laplas | 4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea

Analysis

max time kernel
298s
max time network
302s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2023 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe
Size

2.7MB
MD5

f9641c1b7583d49ab5d23b89fee3b5a9
SHA1

11e6ba6c1177b0923fccb907805ff6b6b9da674f
SHA256

4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea
SHA512

689f4fe3f3c05f9b54556236862008555a3a2ca5f205344f6635bb661ab970325d7155bbe959443b58f549bd6342d5cec316b7cda3e3e23f0add95664c3fc415
SSDEEP

49152:HwP1G8AJ8GTh4bimxjg35JN5i/R9E1DWC5K7czXPZiAQFOlmmbKDtCYXUz:EG8AXq1wDiZuDWCMczXPZiAQFOlmmbK0

Score

10^/10

laplas redline xmrig 100623_11_red meam clipper discovery evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

100623_11_red

goodlogs.neverever.ug:11615

Attributes

auth_value
d577b491cdc8c8d4548b1bf2542f3468

Extracted

Family

redline

Botnet

MeAm

165.22.100.96:81

Attributes

auth_value
a978b0ab23ddf47bb972278e7b486593

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 3540 created 3188	3540	mnhosttask.exe	26
PID 3540 created 3188	3540	mnhosttask.exe	26
PID 3540 created 3188	3540	mnhosttask.exe	26
PID 3540 created 3188	3540	mnhosttask.exe	26
PID 3540 created 3188	3540	mnhosttask.exe	26
PID 1864 created 3188	1864	updater.exe	26
PID 1864 created 3188	1864	updater.exe	26
PID 1864 created 3188	1864	updater.exe	26
PID 1864 created 3188	1864	updater.exe	26
PID 1864 created 3188	1864	updater.exe	26
PID 1864 created 3188	1864	updater.exe	26

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	clhosttask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mnhosttask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/1864-753-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	mnhosttask.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mnhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mnhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	clhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	clhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 7 IoCs

pid	Process
4436	clhosttask.exe
2096	ntlhost.exe
3540	mnhosttask.exe
3068	metaskhost.exe
3896	metaskhost.exe
4060	metaskhost.exe
1864	updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001af55-195.dat	themida
behavioral2/memory/3540-203-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp	themida
behavioral2/memory/3540-215-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp	themida
behavioral2/memory/3540-257-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp	themida
behavioral2/memory/3540-277-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp	themida
behavioral2/files/0x000800000001af55-314.dat	themida
behavioral2/memory/3540-316-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp	themida
behavioral2/files/0x000600000001af65-317.dat	themida
behavioral2/memory/1864-318-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp	themida
behavioral2/memory/1864-342-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp	themida
behavioral2/memory/1864-517-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp	themida
behavioral2/files/0x000600000001af65-750.dat	themida
behavioral2/memory/1864-753-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	clhosttask.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	clhosttask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mnhosttask.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4436	clhosttask.exe
2096	ntlhost.exe
3540	mnhosttask.exe
1864	updater.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 3068 set thread context of 3896	3068	metaskhost.exe	73
PID 3068 set thread context of 4060	3068	metaskhost.exe	74
PID 1864 set thread context of 3736	1864	updater.exe	113
PID 1864 set thread context of 3664	1864	updater.exe	114

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Chrome\updater.exe	mnhosttask.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1788	sc.exe
3464	sc.exe
4468	sc.exe
4968	sc.exe
5060	sc.exe
4144	sc.exe
4368	sc.exe
4756	sc.exe
4904	sc.exe
5052	sc.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	11	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe
2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe
4976	RegSvcs.exe
4976	RegSvcs.exe
4060	metaskhost.exe
4060	metaskhost.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
3540	mnhosttask.exe
3540	mnhosttask.exe
1864	updater.exe
1864	updater.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
1864	updater.exe
1864	updater.exe
1864	updater.exe
1864	updater.exe
1864	updater.exe
1864	updater.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
1864	updater.exe
1864	updater.exe
1864	updater.exe
1864	updater.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe
3664	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe
Token: SeDebugPrivilege	4976	RegSvcs.exe
Token: SeDebugPrivilege	3068	metaskhost.exe
Token: SeDebugPrivilege	4060	metaskhost.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe
Token: SeLoadDriverPrivilege	4428	powershell.exe
Token: SeSystemProfilePrivilege	4428	powershell.exe
Token: SeSystemtimePrivilege	4428	powershell.exe
Token: SeProfSingleProcessPrivilege	4428	powershell.exe
Token: SeIncBasePriorityPrivilege	4428	powershell.exe
Token: SeCreatePagefilePrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeRestorePrivilege	4428	powershell.exe
Token: SeShutdownPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeSystemEnvironmentPrivilege	4428	powershell.exe
Token: SeRemoteShutdownPrivilege	4428	powershell.exe
Token: SeUndockPrivilege	4428	powershell.exe
Token: SeManageVolumePrivilege	4428	powershell.exe
Token: 33	4428	powershell.exe
Token: 34	4428	powershell.exe
Token: 35	4428	powershell.exe
Token: 36	4428	powershell.exe
Token: SeShutdownPrivilege	940	powercfg.exe
Token: SeCreatePagefilePrivilege	940	powercfg.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeCreatePagefilePrivilege	5088	powercfg.exe
Token: SeShutdownPrivilege	1120	powercfg.exe
Token: SeCreatePagefilePrivilege	1120	powercfg.exe
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeCreatePagefilePrivilege	1316	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4132	powershell.exe
Token: SeSecurityPrivilege	4132	powershell.exe
Token: SeTakeOwnershipPrivilege	4132	powershell.exe
Token: SeLoadDriverPrivilege	4132	powershell.exe
Token: SeSystemProfilePrivilege	4132	powershell.exe
Token: SeSystemtimePrivilege	4132	powershell.exe
Token: SeProfSingleProcessPrivilege	4132	powershell.exe
Token: SeIncBasePriorityPrivilege	4132	powershell.exe
Token: SeCreatePagefilePrivilege	4132	powershell.exe
Token: SeBackupPrivilege	4132	powershell.exe
Token: SeRestorePrivilege	4132	powershell.exe
Token: SeShutdownPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeSystemEnvironmentPrivilege	4132	powershell.exe
Token: SeRemoteShutdownPrivilege	4132	powershell.exe
Token: SeUndockPrivilege	4132	powershell.exe
Token: SeManageVolumePrivilege	4132	powershell.exe
Token: 33	4132	powershell.exe
Token: 34	4132	powershell.exe
Token: 35	4132	powershell.exe
Token: 36	4132	powershell.exe
Token: SeIncreaseQuotaPrivilege	4132	powershell.exe
Token: SeSecurityPrivilege	4132	powershell.exe
Token: SeTakeOwnershipPrivilege	4132	powershell.exe
Token: SeLoadDriverPrivilege	4132	powershell.exe
Token: SeSystemProfilePrivilege	4132	powershell.exe
Token: SeSystemtimePrivilege	4132	powershell.exe
Token: SeProfSingleProcessPrivilege	4132	powershell.exe
Token: SeIncBasePriorityPrivilege	4132	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4268	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	66
PID 2492 wrote to memory of 4268	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	66
PID 2492 wrote to memory of 4268	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	66
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 2492 wrote to memory of 4976	2492	4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe	67
PID 4976 wrote to memory of 4436	4976	RegSvcs.exe	69
PID 4976 wrote to memory of 4436	4976	RegSvcs.exe	69
PID 4436 wrote to memory of 2096	4436	clhosttask.exe	70
PID 4436 wrote to memory of 2096	4436	clhosttask.exe	70
PID 4976 wrote to memory of 3540	4976	RegSvcs.exe	71
PID 4976 wrote to memory of 3540	4976	RegSvcs.exe	71
PID 4976 wrote to memory of 3068	4976	RegSvcs.exe	72
PID 4976 wrote to memory of 3068	4976	RegSvcs.exe	72
PID 4976 wrote to memory of 3068	4976	RegSvcs.exe	72
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 3896	3068	metaskhost.exe	73
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 3068 wrote to memory of 4060	3068	metaskhost.exe	74
PID 4820 wrote to memory of 5052	4820	cmd.exe	80
PID 4820 wrote to memory of 5052	4820	cmd.exe	80
PID 4820 wrote to memory of 5060	4820	cmd.exe	81
PID 4820 wrote to memory of 5060	4820	cmd.exe	81
PID 4820 wrote to memory of 1788	4820	cmd.exe	82
PID 4820 wrote to memory of 1788	4820	cmd.exe	82
PID 4820 wrote to memory of 4144	4820	cmd.exe	83
PID 4820 wrote to memory of 4144	4820	cmd.exe	83
PID 4820 wrote to memory of 3464	4820	cmd.exe	84
PID 4820 wrote to memory of 3464	4820	cmd.exe	84
PID 4492 wrote to memory of 940	4492	cmd.exe	89
PID 4492 wrote to memory of 940	4492	cmd.exe	89
PID 4492 wrote to memory of 5088	4492	cmd.exe	90
PID 4492 wrote to memory of 5088	4492	cmd.exe	90
PID 4492 wrote to memory of 1120	4492	cmd.exe	91
PID 4492 wrote to memory of 1120	4492	cmd.exe	91
PID 4492 wrote to memory of 1316	4492	cmd.exe	92
PID 4492 wrote to memory of 1316	4492	cmd.exe	92
PID 3980 wrote to memory of 4468	3980	cmd.exe	100
PID 3980 wrote to memory of 4468	3980	cmd.exe	100
PID 3980 wrote to memory of 4368	3980	cmd.exe	101
PID 3980 wrote to memory of 4368	3980	cmd.exe	101
PID 3980 wrote to memory of 4756	3980	cmd.exe	102
PID 3980 wrote to memory of 4756	3980	cmd.exe	102
PID 3980 wrote to memory of 4968	3980	cmd.exe	108
PID 3980 wrote to memory of 4968	3980	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe
  "C:\Users\Admin\AppData\Local\Temp\4c457d9a5596353607fe4020629c43af4414f7540cec3693e5db6e5724fcb3ea.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\clhosttask.exe
      "C:\Users\Admin\AppData\Local\Temp\clhosttask.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe
      "C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\metaskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        5⤵
        Executes dropped EXE
        
        PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5052
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5060
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1788
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4144
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4468
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4368
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4756
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4904
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4968
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5068
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4388
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1152
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3736
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\metaskhost.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
546b5e0d077a02e22b1727a551403d08

SHA1
c3bace2d5b1565b243b600cce9f101e12992cf98

SHA256
4a54a8043d532a3866f13898f8bcc6624034498a87c0434e5476e196e1bee923

SHA512
fad208c27d44ff87785a6504e69a536c46dcc0c2350f1d156ff9475fa4c1f34a18db9ed747e697cd90682213a36822ca84d312dd956b9e5a4f8268f03ab10a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dsp0pxpj.fyf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\clhosttask.exe

Filesize
3.4MB

MD5
1354442cb3869536df395a944a7720b7

SHA1
66fd1b7bc450f4d28d7ec64d0a59840882b72acf

SHA256
e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d

SHA512
b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\clhosttask.exe

Filesize
3.4MB

MD5
1354442cb3869536df395a944a7720b7

SHA1
66fd1b7bc450f4d28d7ec64d0a59840882b72acf

SHA256
e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d

SHA512
b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
734.4MB

MD5
22f4b987cb434b7442028a99b0e6d395

SHA1
e83af3ea1c9fd498af36780aa709f9ad942109aa

SHA256
360c8a72c073305c43a9245141a044c552ca3d331f6150fe146f34c9ad206b36

SHA512
7c097fd283f594cf7ed1658e5bf2481fa17c9851ee9795ffd897b1fbb023957ac83e8c03c4f1fe4b0c1e6aa65128ab27267f2545c868620d1b67bf4e6a9302fc

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
734.4MB

MD5
22f4b987cb434b7442028a99b0e6d395

SHA1
e83af3ea1c9fd498af36780aa709f9ad942109aa

SHA256
360c8a72c073305c43a9245141a044c552ca3d331f6150fe146f34c9ad206b36

SHA512
7c097fd283f594cf7ed1658e5bf2481fa17c9851ee9795ffd897b1fbb023957ac83e8c03c4f1fe4b0c1e6aa65128ab27267f2545c868620d1b67bf4e6a9302fc

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
734.4MB

MD5
22f4b987cb434b7442028a99b0e6d395

SHA1
e83af3ea1c9fd498af36780aa709f9ad942109aa

SHA256
360c8a72c073305c43a9245141a044c552ca3d331f6150fe146f34c9ad206b36

SHA512
7c097fd283f594cf7ed1658e5bf2481fa17c9851ee9795ffd897b1fbb023957ac83e8c03c4f1fe4b0c1e6aa65128ab27267f2545c868620d1b67bf4e6a9302fc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/1864-517-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp

Filesize
14.3MB

Download
memory/1864-342-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp

Filesize
14.3MB

Download
memory/1864-318-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp

Filesize
14.3MB

Download
memory/1864-753-0x00007FF664DE0000-0x00007FF665C37000-memory.dmp

Filesize
14.3MB

Download
memory/2096-751-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-189-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-540-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-679-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-319-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-196-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-213-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-193-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-192-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-507-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-188-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-187-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-391-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-186-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-185-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-184-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-214-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-327-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-276-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-256-0x0000000000AD0000-0x00000000012E8000-memory.dmp

Filesize
8.1MB

Download
memory/2492-121-0x0000000000030000-0x00000000002E2000-memory.dmp

Filesize
2.7MB

Download
memory/2492-130-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-124-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

Filesize
112KB

Download
memory/2492-142-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-144-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-126-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-146-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-123-0x0000000004C90000-0x0000000004CE6000-memory.dmp

Filesize
344KB

Download
memory/2492-136-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-138-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-140-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-148-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-122-0x0000000004B90000-0x0000000004C2C000-memory.dmp

Filesize
624KB

Download
memory/2492-134-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-125-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-128-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2492-132-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/2648-450-0x000001C68B560000-0x000001C68B570000-memory.dmp

Filesize
64KB

Download
memory/2648-396-0x00007FF774070000-0x00007FF774080000-memory.dmp

Filesize
64KB

Download
memory/2648-326-0x000001C68B560000-0x000001C68B570000-memory.dmp

Filesize
64KB

Download
memory/2648-448-0x000001C68B560000-0x000001C68B570000-memory.dmp

Filesize
64KB

Download
memory/2648-476-0x000001C68B560000-0x000001C68B570000-memory.dmp

Filesize
64KB

Download
memory/2648-347-0x000001C6A3D50000-0x000001C6A3D6C000-memory.dmp

Filesize
112KB

Download
memory/2648-353-0x000001C6A3F00000-0x000001C6A3FB9000-memory.dmp

Filesize
740KB

Download
memory/2648-474-0x000001C68B560000-0x000001C68B570000-memory.dmp

Filesize
64KB

Download
memory/2648-325-0x000001C68B560000-0x000001C68B570000-memory.dmp

Filesize
64KB

Download
memory/2648-386-0x000001C6A3D70000-0x000001C6A3D7A000-memory.dmp

Filesize
40KB

Download
memory/3068-202-0x0000000000680000-0x00000000006BE000-memory.dmp

Filesize
248KB

Download
memory/3540-277-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp

Filesize
14.3MB

Download
memory/3540-215-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp

Filesize
14.3MB

Download
memory/3540-316-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp

Filesize
14.3MB

Download
memory/3540-257-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp

Filesize
14.3MB

Download
memory/3540-203-0x00007FF610CA0000-0x00007FF611AF7000-memory.dmp

Filesize
14.3MB

Download
memory/3664-813-0x00000000010F0000-0x0000000001110000-memory.dmp

Filesize
128KB

Download
memory/3664-817-0x00000000010F0000-0x0000000001110000-memory.dmp

Filesize
128KB

Download
memory/3664-777-0x00000000017D0000-0x0000000001810000-memory.dmp

Filesize
256KB

Download
memory/4060-207-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4060-262-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4060-211-0x0000000005480000-0x00000000054CB000-memory.dmp

Filesize
300KB

Download
memory/4060-212-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4060-216-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/4132-307-0x000001B5572E0000-0x000001B5572F0000-memory.dmp

Filesize
64KB

Download
memory/4132-289-0x000001B5572E0000-0x000001B5572F0000-memory.dmp

Filesize
64KB

Download
memory/4132-287-0x000001B5572E0000-0x000001B5572F0000-memory.dmp

Filesize
64KB

Download
memory/4428-223-0x0000025D75C60000-0x0000025D75C82000-memory.dmp

Filesize
136KB

Download
memory/4428-222-0x0000025D75D30000-0x0000025D75D40000-memory.dmp

Filesize
64KB

Download
memory/4428-226-0x0000025D75F40000-0x0000025D75FB6000-memory.dmp

Filesize
472KB

Download
memory/4428-255-0x0000025D75D30000-0x0000025D75D40000-memory.dmp

Filesize
64KB

Download
memory/4428-221-0x0000025D75D30000-0x0000025D75D40000-memory.dmp

Filesize
64KB

Download
memory/4436-177-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-179-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-176-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-175-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-174-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-173-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-172-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-171-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-170-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4436-182-0x0000000000DD0000-0x00000000015E8000-memory.dmp

Filesize
8.1MB

Download
memory/4944-616-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-601-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-775-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-776-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-739-0x000002B1A7650000-0x000002B1A766C000-memory.dmp

Filesize
112KB

Download
memory/4944-501-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-502-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-677-0x00007FF7741E0000-0x00007FF7741F0000-memory.dmp

Filesize
64KB

Download
memory/4944-614-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4944-520-0x00007FF7741E0000-0x00007FF7741F0000-memory.dmp

Filesize
64KB

Download
memory/4944-603-0x000002B18E850000-0x000002B18E860000-memory.dmp

Filesize
64KB

Download
memory/4976-158-0x000000000AC70000-0x000000000ACE6000-memory.dmp

Filesize
472KB

Download
memory/4976-154-0x000000000A8E0000-0x000000000A8F2000-memory.dmp

Filesize
72KB

Download
memory/4976-157-0x000000000AAC0000-0x000000000AB0B000-memory.dmp

Filesize
300KB

Download
memory/4976-163-0x000000000C830000-0x000000000CD5C000-memory.dmp

Filesize
5.2MB

Download
memory/4976-162-0x000000000C130000-0x000000000C2F2000-memory.dmp

Filesize
1.8MB

Download
memory/4976-155-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4976-159-0x000000000AD90000-0x000000000AE22000-memory.dmp

Filesize
584KB

Download
memory/4976-156-0x000000000A940000-0x000000000A97E000-memory.dmp

Filesize
248KB

Download
memory/4976-153-0x000000000A9B0000-0x000000000AABA000-memory.dmp

Filesize
1.0MB

Download
memory/4976-152-0x000000000AE50000-0x000000000B456000-memory.dmp

Filesize
6.0MB

Download
memory/4976-160-0x000000000B960000-0x000000000BE5E000-memory.dmp

Filesize
5.0MB

Download
memory/4976-151-0x0000000001400000-0x0000000001406000-memory.dmp

Filesize
24KB

Download
memory/4976-161-0x000000000B460000-0x000000000B4C6000-memory.dmp

Filesize
408KB

Download
memory/4976-164-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4976-149-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download