      cmd: powercfg /x -standby-timeout-dc 0
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1848)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    C:\Windows\system32\schtasks.exe  (PID 3060)
      cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)
  C:\Windows\System32\schtasks.exe  (PID 2080)
    cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 552)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  C:\Windows\System32\cmd.exe  (PID 2144)
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    C:\Windows\System32\sc.exe  (PID 1436)
      cmd: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  (PID 1712)
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  (PID 2304)
      cmd: sc stop wuauserv
      - Launches sc.exe

C:\Windows\system32\taskeng.exe  (PID 2468)
  cmd: taskeng.exe {788EE288-8AB8-40EA-A05B-ED3E35064F27} S-1-5-18:NT AUTHORITY\System:Service:
  C:\Program Files\Google\Chrome\updater.exe  (PID 1348)
    cmd: "C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\taskeng.exe  (PID 748)
  cmd: taskeng.exe {E01E1316-F764-4208-86DD-A1C304B33AFC} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe  (PID 2888)
    cmd: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 10.5MB  (listed 7 times)
  MD5:    78e97779f936b06a8c4c96240b7bc85b
  SHA1:   c005df8a050723df4127a429b00b9e1ac489c3ff
  SHA256: f4edf7a7d5dba93cbf95ed6b266b64579544676b1f09a27fa487d3c95700eadc
  SHA512: cda792eeb136f3d9a4136c4d7a38056835a01d1bad31e4d12f5381a3fdb86b24b7b1690c77c10f8244806b6316be07c78d1ffa4886ecf0a133b1d57d319f08d2

Filesize: 63KB
  MD5:    aed73c6ddbb8d401d499e7127a7c4ba5
  SHA1:   d8a28666890ccbf3d364d03d116c34f9d90b7f72
  SHA256: d1ee832e73feb27349b363c46f5beaa68c55576905b3905ad5be4deddcb56df5
  SHA512: 2645d7217402570595e6e2d65deba253b7c03c9848eaf0cfdc852b808da1ec1ce3b66ebd89bb5616784293bc21efa78864f5dbcd134f060896ec75d347f0fb75

Filesize: 6.8MB  (listed 8 times)
  MD5:    4fcd70f4d036361d2fef09cf03932f7b
  SHA1:   b8c39838498676d95a267e8f9ee2bb59edb8e76e
  SHA256: bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
  SHA512: 3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

Filesize: 3.2MB  (listed 3 times)
  MD5:    4472444218925ed8fd4982f141af1978
  SHA1:   101ff99cec2f571002915f23290d495671967db3
  SHA256: 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c
  SHA512: b2255bced17a9cf9ab8afb461cea7005d2df77984f3122609d82d9a2f7f5ec3ca23ee8f20f609e60937db134ef721bf90fd759ddbe4df9acbf6216d8d2e15cff

Filesize: 3.4MB  (listed 3 times)
  MD5:    126db18bbcf58a186b422970c57e4dbf
  SHA1:   97246ee3686052bb9e1142ac789b421b1bb067cc
  SHA256: 85693616d48b2266134fccd7197503d7da7d317c318016ea0f988c414a10e756
  SHA512: 59a58b17323329286bfc85d410fb7d269f6df82d05fc603871ac4f3440e4cf36e5e4f3a5f19a410fa7f9b4c23785bf38440396e847bb1d87611c2551a12fbca6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
  MD5:    961efbb57d1b6b964a0de064fd044f18
  SHA1:   c09c1d2814d85b23225a2db4ac324d7657a5a08a
  SHA256: 5f9ae52e3ccb79065f2b45caf244139ad50dfbb6c1181fa5f90a07fb9e60792d
  SHA512: 5c5eec19c29ac26f0bc1ce0789b617c66d640d670a379bfef42602f175e2faee164c80584dd5d4113d81b0d9b0402a31f878fedff39e7361666a7bad48a31bc9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X2WPZOJF6FEFP811L02E.temp
Filesize: 7KB
  MD5:    961efbb57d1b6b964a0de064fd044f18
  SHA1:   c09c1d2814d85b23225a2db4ac324d7657a5a08a
  SHA256: 5f9ae52e3ccb79065f2b45caf244139ad50dfbb6c1181fa5f90a07fb9e60792d
  SHA512: 5c5eec19c29ac26f0bc1ce0789b617c66d640d670a379bfef42602f175e2faee164c80584dd5d4113d81b0d9b0402a31f878fedff39e7361666a7bad48a31bc9

Filesize: 329.3MB
  MD5:    2d7eac9a995170478d3ee009e6609aa7
  SHA1:   8961e2ad84d381b8f4973c9203269a7b05d5d86d
  SHA256: b8f7c3e0b0b7301b48b9112db46321b9e91879060a65120a3018e530dd147a82
  SHA512: eb433218986ea33a27511fb5616e25695c185c27a26b20b51086458a3c0c1241e0ef8f7456b44727843002763e9d5327aa7f4f387404547ffdd284ae550c0c8e

Filesize: 267.1MB
  MD5:    93c366214c4bfc8c153e02ff42ae855a
  SHA1:   9b1527e34be108884d3b1761fe03ddc1c314dbfd
  SHA256: a80ba57e789e888106ab4418c20a38dd83e7dde147dfff32e9cc9d73a345bdc2
  SHA512: dacb90ad7a9542849c78f2c5de1e309314ee8469a3ec98e806fe1da8b2492832396e34f99ecb15a180630a755aa84298dcac193e7bba4ea2df022c143939734c

Filesize: 319.0MB
  MD5:    ea6a435119ef87a67d7c8b9048bb91d8
  SHA1:   1c30bb443122821bfe61eb0a5a62e6c68b87e95e
  SHA256: 0af9cbab4221adeef7e8f0478cab5351f0025fae7b8fe0ca6279c7cf0bacb8c8
  SHA512: 2b1d946fc0aab1ea57dff0e540455a5ea3e8223175f3f211a05fd78ab66e6c573d5f32309b9df94c34da252216bbb6986531dfcbe9edf5516afacac4722dff35