amadey | 2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

Resubmissions

15-06-2023 04:44

230615-fda9msef7s 10

15-06-2023 04:22

230615-ezhp6sef24 10

Analysis

max time kernel
280s
max time network
302s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
Size

5.0MB
MD5

890e29d78179dc4611286b863c50df53
SHA1

7bee367b02f66898b9ffb0f2569ca79c04edc19a
SHA256

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734
SHA512

3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08
SSDEEP

98304:I95KeVzJFLYDAQlsumF2SEGKhq1v/28fV4AAc0cq9FcFzUkKm:ArQm2FGKq28tIbWzSm

Score

10^/10

amadey laplas redline xmrig load_am_130623 clipper discovery evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Extracted

Family

redline

Botnet

Load_Am_130623

165.22.100.96:81

Attributes

auth_value
c7e984e13f7f42d18969a2259aeadc52

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1704 created 1356	1704	mntaskost.exe	20
PID 1704 created 1356	1704	mntaskost.exe	20
PID 1704 created 1356	1704	mntaskost.exe	20
PID 1704 created 1356	1704	mntaskost.exe	20
PID 1704 created 1356	1704	mntaskost.exe	20
PID 588 created 1356	588	updater.exe	20
PID 588 created 1356	588	updater.exe	20
PID 588 created 1356	588	updater.exe	20
PID 588 created 1356	588	updater.exe	20
PID 588 created 1356	588	updater.exe	20
PID 588 created 1356	588	updater.exe	20

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cltaskost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mntaskost.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/588-313-0x000000013F560000-0x0000000140325000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	mntaskost.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mntaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mntaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cltaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cltaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 12 IoCs

pid	Process
268	oneetx.exe
1576	metaskhost.exe
520	metaskhost.exe
1468	oneetx.exe
1704	mntaskost.exe
1184	cltaskost.exe
1580	ntlhost.exe
588	updater.exe
1820	oneetx.exe
1184	oneetx.exe
1164	oneetx.exe
316	oneetx.exe

Loads dropped DLL 8 IoCs

pid	Process
2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
268	oneetx.exe
268	oneetx.exe
1576	metaskhost.exe
268	oneetx.exe
268	oneetx.exe
1184	cltaskost.exe
668	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00080000000122ec-149.dat	themida
behavioral1/files/0x00080000000122ec-178.dat	themida
behavioral1/files/0x00080000000122ec-176.dat	themida
behavioral1/memory/1704-180-0x000000013F150000-0x000000013FF15000-memory.dmp	themida
behavioral1/memory/1704-215-0x000000013F150000-0x000000013FF15000-memory.dmp	themida
behavioral1/files/0x00080000000122ec-251.dat	themida
behavioral1/files/0x000a000000012312-254.dat	themida
behavioral1/memory/1704-256-0x000000013F150000-0x000000013FF15000-memory.dmp	themida
behavioral1/files/0x000a000000012312-257.dat	themida
behavioral1/memory/588-258-0x000000013F560000-0x0000000140325000-memory.dmp	themida
behavioral1/memory/588-266-0x000000013F560000-0x0000000140325000-memory.dmp	themida
behavioral1/files/0x000a000000012312-311.dat	themida
behavioral1/memory/588-313-0x000000013F560000-0x0000000140325000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	cltaskost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mntaskost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cltaskost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1704	mntaskost.exe
1184	cltaskost.exe
1580	ntlhost.exe
588	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 520	1576	metaskhost.exe	42
PID 588 set thread context of 1608	588	updater.exe	90
PID 588 set thread context of 900	588	updater.exe	91

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	mntaskost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
804	sc.exe
1200	sc.exe
1624	sc.exe
1140	sc.exe
1612	sc.exe
1972	sc.exe
1980	sc.exe
1620	sc.exe
1476	sc.exe
2016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1468	schtasks.exe
552	schtasks.exe
340	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40076538419fd901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
268	oneetx.exe
520	metaskhost.exe
520	metaskhost.exe
1468	oneetx.exe
1704	mntaskost.exe
1704	mntaskost.exe
1792	powershell.exe
1704	mntaskost.exe
1704	mntaskost.exe
1704	mntaskost.exe
1704	mntaskost.exe
1704	mntaskost.exe
1704	mntaskost.exe
1184	powershell.exe
1704	mntaskost.exe
1704	mntaskost.exe
1820	oneetx.exe
588	updater.exe
588	updater.exe
1500	powershell.exe
588	updater.exe
588	updater.exe
588	updater.exe
588	updater.exe
588	updater.exe
588	updater.exe
1616	powershell.exe
588	updater.exe
588	updater.exe
588	updater.exe
588	updater.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
1184	oneetx.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe
900	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	metaskhost.exe
Token: SeDebugPrivilege	520	metaskhost.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeShutdownPrivilege	1992	powercfg.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeShutdownPrivilege	2008	powercfg.exe
Token: SeShutdownPrivilege	1484	powercfg.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeShutdownPrivilege	1828	powercfg.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeShutdownPrivilege	2036	powercfg.exe
Token: SeShutdownPrivilege	1896	powercfg.exe
Token: SeShutdownPrivilege	1768	powercfg.exe
Token: SeDebugPrivilege	588	updater.exe
Token: SeLockMemoryPrivilege	900	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 268	2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 2036 wrote to memory of 268	2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 2036 wrote to memory of 268	2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 2036 wrote to memory of 268	2036	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 268 wrote to memory of 1468	268	oneetx.exe	29
PID 268 wrote to memory of 1468	268	oneetx.exe	29
PID 268 wrote to memory of 1468	268	oneetx.exe	29
PID 268 wrote to memory of 1468	268	oneetx.exe	29
PID 268 wrote to memory of 984	268	oneetx.exe	31
PID 268 wrote to memory of 984	268	oneetx.exe	31
PID 268 wrote to memory of 984	268	oneetx.exe	31
PID 268 wrote to memory of 984	268	oneetx.exe	31
PID 984 wrote to memory of 1108	984	cmd.exe	33
PID 984 wrote to memory of 1108	984	cmd.exe	33
PID 984 wrote to memory of 1108	984	cmd.exe	33
PID 984 wrote to memory of 1108	984	cmd.exe	33
PID 984 wrote to memory of 1088	984	cmd.exe	34
PID 984 wrote to memory of 1088	984	cmd.exe	34
PID 984 wrote to memory of 1088	984	cmd.exe	34
PID 984 wrote to memory of 1088	984	cmd.exe	34
PID 984 wrote to memory of 1972	984	cmd.exe	35
PID 984 wrote to memory of 1972	984	cmd.exe	35
PID 984 wrote to memory of 1972	984	cmd.exe	35
PID 984 wrote to memory of 1972	984	cmd.exe	35
PID 984 wrote to memory of 1428	984	cmd.exe	36
PID 984 wrote to memory of 1428	984	cmd.exe	36
PID 984 wrote to memory of 1428	984	cmd.exe	36
PID 984 wrote to memory of 1428	984	cmd.exe	36
PID 984 wrote to memory of 1768	984	cmd.exe	37
PID 984 wrote to memory of 1768	984	cmd.exe	37
PID 984 wrote to memory of 1768	984	cmd.exe	37
PID 984 wrote to memory of 1768	984	cmd.exe	37
PID 984 wrote to memory of 280	984	cmd.exe	38
PID 984 wrote to memory of 280	984	cmd.exe	38
PID 984 wrote to memory of 280	984	cmd.exe	38
PID 984 wrote to memory of 280	984	cmd.exe	38
PID 268 wrote to memory of 1576	268	oneetx.exe	41
PID 268 wrote to memory of 1576	268	oneetx.exe	41
PID 268 wrote to memory of 1576	268	oneetx.exe	41
PID 268 wrote to memory of 1576	268	oneetx.exe	41
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1576 wrote to memory of 520	1576	metaskhost.exe	42
PID 1000 wrote to memory of 1468	1000	taskeng.exe	45
PID 1000 wrote to memory of 1468	1000	taskeng.exe	45
PID 1000 wrote to memory of 1468	1000	taskeng.exe	45
PID 1000 wrote to memory of 1468	1000	taskeng.exe	45
PID 268 wrote to memory of 1704	268	oneetx.exe	46
PID 268 wrote to memory of 1704	268	oneetx.exe	46
PID 268 wrote to memory of 1704	268	oneetx.exe	46
PID 268 wrote to memory of 1704	268	oneetx.exe	46
PID 268 wrote to memory of 1184	268	oneetx.exe	47
PID 268 wrote to memory of 1184	268	oneetx.exe	47
PID 268 wrote to memory of 1184	268	oneetx.exe	47
PID 268 wrote to memory of 1184	268	oneetx.exe	47
PID 1184 wrote to memory of 1580	1184	cltaskost.exe	48
PID 1184 wrote to memory of 1580	1184	cltaskost.exe	48
PID 1184 wrote to memory of 1580	1184	cltaskost.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
  "C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1108
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:N"
        5⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:R" /E
        5⤵
        
        PID:280
  - - C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
  - - C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1200
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2016
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1612
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1972
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1980
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:552
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1652
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:804
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1200
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1624
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1476
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:364
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:340
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1608
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900

C:\Windows\system32\taskeng.exe
taskeng.exe {CB1C30F2-6066-4746-A6DC-588619421977} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {5B36527E-83C0-437B-8193-DD592DE84DB5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:668
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
C:\Users\Admin\AppData\Local\Temp\283023626844

Filesize
65KB

MD5
02d6a029414475f4aa737d2801ecaaad

SHA1
6bffdac3dfcb544eb76d0de4b2d314e19c16ade2

SHA256
06b137faa06a748e83bf0399487e3ac725e342e6b719131fe1cde2f4c00cd665

SHA512
ce046eb5eb3d5366c9792277759474a41ab1713b79bd7aaaea5802174ad73300771315e6d8102bbd586137e8862f21d730d678b3595e4a915333808badd6dc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d943720b52bfa0d5c37ea445e543ef7a

SHA1
38fc220c5e92d1754e32b1533ce8fc8215c4051d

SHA256
5fbbf7ac7befc10bfa8081fde02b300b3e3d65194301100f55ab52eb2acbd0a5

SHA512
6ba222bf51373d2af3a09e5c4093fe57495b10003f9c0a3e99b67b643ec51a0d2f9d71bcbe69cf5364d46cd4ad0f8ae4cb17fd5cfa90f530a584534e83b6cf4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MTF719Q3T3IVZMDQJBFA.temp

Filesize
7KB

MD5
d943720b52bfa0d5c37ea445e543ef7a

SHA1
38fc220c5e92d1754e32b1533ce8fc8215c4051d

SHA256
5fbbf7ac7befc10bfa8081fde02b300b3e3d65194301100f55ab52eb2acbd0a5

SHA512
6ba222bf51373d2af3a09e5c4093fe57495b10003f9c0a3e99b67b643ec51a0d2f9d71bcbe69cf5364d46cd4ad0f8ae4cb17fd5cfa90f530a584534e83b6cf4f

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
750.4MB

MD5
b694043c3705650404854c0921f7676d

SHA1
44745aab1970b96bdc4a0083564a349aa8fceeef

SHA256
56b33d557135d316d3c63c502b7f5575aa360982637e8174a2c689a4f738af67

SHA512
f3f03bbff018beb06dcb5550f6d2c0d1895144ac00e3d83762a2d04c75a12440f399b283384875ee3cdc6bc3acf408a4891e8238bada724affed486aad0953ba

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
750.4MB

MD5
b694043c3705650404854c0921f7676d

SHA1
44745aab1970b96bdc4a0083564a349aa8fceeef

SHA256
56b33d557135d316d3c63c502b7f5575aa360982637e8174a2c689a4f738af67

SHA512
f3f03bbff018beb06dcb5550f6d2c0d1895144ac00e3d83762a2d04c75a12440f399b283384875ee3cdc6bc3acf408a4891e8238bada724affed486aad0953ba

Download Submit
memory/268-179-0x00000000044E0000-0x00000000052A5000-memory.dmp

Filesize
13.8MB

Download
memory/268-222-0x00000000044E0000-0x00000000052A5000-memory.dmp

Filesize
13.8MB

Download
memory/268-99-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/268-94-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/268-91-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/268-88-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/268-101-0x0000000000280000-0x0000000000AC7000-memory.dmp

Filesize
8.3MB

Download
memory/268-100-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/268-194-0x00000000044E0000-0x0000000004CF4000-memory.dmp

Filesize
8.1MB

Download
memory/268-97-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/268-85-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/268-233-0x00000000044E0000-0x0000000004CF4000-memory.dmp

Filesize
8.1MB

Download
memory/520-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/520-205-0x0000000000E70000-0x0000000000EB0000-memory.dmp

Filesize
256KB

Download
memory/520-143-0x0000000000E70000-0x0000000000EB0000-memory.dmp

Filesize
256KB

Download
memory/520-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/520-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/588-258-0x000000013F560000-0x0000000140325000-memory.dmp

Filesize
13.8MB

Download
memory/588-266-0x000000013F560000-0x0000000140325000-memory.dmp

Filesize
13.8MB

Download
memory/588-313-0x000000013F560000-0x0000000140325000-memory.dmp

Filesize
13.8MB

Download
memory/668-265-0x000000013F560000-0x0000000140325000-memory.dmp

Filesize
13.8MB

Download
memory/900-325-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/900-318-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1184-212-0x0000000000970000-0x0000000001184000-memory.dmp

Filesize
8.1MB

Download
memory/1184-244-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1184-246-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1184-247-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1184-245-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/1184-248-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1184-203-0x0000000000970000-0x0000000001184000-memory.dmp

Filesize
8.1MB

Download
memory/1184-249-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1468-166-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1468-156-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1468-157-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1468-159-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1468-162-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1468-163-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1468-165-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1468-168-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1468-169-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1468-171-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1468-160-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1500-294-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1500-295-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1500-293-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1500-292-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/1500-290-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1500-289-0x0000000019A20000-0x0000000019D02000-memory.dmp

Filesize
2.9MB

Download
memory/1576-135-0x0000000001320000-0x0000000001344000-memory.dmp

Filesize
144KB

Download
memory/1580-213-0x0000000001260000-0x0000000001A74000-memory.dmp

Filesize
8.1MB

Download
memory/1580-239-0x0000000001260000-0x0000000001A74000-memory.dmp

Filesize
8.1MB

Download
memory/1616-302-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1616-304-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1616-306-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1616-303-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/1704-256-0x000000013F150000-0x000000013FF15000-memory.dmp

Filesize
13.8MB

Download
memory/1704-180-0x000000013F150000-0x000000013FF15000-memory.dmp

Filesize
13.8MB

Download
memory/1704-215-0x000000013F150000-0x000000013FF15000-memory.dmp

Filesize
13.8MB

Download
memory/1792-232-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1792-228-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1792-229-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1792-230-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1792-231-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2036-70-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2036-62-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2036-61-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2036-57-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2036-55-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2036-71-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2036-67-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2036-65-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2036-59-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2036-68-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2036-72-0x0000000001290000-0x0000000001AD7000-memory.dmp

Filesize
8.3MB

Download
memory/2036-58-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2036-64-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2036-54-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2036-56-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download