amadey | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

Analysis

max time kernel
142s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
01-08-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.5MB
MD5

89e9bc7a5d97370a0f4a35041a54a696
SHA1

c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256

9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512

12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
SSDEEP

196608:3PbBDSjGzSuyKff2j6pdVY3d2dZo2tOuAX+W6+B6VJN1lev:3JKGzXuTwdZdLM+JS

Score

10^/10

amadey laplas redline clipper evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Extracted

Family

laplas

http://206.189.229.43

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2952-116-0x0000000000020000-0x00000000001F7000-memory.dmp	family_redline
behavioral1/memory/3040-118-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/3040-124-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/3040-125-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

rdpcllp.exeupdater.exe

description	pid	process	target process
PID 2404 created 1228	2404	rdpcllp.exe	Explorer.EXE
PID 2404 created 1228	2404	rdpcllp.exe	Explorer.EXE
PID 2404 created 1228	2404	rdpcllp.exe	Explorer.EXE
PID 2404 created 1228	2404	rdpcllp.exe	Explorer.EXE
PID 2404 created 1228	2404	rdpcllp.exe	Explorer.EXE
PID 640 created 1228	640	updater.exe	Explorer.EXE
PID 640 created 1228	640	updater.exe	Explorer.EXE
PID 640 created 1228	640	updater.exe	Explorer.EXE
PID 640 created 1228	640	updater.exe	Explorer.EXE
PID 640 created 1228	640	updater.exe	Explorer.EXE
PID 640 created 1228	640	updater.exe	Explorer.EXE

Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

rdpcllp.exeupdater.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts rdpcllp.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 8 IoCs

Processes:

oneetx.exetaskmask.exerdpcllp.exetaskhostclp.exentlhost.exeoneetx.exeupdater.exeoneetx.exe

pid process

2824 oneetx.exe
2952 taskmask.exe
2404 rdpcllp.exe
1772 taskhostclp.exe
1612 ntlhost.exe
1944 oneetx.exe
640 updater.exe
1644 oneetx.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	rdpcllp.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

pid	process
2824	oneetx.exe
2952	taskmask.exe
2404	rdpcllp.exe
1772	taskhostclp.exe
1612	ntlhost.exe
1944	oneetx.exe
640	updater.exe
1644	oneetx.exe

Loads dropped DLL 10 IoCs

Processes:

tmp.exeoneetx.exeWerFault.exetaskhostclp.exetaskeng.exe

pid	process
3020	tmp.exe
2824	oneetx.exe
2824	oneetx.exe
2896	WerFault.exe
2896	WerFault.exe
2824	oneetx.exe
2896	WerFault.exe
2824	oneetx.exe
1772	taskhostclp.exe
2720	taskeng.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe	themida
\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe	themida
behavioral1/memory/2404-144-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-143-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-156-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-158-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-159-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-160-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-165-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-179-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-190-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
behavioral1/memory/2404-229-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe	themida
behavioral1/memory/2404-265-0x000000013FED0000-0x0000000140D1A000-memory.dmp	themida
\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/2720-269-0x000000013F9E0000-0x000000014082A000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/640-271-0x000000013F9E0000-0x000000014082A000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

taskhostclp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	taskhostclp.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

rdpcllp.exetaskhostclp.exentlhost.exeupdater.exe

pid process

2404 rdpcllp.exe
1772 taskhostclp.exe
1612 ntlhost.exe
640 updater.exe

pid	process
2404	rdpcllp.exe
1772	taskhostclp.exe
1612	ntlhost.exe
640	updater.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

taskmask.exeupdater.exe

description	pid	process	target process
PID 2952 set thread context of 3040	2952	taskmask.exe	AppLaunch.exe
PID 640 set thread context of 2268	640	updater.exe	conhost.exe
PID 640 set thread context of 1852	640	updater.exe	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

updater.exerdpcllp.exe

description ioc process

File created C:\Program Files\Google\Libs\WR64.sys updater.exe
File created C:\Program Files\Google\Chrome\updater.exe rdpcllp.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1404 sc.exe
2240 sc.exe
588 sc.exe
2808 sc.exe
1036 sc.exe
992 sc.exe
1528 sc.exe
2332 sc.exe
1556 sc.exe
1156 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2896 2952 WerFault.exe taskmask.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2888 schtasks.exe
2832 schtasks.exe
1324 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 9 Go-http-client/1.1

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Chrome\updater.exe	rdpcllp.exe

pid	process
1404	sc.exe
2240	sc.exe
588	sc.exe
2808	sc.exe
1036	sc.exe
992	sc.exe
1528	sc.exe
2332	sc.exe
1556	sc.exe
1156	sc.exe

pid	pid_target	process	target process
2896	2952	WerFault.exe	taskmask.exe

pid	process
2888	schtasks.exe
2832	schtasks.exe
1324	schtasks.exe

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50145b4e4dc4d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

tmp.exeoneetx.exerdpcllp.exepowershell.exeoneetx.exepowershell.exeAppLaunch.exeupdater.exepowershell.exepowershell.exeoneetx.exeexplorer.exe

pid	process
3020	tmp.exe
2824	oneetx.exe
2404	rdpcllp.exe
2404	rdpcllp.exe
112	powershell.exe
2404	rdpcllp.exe
2404	rdpcllp.exe
1944	oneetx.exe
2404	rdpcllp.exe
2404	rdpcllp.exe
2404	rdpcllp.exe
2404	rdpcllp.exe
2144	powershell.exe
3040	AppLaunch.exe
2404	rdpcllp.exe
2404	rdpcllp.exe
3040	AppLaunch.exe
640	updater.exe
640	updater.exe
1792	powershell.exe
640	updater.exe
640	updater.exe
640	updater.exe
640	updater.exe
640	updater.exe
640	updater.exe
2452	powershell.exe
1644	oneetx.exe
640	updater.exe
640	updater.exe
640	updater.exe
640	updater.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeAppLaunch.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeupdater.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	3040	AppLaunch.exe
Token: SeShutdownPrivilege	2852	powercfg.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeShutdownPrivilege	3028	powercfg.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeShutdownPrivilege	2756	powercfg.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeShutdownPrivilege	2116	powercfg.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	1936	powercfg.exe
Token: SeShutdownPrivilege	2036	powercfg.exe
Token: SeDebugPrivilege	640	updater.exe
Token: SeLockMemoryPrivilege	1852	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tmp.exe

pid process

3020 tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeoneetx.execmd.exetaskmask.exe

description	pid	process	target process
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 3020 wrote to memory of 2824	3020	tmp.exe	oneetx.exe
PID 2824 wrote to memory of 2888	2824	oneetx.exe	schtasks.exe
PID 2824 wrote to memory of 2888	2824	oneetx.exe	schtasks.exe
PID 2824 wrote to memory of 2888	2824	oneetx.exe	schtasks.exe
PID 2824 wrote to memory of 2888	2824	oneetx.exe	schtasks.exe
PID 2824 wrote to memory of 2984	2824	oneetx.exe	cmd.exe
PID 2824 wrote to memory of 2984	2824	oneetx.exe	cmd.exe
PID 2824 wrote to memory of 2984	2824	oneetx.exe	cmd.exe
PID 2824 wrote to memory of 2984	2824	oneetx.exe	cmd.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2788	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2788	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2788	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2788	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 1140	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 1140	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 1140	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 1140	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2052	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2052	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2052	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2052	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2468	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2468	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2468	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2468	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2276	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2276	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2276	2984	cmd.exe	cacls.exe
PID 2984 wrote to memory of 2276	2984	cmd.exe	cacls.exe
PID 2824 wrote to memory of 2952	2824	oneetx.exe	taskmask.exe
PID 2824 wrote to memory of 2952	2824	oneetx.exe	taskmask.exe
PID 2824 wrote to memory of 2952	2824	oneetx.exe	taskmask.exe
PID 2824 wrote to memory of 2952	2824	oneetx.exe	taskmask.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 3040	2952	taskmask.exe	AppLaunch.exe
PID 2952 wrote to memory of 2896	2952	taskmask.exe	WerFault.exe
PID 2952 wrote to memory of 2896	2952	taskmask.exe	WerFault.exe
PID 2952 wrote to memory of 2896	2952	taskmask.exe	WerFault.exe
PID 2952 wrote to memory of 2896	2952	taskmask.exe	WerFault.exe
PID 2824 wrote to memory of 2404	2824	oneetx.exe	rdpcllp.exe
PID 2824 wrote to memory of 2404	2824	oneetx.exe	rdpcllp.exe
PID 2824 wrote to memory of 2404	2824	oneetx.exe	rdpcllp.exe
PID 2824 wrote to memory of 2404	2824	oneetx.exe	rdpcllp.exe
PID 2824 wrote to memory of 1772	2824	oneetx.exe	taskhostclp.exe
PID 2824 wrote to memory of 1772	2824	oneetx.exe	taskhostclp.exe
PID 2824 wrote to memory of 1772	2824	oneetx.exe	taskhostclp.exe
PID 2824 wrote to memory of 1772	2824	oneetx.exe	taskhostclp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:N"
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:R" /E
        5⤵
        
        PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
      "C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 36
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1772
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1732
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2240
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:588
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1528
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2808
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2332
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2832
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3032
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1556
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1036
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1404
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1156
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:992
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2692
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1324
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2268
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {427875FE-C1E7-498F-BF01-C8FC8EBACC2F} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

C:\Windows\system32\taskeng.exe
taskeng.exe {02FA4BCC-B3E4-4C46-9F5A-18C19A0AE212} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2720
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

Filesize
4.0MB

MD5
3258deefff3ca70f3dfa3e67067ca611

SHA1
a28ec103c22b03f381dd72073cf620b11881b7b7

SHA256
11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

SHA512
541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

Filesize
4.0MB

MD5
3258deefff3ca70f3dfa3e67067ca611

SHA1
a28ec103c22b03f381dd72073cf620b11881b7b7

SHA256
11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

SHA512
541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

Filesize
4.0MB

MD5
3258deefff3ca70f3dfa3e67067ca611

SHA1
a28ec103c22b03f381dd72073cf620b11881b7b7

SHA256
11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

SHA512
541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\408354897116

Filesize
70KB

MD5
efb6ebc2a900e6cc24768e118f0f20c5

SHA1
52469f10f4c30fcb5e8b5be81f14e07db616bb8f

SHA256
8b3667f8727a415af57dedcd0676654eed265987a3f025d55bcafa9325f7ac8d

SHA512
cbb79bf1b70f18fcc1c0d0b3902e711180ed09c77a435b43e59f5292bf461075447c4535961e3e3320197ebc8c513098fb5f9b028e330b0da7239c52913c1c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.5MB

MD5
89e9bc7a5d97370a0f4a35041a54a696

SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029

SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.5MB

MD5
89e9bc7a5d97370a0f4a35041a54a696

SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029

SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.5MB

MD5
89e9bc7a5d97370a0f4a35041a54a696

SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029

SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.5MB

MD5
89e9bc7a5d97370a0f4a35041a54a696

SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029

SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.5MB

MD5
89e9bc7a5d97370a0f4a35041a54a696

SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029

SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd17d73652822a53d0462028c1a82a3b

SHA1
4a63c90dcf70bab6a4222ec3de7764ab1c311282

SHA256
848b06e91b5e747fd9f21c8a220e28b29b2a597f500318e01e951aa0a8f3c722

SHA512
f9f831a79d237b6b6fec48676752f37a4f0a5e2efabc78fff4fe16fef7c4362c88c46e12bf660f34207151b305192000b176971e1cbd0cdd7e3d126b2badf22d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KBACVLQ2X0YUKO6HZ5P4.temp

Filesize
7KB

MD5
dd17d73652822a53d0462028c1a82a3b

SHA1
4a63c90dcf70bab6a4222ec3de7764ab1c311282

SHA256
848b06e91b5e747fd9f21c8a220e28b29b2a597f500318e01e951aa0a8f3c722

SHA512
f9f831a79d237b6b6fec48676752f37a4f0a5e2efabc78fff4fe16fef7c4362c88c46e12bf660f34207151b305192000b176971e1cbd0cdd7e3d126b2badf22d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
498.2MB

MD5
7dac03689ad2c4a751541ce40c6b4984

SHA1
3b3232db2585f1a6286d4cd9c4af1c395372172b

SHA256
0d96815852011078c015ef9cc09d1616a787c367f57b626a5251f27ad7f9fc8f

SHA512
25083286030e2419c1727b1ae9a11750ea33fd6379868113c6c54d7d692689b3d11db60bf74672d1fa98d019c4ed911085eb13d181f430612d6d3389eb9ed100

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

Filesize
1.8MB

MD5
5538392914fc8bc5abbc165f87993ffa

SHA1
c8ab809922cfb2992d7abf93eb9e2836c5b913c1

SHA256
c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2

SHA512
a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

Download Submit
\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

Filesize
8.4MB

MD5
768200a76def472e675539094047bed9

SHA1
24bc17689541656a8a12902c7f19bd991193ca50

SHA256
79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af

SHA512
143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Download Submit
\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

Filesize
4.0MB

MD5
3258deefff3ca70f3dfa3e67067ca611

SHA1
a28ec103c22b03f381dd72073cf620b11881b7b7

SHA256
11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

SHA512
541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.5MB

MD5
89e9bc7a5d97370a0f4a35041a54a696

SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029

SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
489.0MB

MD5
9e44b0fcc6d9c618e284a08c11a1f483

SHA1
da04d3bd6c2a066652843d0fefdcebbe77757d41

SHA256
1fe18168913b9ff846a6682137121583ee7be53ea507accbc40f71d7a0dbe57b

SHA512
c1d1a0f9f9afece76af7ed153687aafb62a16a91d06d5b4e3ffbc654ee0800f32a804e8c1a3238c45013852e6dd7ae4a55f19567c209fe8a06a5e9ce3e9fe9af

Download Submit
memory/112-199-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/112-201-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/112-200-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/112-203-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/112-216-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/112-198-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/112-196-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/112-210-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/112-195-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/112-219-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/640-272-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/640-271-0x000000013F9E0000-0x000000014082A000-memory.dmp

Filesize
14.3MB

Download
memory/1612-217-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-226-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-215-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-214-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-213-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/1612-218-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-220-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-208-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-221-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-222-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-233-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-231-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-223-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-230-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/1612-228-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-224-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1612-225-0x0000000000100000-0x0000000000A43000-memory.dmp

Filesize
9.3MB

Download
memory/1772-187-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/1772-171-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-211-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/1772-180-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-166-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-209-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-167-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/1772-185-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-186-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-168-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-169-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-189-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-170-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-176-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-175-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-197-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-174-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-173-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1772-172-0x0000000000DE0000-0x0000000001723000-memory.dmp

Filesize
9.3MB

Download
memory/1944-252-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1944-249-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1944-234-0x00000000003B0000-0x0000000000E51000-memory.dmp

Filesize
10.6MB

Download
memory/1944-251-0x0000000077C30000-0x0000000077C31000-memory.dmp

Filesize
4KB

Download
memory/1944-257-0x00000000003B0000-0x0000000000E51000-memory.dmp

Filesize
10.6MB

Download
memory/1944-254-0x00000000003B0000-0x0000000000E51000-memory.dmp

Filesize
10.6MB

Download
memory/2144-258-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2144-260-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2144-246-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2144-245-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2144-244-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2144-243-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2144-242-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2144-241-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2144-240-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-143-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-229-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-144-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-158-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-159-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-265-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-264-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2404-146-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2404-190-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-182-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2404-156-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-179-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-165-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2404-160-0x000000013FED0000-0x0000000140D1A000-memory.dmp

Filesize
14.3MB

Download
memory/2720-269-0x000000013F9E0000-0x000000014082A000-memory.dmp

Filesize
14.3MB

Download
memory/2720-278-0x000000013F9E0000-0x000000014082A000-memory.dmp

Filesize
14.3MB

Download
memory/2824-77-0x00000000003B0000-0x0000000000E51000-memory.dmp

Filesize
10.6MB

Download
memory/2824-178-0x0000000004520000-0x000000000536A000-memory.dmp

Filesize
14.3MB

Download
memory/2824-80-0x00000000003B0000-0x0000000000E51000-memory.dmp

Filesize
10.6MB

Download
memory/2824-142-0x0000000004520000-0x000000000536A000-memory.dmp

Filesize
14.3MB

Download
memory/2824-82-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2824-164-0x00000000044C0000-0x0000000004E03000-memory.dmp

Filesize
9.3MB

Download
memory/2824-84-0x0000000077C30000-0x0000000077C31000-memory.dmp

Filesize
4KB

Download
memory/2824-78-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2824-128-0x00000000003B0000-0x0000000000E51000-memory.dmp

Filesize
10.6MB

Download
memory/2952-116-0x0000000000020000-0x00000000001F7000-memory.dmp

Filesize
1.8MB

Download
memory/3020-58-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3020-53-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3020-73-0x0000000000270000-0x0000000000D11000-memory.dmp

Filesize
10.6MB

Download
memory/3020-56-0x0000000000270000-0x0000000000D11000-memory.dmp

Filesize
10.6MB

Download
memory/3020-55-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3020-59-0x0000000000270000-0x0000000000D11000-memory.dmp

Filesize
10.6MB

Download
memory/3020-61-0x0000000077C30000-0x0000000077C31000-memory.dmp

Filesize
4KB

Download
memory/3020-64-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3040-118-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3040-184-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download
memory/3040-125-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3040-124-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3040-117-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3040-202-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download
memory/3040-122-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-177-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-188-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download