amadey | dc17eaee2a8b3656a506655ba2a72ebc8b306c1f1a85d54d4b7a544f0baf2808

Analysis

max time kernel
73s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-06-2023 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
Size

1.7MB
MD5

a4aab901f5f4662d75a66bdb08971148
SHA1

9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
SHA256

8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
SHA512

a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
SSDEEP

24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq

Score

10^/10

amadey laplas redline 090623_11_red meam clipper evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

090623_11_red

goodlogs.neverever.ug:11615

Attributes

auth_value
ca62706abf6895102883ab0c8a86ddff

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Extracted

Family

redline

Botnet

MeAm

165.22.100.96:81

Attributes

auth_value
a978b0ab23ddf47bb972278e7b486593

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1884 created 1264	1884	mnhosttask.exe	13
PID 1884 created 1264	1884	mnhosttask.exe	13

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	clhosttask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mnhosttask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	clhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	clhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mnhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mnhosttask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 9 IoCs

pid	Process
1232	clhosttask.exe
1948	ntlhost.exe
1884	mnhosttask.exe
1364	metaskhost.exe
1716	metaskhost.exe
1764	oneetx.exe
2012	metaskhost.exe
1692	oneetx.exe
1416	oneetx.exe

Loads dropped DLL 11 IoCs

pid	Process
564	jsc.exe
1232	clhosttask.exe
564	jsc.exe
564	jsc.exe
564	jsc.exe
1364	metaskhost.exe
1364	metaskhost.exe
1716	metaskhost.exe
1716	metaskhost.exe
1764	oneetx.exe
1764	oneetx.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000012301-87.dat	themida
behavioral1/files/0x0008000000012301-89.dat	themida
behavioral1/memory/1884-104-0x000000013FDE0000-0x0000000140C37000-memory.dmp	themida
behavioral1/memory/1884-160-0x000000013FDE0000-0x0000000140C37000-memory.dmp	themida
behavioral1/memory/1884-172-0x000000013FDE0000-0x0000000140C37000-memory.dmp	themida
behavioral1/files/0x0008000000012301-200.dat	themida
behavioral1/memory/1884-202-0x000000013FDE0000-0x0000000140C37000-memory.dmp	themida
behavioral1/files/0x000700000001270f-213.dat	themida
behavioral1/files/0x000700000001270f-212.dat	themida
behavioral1/files/0x000700000001270f-211.dat	themida
behavioral1/memory/584-215-0x000000013F460000-0x00000001402B7000-memory.dmp	themida
behavioral1/memory/584-230-0x000000013F460000-0x00000001402B7000-memory.dmp	themida
behavioral1/memory/584-238-0x000000013F460000-0x00000001402B7000-memory.dmp	themida
behavioral1/memory/584-244-0x000000013F460000-0x00000001402B7000-memory.dmp	themida
behavioral1/files/0x000700000001270f-254.dat	themida
behavioral1/memory/584-257-0x000000013F460000-0x00000001402B7000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	clhosttask.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mnhosttask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	clhosttask.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1232	clhosttask.exe
1884	mnhosttask.exe
1948	ntlhost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1364 set thread context of 1716	1364	metaskhost.exe	34
PID 1364 set thread context of 2012	1364	metaskhost.exe	35
PID 1764 set thread context of 1692	1764	oneetx.exe	36
PID 1764 set thread context of 1416	1764	sc.exe	40

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
428	sc.exe
1764	sc.exe
1936	sc.exe
1724	sc.exe
1572	sc.exe
1936	sc.exe
952	sc.exe
1820	sc.exe
1600	sc.exe
564	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1232	schtasks.exe
836	schtasks.exe
548	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
564	jsc.exe
564	jsc.exe
1884	mnhosttask.exe
1884	mnhosttask.exe
1564	powershell.exe
1884	mnhosttask.exe
1884	mnhosttask.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
Token: SeDebugPrivilege	564	jsc.exe
Token: SeDebugPrivilege	1364	metaskhost.exe
Token: SeDebugPrivilege	1764	oneetx.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1716	metaskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 1708 wrote to memory of 564	1708	8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe	28
PID 564 wrote to memory of 1232	564	jsc.exe	30
PID 564 wrote to memory of 1232	564	jsc.exe	30
PID 564 wrote to memory of 1232	564	jsc.exe	30
PID 564 wrote to memory of 1232	564	jsc.exe	30
PID 1232 wrote to memory of 1948	1232	clhosttask.exe	31
PID 1232 wrote to memory of 1948	1232	clhosttask.exe	31
PID 1232 wrote to memory of 1948	1232	clhosttask.exe	31
PID 564 wrote to memory of 1884	564	jsc.exe	32
PID 564 wrote to memory of 1884	564	jsc.exe	32
PID 564 wrote to memory of 1884	564	jsc.exe	32
PID 564 wrote to memory of 1884	564	jsc.exe	32
PID 564 wrote to memory of 1364	564	jsc.exe	33
PID 564 wrote to memory of 1364	564	jsc.exe	33
PID 564 wrote to memory of 1364	564	jsc.exe	33
PID 564 wrote to memory of 1364	564	jsc.exe	33
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 1716	1364	metaskhost.exe	34
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1716 wrote to memory of 1764	1716	metaskhost.exe	37
PID 1716 wrote to memory of 1764	1716	metaskhost.exe	37
PID 1716 wrote to memory of 1764	1716	metaskhost.exe	37
PID 1716 wrote to memory of 1764	1716	metaskhost.exe	37
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1364 wrote to memory of 2012	1364	metaskhost.exe	35
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1692	1764	oneetx.exe	36
PID 1764 wrote to memory of 1416	1764	oneetx.exe	40
PID 1764 wrote to memory of 1416	1764	oneetx.exe	40
PID 1764 wrote to memory of 1416	1764	oneetx.exe	40
PID 1764 wrote to memory of 1416	1764	oneetx.exe	40
PID 1692 wrote to memory of 1232	1692	oneetx.exe	60

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  "C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\clhosttask.exe
      "C:\Users\Admin\AppData\Local\Temp\clhosttask.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe
      "C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\metaskhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        
        C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        7⤵
        Executes dropped EXE
        
        PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\metaskhost.exe
        5⤵
        Executes dropped EXE
        
        PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1992
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:428
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Suspicious use of SetThreadContext
    - Launches sc.exe
    PID:1764
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:952
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1936
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1232
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:836
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1488
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1532
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2040
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1192
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:796
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1820
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1600
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1572
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1936
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:564
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:328
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:872
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:548
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1740
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:628

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
  2⤵
  PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:N"
    3⤵
    PID:688
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:R" /E
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\eb0f58bce7" /P "Admin:N"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\eb0f58bce7" /P "Admin:R" /E
    3⤵
    PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-135535179410534164801190293504-731518265-390605468-98256747562068312807827650"
1⤵
PID:556

C:\Windows\system32\taskeng.exe
taskeng.exe {398197B3-0AB1-4E05-97BF-A25A2CE1F7FC} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
PID:572
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    3⤵
    PID:1064
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    3⤵
    PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {4348448F-15B6-442F-B43E-2838932B9E6E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:896
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
9.6MB

MD5
89d470dc313f4fab144272893051a224

SHA1
568af35831b680ec723d7f7ff37514ff6aa60f8c

SHA256
540d4474e3c6d2708a060656f228350072e757ced6cb7ef49cec5926289bcbc8

SHA512
81e6ecae6e95e045e127810cc5fbeca9fcb78b3c9baac4626b41a836d64e1c1e2b38fbddcd7db3fd30b16fbf2e8f7d8fe781472b251a1bce00b90375af7fa6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\499517378237

Filesize
70KB

MD5
15221554fd1af1e1485c7de112b37d3a

SHA1
1b376f585dc4a28687c0d431f676baebee3fbe57

SHA256
6491d4f49e862c36748f11b26336b9dc059f040884f2053b2b65be5d91409829

SHA512
c21ce4050999f9e62e9ded5fcac8114c74210e1199b4cae09c5306c1477e7de53fee38db48c4facce49a7f3deb62780cef17d649f6925b418a4bad8aafc26aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\clhosttask.exe

Filesize
3.4MB

MD5
1354442cb3869536df395a944a7720b7

SHA1
66fd1b7bc450f4d28d7ec64d0a59840882b72acf

SHA256
e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d

SHA512
b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\clhosttask.exe

Filesize
3.4MB

MD5
1354442cb3869536df395a944a7720b7

SHA1
66fd1b7bc450f4d28d7ec64d0a59840882b72acf

SHA256
e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d

SHA512
b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
97cd1a187f8ed6325193ea3a2ee2150e

SHA1
e76e446daa6bb9ee5f2d737b92ba4c6c20285bc7

SHA256
cd551e38ba7c051dc4d832e93c32de425c180326069d406ed075f5c6720f298e

SHA512
ad2d9e09ba6edd43aa459a3fdb8484ac40163c240ec2a2fd89e8f599f3573e7d936d4c05c007d095ebc302b607932c7f6ae92a338c4aa25509b23ca3ff05a007

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IHPZQAWIYLJZI5W8RC9Z.temp

Filesize
7KB

MD5
97cd1a187f8ed6325193ea3a2ee2150e

SHA1
e76e446daa6bb9ee5f2d737b92ba4c6c20285bc7

SHA256
cd551e38ba7c051dc4d832e93c32de425c180326069d406ed075f5c6720f298e

SHA512
ad2d9e09ba6edd43aa459a3fdb8484ac40163c240ec2a2fd89e8f599f3573e7d936d4c05c007d095ebc302b607932c7f6ae92a338c4aa25509b23ca3ff05a007

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
288.5MB

MD5
ae4c516248f2d684d121bbaa789cafac

SHA1
42a7dab9c1ece8298c7f6edd22f0c1eb3eedad76

SHA256
ea316beb529fa4c1f320fba8322f107de4cf550f415ce572ccbc2d0c3157ac86

SHA512
3e6ecb69929d5434737f89a19dcc976aeee60dc91160a5e390124e4fded57905ad958f3071055e7c8e9a276475828d293eebbdd8b0e26fe7daf7036f535431c1

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
301.1MB

MD5
554ed745801bb65c2515ccc24f20a300

SHA1
581126fa1c8ea30920352d05aa72ec90a086d299

SHA256
1754f5ec7385d0c486c3aaac167df88261b6c0b5a7d2cb83ebe44824aa87d115

SHA512
c6c2bf9023df39749d532ce28769e811e335b4579f1dd8960de50e8167b09e8e00e44a6485d3408dee79ee81981bcee269c9ac7ed65c5dd32087c498af016a7d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
\Users\Admin\AppData\Local\Temp\clhosttask.exe

Filesize
3.4MB

MD5
1354442cb3869536df395a944a7720b7

SHA1
66fd1b7bc450f4d28d7ec64d0a59840882b72acf

SHA256
e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d

SHA512
b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\metaskhost.exe

Filesize
225KB

MD5
d2e02fe7a199dbe5b469dc0b749dd493

SHA1
32fad1ef342cd4d207cd90fb687d3cb1fe886660

SHA256
0388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca

SHA512
d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd

Download Submit
\Users\Admin\AppData\Local\Temp\mnhosttask.exe

Filesize
13.2MB

MD5
4c8be1ac34612243d2306fa9adcc2fbc

SHA1
1028ba563065d4220130b35d4b0806ff4a749974

SHA256
f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960

SHA512
08b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
302.2MB

MD5
b70c59c0036db55169fc16c3084e0a1f

SHA1
9635ae06af5de0ab955690ca6549b9481117f9a6

SHA256
afb0d8d9ec8e1616df162594c651708a5d076a60d92f97df31a50e4d40dd22d7

SHA512
84bde641df1d510acd3c93c6e13c132b617e242310486f6520142f31c270b2bc7abad8403352c12e6df95c833ada86d9fcb49d4029b5e8768a5e51dadcf22afd

Download Submit
memory/564-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/564-63-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/564-62-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/564-64-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/564-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/564-90-0x0000000007130000-0x0000000007F87000-memory.dmp

Filesize
14.3MB

Download
memory/564-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/564-74-0x0000000007130000-0x0000000007948000-memory.dmp

Filesize
8.1MB

Download
memory/584-230-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/584-215-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/584-238-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/584-257-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/584-244-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/628-258-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/896-229-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/896-214-0x000000013F460000-0x00000001402B7000-memory.dmp

Filesize
14.3MB

Download
memory/1028-251-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1064-234-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/1064-222-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/1192-227-0x0000000019A90000-0x0000000019D72000-memory.dmp

Filesize
2.9MB

Download
memory/1192-236-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/1192-228-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1192-233-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/1192-232-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/1192-231-0x0000000000D30000-0x0000000000DB0000-memory.dmp

Filesize
512KB

Download
memory/1232-77-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-198-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1232-83-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-73-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-76-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-194-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1232-195-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1232-193-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1232-192-0x00000000026B0000-0x00000000026B8000-memory.dmp

Filesize
32KB

Download
memory/1232-191-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/1232-71-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-75-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-70-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1232-72-0x00000000012D0000-0x0000000001AE8000-memory.dmp

Filesize
8.1MB

Download
memory/1364-102-0x0000000000EB0000-0x0000000000EEE000-memory.dmp

Filesize
248KB

Download
memory/1416-210-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/1416-174-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/1564-153-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/1564-161-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/1564-152-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/1564-150-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/1564-149-0x000000001AFE0000-0x000000001B2C2000-memory.dmp

Filesize
2.9MB

Download
memory/1564-156-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/1692-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1692-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1692-157-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1692-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-56-0x00000000010C0000-0x0000000001132000-memory.dmp

Filesize
456KB

Download
memory/1708-55-0x0000000001310000-0x0000000001390000-memory.dmp

Filesize
512KB

Download
memory/1708-54-0x00000000013D0000-0x0000000001586000-memory.dmp

Filesize
1.7MB

Download
memory/1716-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1764-132-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1884-104-0x000000013FDE0000-0x0000000140C37000-memory.dmp

Filesize
14.3MB

Download
memory/1884-202-0x000000013FDE0000-0x0000000140C37000-memory.dmp

Filesize
14.3MB

Download
memory/1884-172-0x000000013FDE0000-0x0000000140C37000-memory.dmp

Filesize
14.3MB

Download
memory/1884-160-0x000000013FDE0000-0x0000000140C37000-memory.dmp

Filesize
14.3MB

Download
memory/1948-111-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-183-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-151-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-86-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-92-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-205-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-225-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-223-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-154-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-249-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-103-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-237-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-109-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-108-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-241-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-105-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-106-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/1948-107-0x0000000001380000-0x0000000001B98000-memory.dmp

Filesize
8.1MB

Download
memory/2012-173-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2012-247-0x0000000001290000-0x0000000001310000-memory.dmp

Filesize
512KB

Download
memory/2012-245-0x0000000001290000-0x0000000001310000-memory.dmp

Filesize
512KB

Download
memory/2012-248-0x0000000001290000-0x0000000001310000-memory.dmp

Filesize
512KB

Download
memory/2012-246-0x0000000001290000-0x0000000001310000-memory.dmp

Filesize
512KB

Download
memory/2012-243-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/2012-242-0x0000000019AF0000-0x0000000019DD2000-memory.dmp

Filesize
2.9MB

Download
memory/2012-209-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2012-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2012-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2012-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download