laplas | 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11-06-2023 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
Size

1.7MB
MD5

a4aab901f5f4662d75a66bdb08971148
SHA1

9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
SHA256

8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
SHA512

a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
SSDEEP

24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq

Score

10^/10

laplas redline xmrig 090623_11_red clipper evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

090623_11_red

goodlogs.neverever.ug:11615

Attributes

auth_value
ca62706abf6895102883ab0c8a86ddff

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2356 created 3156	2356	mtaskhost.exe	23
PID 2356 created 3156	2356	mtaskhost.exe	23
PID 2356 created 3156	2356	mtaskhost.exe	23
PID 2356 created 3156	2356	mtaskhost.exe	23
PID 2356 created 3156	2356	mtaskhost.exe	23
PID 1028 created 3156	1028	updater.exe	23
PID 1028 created 3156	1028	updater.exe	23
PID 1028 created 3156	1028	updater.exe	23
PID 1028 created 3156	1028	updater.exe	23
PID 1028 created 3156	1028	updater.exe	23
PID 1028 created 3156	1028	updater.exe	23

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mtaskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cltaskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1028-743-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	xmrig
behavioral2/memory/1028-745-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	xmrig
behavioral2/memory/3172-751-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp	xmrig
behavioral2/memory/3172-755-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp	xmrig
behavioral2/memory/3172-758-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp	xmrig
behavioral2/memory/3172-761-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	mtaskhost.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mtaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mtaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cltaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cltaskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 4 IoCs

pid	Process
2356	mtaskhost.exe
3680	cltaskhost.exe
3868	ntlhost.exe
1028	updater.exe

Themida packer 26 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001af21-143.dat	themida
behavioral2/memory/2356-144-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-145-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-146-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-147-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-148-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-151-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-155-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-163-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/memory/2356-187-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/files/0x000700000001af21-275.dat	themida
behavioral2/memory/2356-277-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp	themida
behavioral2/files/0x000800000001af3a-279.dat	themida
behavioral2/memory/1028-280-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-281-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-282-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-283-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-284-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-285-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-286-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-289-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-294-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-633-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/files/0x000800000001af3a-742.dat	themida
behavioral2/memory/1028-743-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida
behavioral2/memory/1028-745-0x00007FF621140000-0x00007FF621F3B000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	cltaskhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cltaskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtaskhost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2356	mtaskhost.exe
3680	cltaskhost.exe
3868	ntlhost.exe
1028	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 1028 set thread context of 3164	1028	updater.exe	109
PID 1028 set thread context of 3172	1028	updater.exe	110

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	mtaskhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1588	sc.exe
4384	sc.exe
4356	sc.exe
3748	sc.exe
2896	sc.exe
4372	sc.exe
4376	sc.exe
4984	sc.exe
3972	sc.exe
4792	sc.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	14	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	jsc.exe
2896	jsc.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
2356	mtaskhost.exe
2356	mtaskhost.exe
1028	updater.exe
1028	updater.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1028	updater.exe
1028	updater.exe
1028	updater.exe
1028	updater.exe
1028	updater.exe
1028	updater.exe
3136	powershell.exe
3136	powershell.exe
3136	powershell.exe
1028	updater.exe
1028	updater.exe
1028	updater.exe
1028	updater.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe
3172	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
628	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
Token: SeDebugPrivilege	2896	jsc.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeIncreaseQuotaPrivilege	4692	powershell.exe
Token: SeSecurityPrivilege	4692	powershell.exe
Token: SeTakeOwnershipPrivilege	4692	powershell.exe
Token: SeLoadDriverPrivilege	4692	powershell.exe
Token: SeSystemProfilePrivilege	4692	powershell.exe
Token: SeSystemtimePrivilege	4692	powershell.exe
Token: SeProfSingleProcessPrivilege	4692	powershell.exe
Token: SeIncBasePriorityPrivilege	4692	powershell.exe
Token: SeCreatePagefilePrivilege	4692	powershell.exe
Token: SeBackupPrivilege	4692	powershell.exe
Token: SeRestorePrivilege	4692	powershell.exe
Token: SeShutdownPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeSystemEnvironmentPrivilege	4692	powershell.exe
Token: SeRemoteShutdownPrivilege	4692	powershell.exe
Token: SeUndockPrivilege	4692	powershell.exe
Token: SeManageVolumePrivilege	4692	powershell.exe
Token: 33	4692	powershell.exe
Token: 34	4692	powershell.exe
Token: 35	4692	powershell.exe
Token: 36	4692	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeShutdownPrivilege	5072	powercfg.exe
Token: SeCreatePagefilePrivilege	5072	powercfg.exe
Token: SeShutdownPrivilege	5092	powercfg.exe
Token: SeCreatePagefilePrivilege	5092	powercfg.exe
Token: SeShutdownPrivilege	4996	powercfg.exe
Token: SeCreatePagefilePrivilege	4996	powercfg.exe
Token: SeShutdownPrivilege	4864	powercfg.exe
Token: SeCreatePagefilePrivilege	4864	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4980	powershell.exe
Token: SeSecurityPrivilege	4980	powershell.exe
Token: SeTakeOwnershipPrivilege	4980	powershell.exe
Token: SeLoadDriverPrivilege	4980	powershell.exe
Token: SeSystemProfilePrivilege	4980	powershell.exe
Token: SeSystemtimePrivilege	4980	powershell.exe
Token: SeProfSingleProcessPrivilege	4980	powershell.exe
Token: SeIncBasePriorityPrivilege	4980	powershell.exe
Token: SeCreatePagefilePrivilege	4980	powershell.exe
Token: SeBackupPrivilege	4980	powershell.exe
Token: SeRestorePrivilege	4980	powershell.exe
Token: SeShutdownPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeSystemEnvironmentPrivilege	4980	powershell.exe
Token: SeRemoteShutdownPrivilege	4980	powershell.exe
Token: SeUndockPrivilege	4980	powershell.exe
Token: SeManageVolumePrivilege	4980	powershell.exe
Token: 33	4980	powershell.exe
Token: 34	4980	powershell.exe
Token: 35	4980	powershell.exe
Token: 36	4980	powershell.exe
Token: SeIncreaseQuotaPrivilege	4980	powershell.exe
Token: SeSecurityPrivilege	4980	powershell.exe
Token: SeTakeOwnershipPrivilege	4980	powershell.exe
Token: SeLoadDriverPrivilege	4980	powershell.exe
Token: SeSystemProfilePrivilege	4980	powershell.exe
Token: SeSystemtimePrivilege	4980	powershell.exe
Token: SeProfSingleProcessPrivilege	4980	powershell.exe
Token: SeIncBasePriorityPrivilege	4980	powershell.exe
Token: SeCreatePagefilePrivilege	4980	powershell.exe
Token: SeBackupPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2468 wrote to memory of 2896	2468	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	66
PID 2896 wrote to memory of 2356	2896	jsc.exe	68
PID 2896 wrote to memory of 2356	2896	jsc.exe	68
PID 2896 wrote to memory of 3680	2896	jsc.exe	69
PID 2896 wrote to memory of 3680	2896	jsc.exe	69
PID 3352 wrote to memory of 4384	3352	cmd.exe	76
PID 3352 wrote to memory of 4384	3352	cmd.exe	76
PID 3352 wrote to memory of 4376	3352	cmd.exe	77
PID 3352 wrote to memory of 4376	3352	cmd.exe	77
PID 3352 wrote to memory of 4356	3352	cmd.exe	78
PID 3352 wrote to memory of 4356	3352	cmd.exe	78
PID 3352 wrote to memory of 3748	3352	cmd.exe	79
PID 3352 wrote to memory of 3748	3352	cmd.exe	79
PID 3352 wrote to memory of 4984	3352	cmd.exe	80
PID 3352 wrote to memory of 4984	3352	cmd.exe	80
PID 4024 wrote to memory of 5072	4024	cmd.exe	85
PID 4024 wrote to memory of 5072	4024	cmd.exe	85
PID 4024 wrote to memory of 5092	4024	cmd.exe	86
PID 4024 wrote to memory of 5092	4024	cmd.exe	86
PID 4024 wrote to memory of 4996	4024	cmd.exe	87
PID 4024 wrote to memory of 4996	4024	cmd.exe	87
PID 3680 wrote to memory of 3868	3680	cltaskhost.exe	70
PID 3680 wrote to memory of 3868	3680	cltaskhost.exe	70
PID 4024 wrote to memory of 4864	4024	cmd.exe	88
PID 4024 wrote to memory of 4864	4024	cmd.exe	88
PID 4584 wrote to memory of 2896	4584	cmd.exe	96
PID 4584 wrote to memory of 2896	4584	cmd.exe	96
PID 4584 wrote to memory of 4372	4584	cmd.exe	97
PID 4584 wrote to memory of 4372	4584	cmd.exe	97
PID 4584 wrote to memory of 1588	4584	cmd.exe	99
PID 4584 wrote to memory of 1588	4584	cmd.exe	99
PID 4584 wrote to memory of 3972	4584	cmd.exe	98
PID 4584 wrote to memory of 3972	4584	cmd.exe	98
PID 4584 wrote to memory of 4792	4584	cmd.exe	100
PID 4584 wrote to memory of 4792	4584	cmd.exe	100
PID 4528 wrote to memory of 4924	4528	cmd.exe	105
PID 4528 wrote to memory of 4924	4528	cmd.exe	105
PID 4528 wrote to memory of 3704	4528	cmd.exe	106
PID 4528 wrote to memory of 3704	4528	cmd.exe	106
PID 4528 wrote to memory of 4808	4528	cmd.exe	107
PID 4528 wrote to memory of 4808	4528	cmd.exe	107
PID 4528 wrote to memory of 4736	4528	cmd.exe	108
PID 4528 wrote to memory of 4736	4528	cmd.exe	108
PID 1028 wrote to memory of 3164	1028	updater.exe	109
PID 1028 wrote to memory of 3172	1028	updater.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  "C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4384
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4376
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4356
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3748
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2896
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4372
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1588
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3704
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4808
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3164
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32ce93aeb9140c1d8582ff3f20579df1

SHA1
49a9bd32a726a0143e4059db46e3bae363c9db5f

SHA256
d816e33c09b4f827c8456f119e28a36f305158aeb4408ffe0090025fed0c22f6

SHA512
003477c797b5e9d057b3d7ec88622aa337c862a7340f225c6cdfbeb10381cd5957da21be7f558c094cdab036fb7358de8c15d3457efc617c968a19f30826557f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svgxaktj.0g1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe

Filesize
3.4MB

MD5
50859caa45e9d02823ae55b69fd7b645

SHA1
aec25ed88cd00fd12a18ca2714d68e33c7fd57c3

SHA256
8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

SHA512
78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe

Filesize
3.4MB

MD5
50859caa45e9d02823ae55b69fd7b645

SHA1
aec25ed88cd00fd12a18ca2714d68e33c7fd57c3

SHA256
8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

SHA512
78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe

Filesize
10.8MB

MD5
6e39a59c8f6c3f52f122f80fb0933c9f

SHA1
cb1e56e022de8660579a5812b97303529bdca5d5

SHA256
17f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671

SHA512
219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
726.4MB

MD5
589ea49c832bf701be0a01801871155a

SHA1
6061512327dd02c16d41fea1c4c6a2037fb1e43a

SHA256
bfcad67585722477d59168a217b03eb4b8f934b70c364501c93affddfdcebd1a

SHA512
fc9df6f824dbb8496e1f7b38855ea2de7ae549ea0e63a915c36a93b62562153d7287b855a83a133b67645cd0765f58b0aa2877e0b3a0c7d0063dfc544846eb8a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
726.4MB

MD5
589ea49c832bf701be0a01801871155a

SHA1
6061512327dd02c16d41fea1c4c6a2037fb1e43a

SHA256
bfcad67585722477d59168a217b03eb4b8f934b70c364501c93affddfdcebd1a

SHA512
fc9df6f824dbb8496e1f7b38855ea2de7ae549ea0e63a915c36a93b62562153d7287b855a83a133b67645cd0765f58b0aa2877e0b3a0c7d0063dfc544846eb8a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
726.4MB

MD5
589ea49c832bf701be0a01801871155a

SHA1
6061512327dd02c16d41fea1c4c6a2037fb1e43a

SHA256
bfcad67585722477d59168a217b03eb4b8f934b70c364501c93affddfdcebd1a

SHA512
fc9df6f824dbb8496e1f7b38855ea2de7ae549ea0e63a915c36a93b62562153d7287b855a83a133b67645cd0765f58b0aa2877e0b3a0c7d0063dfc544846eb8a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
10KB

MD5
46dd239c95c8186b5347a900ce231eae

SHA1
733674325a8ad34a0147479f0510bd8bc824e879

SHA256
e9abb69b1483c5e1c26d6fb755cd7147b885154a653e188f34401930d89c4116

SHA512
41ce13eee4ae7a3475e220ed224d44f2e6b03eedaea52a6119e5ebbc6751734a03cf059b94b24e052358166dca34a3a6890b626313f4b24b1d517057919941b6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/1012-328-0x00007FF73A5A0000-0x00007FF73A5B0000-memory.dmp

Filesize
64KB

Download
memory/1012-448-0x000001E3630B0000-0x000001E3630C0000-memory.dmp

Filesize
64KB

Download
memory/1012-318-0x000001E3631E0000-0x000001E3631FC000-memory.dmp

Filesize
112KB

Download
memory/1012-325-0x000001E3633C0000-0x000001E363479000-memory.dmp

Filesize
740KB

Download
memory/1012-362-0x000001E363200000-0x000001E36320A000-memory.dmp

Filesize
40KB

Download
memory/1012-327-0x000001E3630B0000-0x000001E3630C0000-memory.dmp

Filesize
64KB

Download
memory/1012-326-0x000001E3630B0000-0x000001E3630C0000-memory.dmp

Filesize
64KB

Download
memory/1012-449-0x000001E3630B0000-0x000001E3630C0000-memory.dmp

Filesize
64KB

Download
memory/1012-296-0x000001E3630B0000-0x000001E3630C0000-memory.dmp

Filesize
64KB

Download
memory/1028-282-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-633-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-745-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-294-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-280-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-289-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-281-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-283-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-284-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-285-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-286-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/1028-743-0x00007FF621140000-0x00007FF621F3B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-146-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-148-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-277-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-151-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-155-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-145-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-163-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-187-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-147-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2356-144-0x00007FF7D7D60000-0x00007FF7D8B5B000-memory.dmp

Filesize
14.0MB

Download
memory/2468-124-0x0000014F85F30000-0x0000014F85FA2000-memory.dmp

Filesize
456KB

Download
memory/2468-121-0x0000014F841F0000-0x0000014F843A6000-memory.dmp

Filesize
1.7MB

Download
memory/2468-123-0x0000014F9EEE0000-0x0000014F9F406000-memory.dmp

Filesize
5.1MB

Download
memory/2468-122-0x0000014F9E870000-0x0000014F9E880000-memory.dmp

Filesize
64KB

Download
memory/2896-131-0x000000000A4B0000-0x000000000A4EE000-memory.dmp

Filesize
248KB

Download
memory/2896-138-0x000000000CB20000-0x000000000CCE2000-memory.dmp

Filesize
1.8MB

Download
memory/2896-132-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2896-134-0x000000000A7E0000-0x000000000A856000-memory.dmp

Filesize
472KB

Download
memory/2896-135-0x000000000A900000-0x000000000A992000-memory.dmp

Filesize
584KB

Download
memory/2896-136-0x000000000B510000-0x000000000BA0E000-memory.dmp

Filesize
5.0MB

Download
memory/2896-137-0x000000000B010000-0x000000000B076000-memory.dmp

Filesize
408KB

Download
memory/2896-133-0x000000000A630000-0x000000000A67B000-memory.dmp

Filesize
300KB

Download
memory/2896-130-0x000000000A450000-0x000000000A462000-memory.dmp

Filesize
72KB

Download
memory/2896-139-0x000000000D220000-0x000000000D74C000-memory.dmp

Filesize
5.2MB

Download
memory/2896-129-0x000000000A520000-0x000000000A62A000-memory.dmp

Filesize
1.0MB

Download
memory/2896-128-0x000000000AA00000-0x000000000B006000-memory.dmp

Filesize
6.0MB

Download
memory/2896-127-0x0000000004FD0000-0x0000000004FD6000-memory.dmp

Filesize
24KB

Download
memory/2896-125-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3136-636-0x00007FF73A6F0000-0x00007FF73A700000-memory.dmp

Filesize
64KB

Download
memory/3136-451-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3136-638-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3136-692-0x000002346F120000-0x000002346F13C000-memory.dmp

Filesize
112KB

Download
memory/3136-717-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3136-718-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3136-722-0x00007FF73A6F0000-0x00007FF73A700000-memory.dmp

Filesize
64KB

Download
memory/3136-450-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3136-723-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3136-737-0x000002346EF60000-0x000002346EF70000-memory.dmp

Filesize
64KB

Download
memory/3164-757-0x00007FF7D85A0000-0x00007FF7D85CA000-memory.dmp

Filesize
168KB

Download
memory/3164-748-0x00007FF7D85A0000-0x00007FF7D85CA000-memory.dmp

Filesize
168KB

Download
memory/3172-790-0x00000000119E0000-0x0000000011A00000-memory.dmp

Filesize
128KB

Download
memory/3172-758-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp

Filesize
7.9MB

Download
memory/3172-761-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp

Filesize
7.9MB

Download
memory/3172-786-0x00000000119E0000-0x0000000011A00000-memory.dmp

Filesize
128KB

Download
memory/3172-755-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp

Filesize
7.9MB

Download
memory/3172-752-0x0000000011480000-0x00000000114C0000-memory.dmp

Filesize
256KB

Download
memory/3172-751-0x00007FF732FA0000-0x00007FF73378F000-memory.dmp

Filesize
7.9MB

Download
memory/3172-746-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/3680-160-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-161-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-162-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-164-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-165-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-166-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-172-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-158-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-233-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-157-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3680-159-0x0000000000260000-0x0000000000A58000-memory.dmp

Filesize
8.0MB

Download
memory/3868-261-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-288-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-255-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-701-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-252-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-249-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-246-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-268-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-324-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-759-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-265-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-278-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-724-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-308-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-726-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-756-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-290-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-747-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-287-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-259-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-447-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/3868-753-0x00000000003D0000-0x0000000000BC8000-memory.dmp

Filesize
8.0MB

Download
memory/4692-173-0x000002551E480000-0x000002551E490000-memory.dmp

Filesize
64KB

Download
memory/4692-174-0x000002551E480000-0x000002551E490000-memory.dmp

Filesize
64KB

Download
memory/4692-178-0x0000025536C90000-0x0000025536D06000-memory.dmp

Filesize
472KB

Download
memory/4692-208-0x000002551E480000-0x000002551E490000-memory.dmp

Filesize
64KB

Download
memory/4692-175-0x0000025536AE0000-0x0000025536B02000-memory.dmp

Filesize
136KB

Download
memory/4980-264-0x0000019BE2360000-0x0000019BE2370000-memory.dmp

Filesize
64KB

Download
memory/4980-225-0x0000019BE2360000-0x0000019BE2370000-memory.dmp

Filesize
64KB

Download
memory/4980-226-0x0000019BE2360000-0x0000019BE2370000-memory.dmp

Filesize
64KB

Download