Malware Analysis Report

2024-10-19 01:12

Sample ID 230801-jqcvsafd8z
Target tmp
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
Tags: amadey laplas redline clipper evasion infostealer persistence spyware stealer themida trojan xmrig miner
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

amadey laplas redline clipper evasion infostealer persistence spyware stealer themida trojan xmrig miner

Laplas Clipper

RedLine

xmrig

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

XMRig Miner payload

Stops running service(s)

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Themida packer

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

GoLang User-Agent

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-01 07:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-01 07:52
Reported: 2023-08-01 07:54
Platform: win7-20230712-en
Max time kernel: 142s
Max time network: 153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

4 matches recorded; no description, indicator, process or target was captured for them.

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A

Stops running service(s)

evasion

Themida packer

themida
20 matches recorded; no description, indicator, process or target was captured for them.

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target | Events
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 (identical)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2952 set thread context of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 set thread context of 2268 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe
PID 640 set thread context of 1852 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50145b4e4dc4d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Process | Events (description, indicator and target not recorded for any of them)
C:\Users\Admin\AppData\Local\Temp\tmp.exe | 1
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | 3
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | 10
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 2
C:\Program Files\Google\Chrome\updater.exe | 12
C:\Windows\explorer.exe | 17

Suspicious behavior: LoadsDriver

1 match recorded; no description, indicator, process or target was captured for it.

Suspicious use of AdjustPrivilegeToken

Description | Process | Events (indicator and target not recorded)
Token: SeDebugPrivilege | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4
Token: SeDebugPrivilege | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 1
Token: SeShutdownPrivilege | C:\Windows\System32\powercfg.exe | 8
Token: SeDebugPrivilege | C:\Program Files\Google\Chrome\updater.exe | 1
Token: SeLockMemoryPrivilege | C:\Windows\explorer.exe | 1

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Process | Target | Events (indicator not recorded)
PID 3020 wrote to memory of 2824 | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | 7
PID 2824 wrote to memory of 2888 | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2824 wrote to memory of 2984 | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2984 wrote to memory of 2752 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2984 wrote to memory of 2788 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe | 4
PID 2984 wrote to memory of 1140 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe | 4
PID 2984 wrote to memory of 2052 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2984 wrote to memory of 2468 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe | 4
PID 2984 wrote to memory of 2276 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe | 4
PID 2824 wrote to memory of 2952 | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | 4
PID 2952 wrote to memory of 3040 | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 9
PID 2952 wrote to memory of 2896 | C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe | C:\Windows\SysWOW64\WerFault.exe | 4
PID 2824 wrote to memory of 2404 | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | 4
PID 2824 wrote to memory of 1772 | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe | 4

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 36

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\system32\taskeng.exe

taskeng.exe {427875FE-C1E7-498F-BF01-C8FC8EBACC2F} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {02FA4BCC-B3E4-4C46-9F5A-18C19A0AE212} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | second.amadgood.com | udp
NL | 45.15.156.208:80 | 45.15.156.208 | tcp
NL | 45.15.156.208:80 | 45.15.156.208 | tcp
NL | 194.180.49.153:80 | 194.180.49.153 | tcp
SG | 128.199.192.86:81 | (none) | tcp
US | 206.189.229.43:80 | 206.189.229.43 | tcp
US | 8.8.8.8:53 | api.ip.sb | udp
US | 172.67.75.172:443 | api.ip.sb | tcp
US | 8.8.8.8:53 | xmr.2miners.com | udp
DE | 162.19.139.184:12222 | xmr.2miners.com | tcp

Files

\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\408354897116

MD5 efb6ebc2a900e6cc24768e118f0f20c5
SHA1 52469f10f4c30fcb5e8b5be81f14e07db616bb8f
SHA256 8b3667f8727a415af57dedcd0676654eed265987a3f025d55bcafa9325f7ac8d
SHA512 cbb79bf1b70f18fcc1c0d0b3902e711180ed09c77a435b43e59f5292bf461075447c4535961e3e3320197ebc8c513098fb5f9b028e330b0da7239c52913c1c65

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 5538392914fc8bc5abbc165f87993ffa
SHA1 c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256 c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512 a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2404-156-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/2404-158-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/2404-159-0x000000013FED0000-0x0000000140D1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2404-160-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/2824-164-0x00000000044C0000-0x0000000004E03000-memory.dmp

memory/2404-165-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/1772-166-0x0000000000DE0000-0x0000000001723000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/1772-167-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/1772-168-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-169-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-170-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-171-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-172-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-173-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-174-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-175-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-176-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/3040-177-0x0000000073930000-0x000000007401E000-memory.dmp

memory/2824-178-0x0000000004520000-0x000000000536A000-memory.dmp

memory/2404-179-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/1772-180-0x0000000000DE0000-0x0000000001723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2404-182-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/3040-184-0x00000000073A0000-0x00000000073E0000-memory.dmp

memory/1772-185-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-186-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/1772-187-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/3040-188-0x0000000073930000-0x000000007401E000-memory.dmp

memory/1772-189-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/2404-190-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/112-195-0x000000001B180000-0x000000001B462000-memory.dmp

memory/112-196-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/1772-197-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/112-198-0x0000000002560000-0x00000000025E0000-memory.dmp

memory/112-199-0x0000000002330000-0x0000000002338000-memory.dmp

memory/112-200-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/112-201-0x0000000002560000-0x00000000025E0000-memory.dmp

memory/3040-202-0x00000000073A0000-0x00000000073E0000-memory.dmp

memory/112-203-0x0000000002560000-0x00000000025E0000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 9e44b0fcc6d9c618e284a08c11a1f483
SHA1 da04d3bd6c2a066652843d0fefdcebbe77757d41
SHA256 1fe18168913b9ff846a6682137121583ee7be53ea507accbc40f71d7a0dbe57b
SHA512 c1d1a0f9f9afece76af7ed153687aafb62a16a91d06d5b4e3ffbc654ee0800f32a804e8c1a3238c45013852e6dd7ae4a55f19567c209fe8a06a5e9ce3e9fe9af

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 7dac03689ad2c4a751541ce40c6b4984
SHA1 3b3232db2585f1a6286d4cd9c4af1c395372172b
SHA256 0d96815852011078c015ef9cc09d1616a787c367f57b626a5251f27ad7f9fc8f
SHA512 25083286030e2419c1727b1ae9a11750ea33fd6379868113c6c54d7d692689b3d11db60bf74672d1fa98d019c4ed911085eb13d181f430612d6d3389eb9ed100

memory/1612-208-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1772-209-0x0000000000DE0000-0x0000000001723000-memory.dmp

memory/112-210-0x0000000002560000-0x00000000025E0000-memory.dmp

memory/1772-211-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/1612-213-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/1612-214-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-215-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/112-216-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/1612-217-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/112-219-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/1612-218-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-220-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-221-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-222-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-223-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-224-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-225-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-226-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-228-0x0000000000100000-0x0000000000A43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/2404-229-0x000000013FED0000-0x0000000140D1A000-memory.dmp

memory/1612-230-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/1612-231-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1612-233-0x0000000000100000-0x0000000000A43000-memory.dmp

memory/1944-234-0x00000000003B0000-0x0000000000E51000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KBACVLQ2X0YUKO6HZ5P4.temp

MD5 dd17d73652822a53d0462028c1a82a3b
SHA1 4a63c90dcf70bab6a4222ec3de7764ab1c311282
SHA256 848b06e91b5e747fd9f21c8a220e28b29b2a597f500318e01e951aa0a8f3c722
SHA512 f9f831a79d237b6b6fec48676752f37a4f0a5e2efabc78fff4fe16fef7c4362c88c46e12bf660f34207151b305192000b176971e1cbd0cdd7e3d126b2badf22d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 dd17d73652822a53d0462028c1a82a3b
SHA1 4a63c90dcf70bab6a4222ec3de7764ab1c311282
SHA256 848b06e91b5e747fd9f21c8a220e28b29b2a597f500318e01e951aa0a8f3c722
SHA512 f9f831a79d237b6b6fec48676752f37a4f0a5e2efabc78fff4fe16fef7c4362c88c46e12bf660f34207151b305192000b176971e1cbd0cdd7e3d126b2badf22d

memory/2144-240-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

memory/2144-241-0x0000000001F60000-0x0000000001F68000-memory.dmp

memory/2144-242-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/2144-243-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/2144-244-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/2144-245-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/2144-246-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/1944-249-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1944-252-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1944-251-0x0000000077C30000-0x0000000077C31000-memory.dmp

memory/1944-254-0x00000000003B0000-0x0000000000E51000-memory.dmp

memory/1944-257-0x00000000003B0000-0x0000000000E51000-memory.dmp

memory/2144-258-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/2144-260-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2404-264-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/2404-265-0x000000013FED0000-0x0000000140D1A000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2720-269-0x000000013F9E0000-0x000000014082A000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/640-271-0x000000013F9E0000-0x000000014082A000-memory.dmp

memory/640-272-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/2720-278-0x000000013F9E0000-0x000000014082A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-01 07:52

Reported

2023-08-01 07:54

Platform

win10v2004-20230703-en

Max time kernel

31s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (25 matches, all with indicator, process and target listed as N/A)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1524 set thread context of 3292 N/A C:\Windows\System32\powercfg.exe C:\Windows\system32\backgroundTaskHost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1324 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 1324 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 4744 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4744 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4744 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4744 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\System32\cmd.exe
PID 4744 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\System32\cmd.exe
PID 4744 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\System32\cmd.exe
PID 404 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 1500 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 1500 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 1500 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 404 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4744 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\System32\powercfg.exe
PID 4744 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\System32\powercfg.exe
PID 4744 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Windows\System32\powercfg.exe
PID 1524 wrote to memory of 3292 N/A C:\Windows\System32\powercfg.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1524 wrote to memory of 3292 N/A C:\Windows\System32\powercfg.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1524 wrote to memory of 3292 N/A C:\Windows\System32\powercfg.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1524 wrote to memory of 3292 N/A C:\Windows\System32\powercfg.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1524 wrote to memory of 3292 N/A C:\Windows\System32\powercfg.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4744 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 4744 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
PID 4744 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
PID 4744 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 276

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
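
The command lines above spell out two installation routines: Amadey copies itself to a Temp subfolder (oneetx.exe), registers a schtasks job that re-launches it every minute and uses CACLS to deny the owning user access to the copy and its folder; the miner loader adds the user profile and Program Files as Defender exclusions, stops the Windows Update services, registers a SYSTEM-level task named GoogleUpdateTaskMachineQC pointing at C:\Program Files\Google\Chrome\updater.exe, and zeroes the standby and hibernate timeouts. The Python below is an added example, not code from the sandbox or from the malware: it turns each of those behaviours into a detection rule and runs them over process-creation records constructed from the report's own command lines (abridged) plus one benign control line. The ProcEvent record, the rule names and the ATT&CK mapping are this example's own; PIDs 3260 and 4136 are taken from the WriteProcessMemory table, the remaining PIDs are made up.

```python
"""Detection rules for the process behaviour recorded in this report.

Added example, not code from the sandbox or from the malware. The ProcEvent
record, rule names and ATT&CK mapping are this example's own; the events are
built from the report's command lines (abridged) plus one benign control.
PIDs 3260 and 4136 come from the WriteProcessMemory table, the rest are made up.
"""
import re
from dataclasses import dataclass

# Update/delivery services the miner loader stops, per the Processes section.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# ATT&CK Enterprise technique behind each rule.
TECHNIQUE = {
    "amadey_minute_task": "T1053.005",        # Scheduled Task
    "cacls_deny_owner_access": "T1222.001",   # Windows File and Directory Permissions Modification
    "defender_exclusion_added": "T1562.001",  # Disable or Modify Tools
    "update_services_stopped": "T1489",       # Service Stop
    "fake_google_update_task": "T1036.005",   # Match Legitimate Name or Location
    "powercfg_sleep_disabled": "T1496",       # Resource Hijacking (keeps the miner running)
}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged

def _image_is(event, name):
    return event.image.lower().endswith("\\" + name)

RULES = [
    # Amadey: self-copy under %LOCALAPPDATA%\Temp re-launched every minute.
    ("amadey_minute_task", lambda e: _image_is(e, "schtasks.exe")
        and re.search(r"/sc\s+minute\s+/mo\s+1\b", e.cmdline, re.I)
        and re.search(r"\\appdata\\local\\temp\\", e.cmdline, re.I)),
    # Amadey: the owning user is denied all access (":N") to the dropped file.
    ("cacls_deny_owner_access", lambda e: _image_is(e, "cacls.exe")
        and re.search(r'/p\s+"?[^"\s]+:n\b', e.cmdline, re.I)),
    # Miner loader: whole directory trees excluded from Defender scanning.
    ("defender_exclusion_added", lambda e: _image_is(e, "powershell.exe")
        and re.search(r"add-mppreference\s+-exclusionpath", e.cmdline, re.I)),
    # Miner loader: two or more update-related services stopped in one command.
    ("update_services_stopped", lambda e: len(
        {s.lower() for s in re.findall(r"\bsc\s+stop\s+(\w+)", e.cmdline, re.I)}
        & UPDATE_SERVICES) >= 2),
    # Miner loader: a GoogleUpdateTaskMachine* task whose action is not
    # GoogleUpdate.exe (the genuine ...Core/...UA tasks run GoogleUpdate.exe).
    ("fake_google_update_task", lambda e:
        re.search(r"GoogleUpdateTaskMachine\w*", e.cmdline)
        and re.search(r"register-scheduledtask|schtasks\s+/create", e.cmdline, re.I)
        and not re.search(r"\\GoogleUpdate\.exe", e.cmdline, re.I)),
    # Miner loader: standby/hibernate timeouts zeroed so the host never sleeps.
    ("powercfg_sleep_disabled", lambda e: bool(re.search(
        r"powercfg\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b",
        e.cmdline, re.I))),
]

# Constructed from the report's Processes section (abridged).
SAMPLE_EVENTS = [
    ProcEvent(3260, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
              r'/TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F'),
    ProcEvent(4136, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    ProcEvent(9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(9002, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    ProcEvent(9003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe <#fyhjjuwy#> Register-ScheduledTask -Action (New-ScheduledTaskAction "
              r"-Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger "
              r"-AtStartup) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force"),
    ProcEvent(9004, r"C:\Windows\System32\powercfg.exe", r"powercfg /x -hibernate-timeout-ac 0"),
    # Benign control: a daily task for a binary under Program Files; must not fire.
    ProcEvent(9005, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
]

def evaluate(event):
    """Names of every rule the event matches."""
    return [name for name, pred in RULES if pred(event)]

def triage(events):
    """Map each flagged PID to its rule names; events with no hits are omitted."""
    return {e.pid: hits for e in events if (hits := evaluate(e))}

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(pid, [f"{n} ({TECHNIQUE[n]})" for n in names])
```

To run this over real telemetry, build ProcEvent records from the Image and CommandLine fields of Sysmon event 1 or Security event 4688. The schtasks and cacls rules are the ones most likely to fire on legitimate administration and belong behind a path allow-list; the Defender-exclusion, service-stop and fake-GoogleUpdate rules are rarely benign on a workstation.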

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 second.amadgood.com udp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 45.15.156.208:80 45.15.156.208 tcp
NL 194.180.49.153:80 194.180.49.153 tcp
US 8.8.8.8:53 208.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 153.49.180.194.in-addr.arpa udp
SG 128.199.192.86:81 tcp
US 8.8.8.8:53 86.192.199.128.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 206.189.229.43:80 206.189.229.43 tcp
US 8.8.8.8:53 43.229.189.206.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp

Files

memory/1324-133-0x0000000000800000-0x00000000012A1000-memory.dmp

memory/1324-135-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/1324-136-0x0000000000800000-0x00000000012A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/1324-152-0x0000000000800000-0x00000000012A1000-memory.dmp

memory/4744-154-0x0000000000BE0000-0x0000000001681000-memory.dmp

memory/4744-153-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

memory/4744-156-0x0000000000BE0000-0x0000000001681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\498570331231

MD5 422244f05eab9b383f71b9e89499eeca
SHA1 6f9738a400ecd884a3400e3ea4f9bd138af80b3d
SHA256 2f7ad0f2abcf78740ba79f83d7a666ae75336cffab827fede3098fbe7edf101d
SHA512 696d5396b734d488a8b6275e008679ade1af4c5e682339f402afca68500ead5817b5a0e06a1042d4bf33a95fc015adca44511ae7c953ba88127e630ecc93c7c7

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 5538392914fc8bc5abbc165f87993ffa
SHA1 c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256 c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512 a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 5538392914fc8bc5abbc165f87993ffa
SHA1 c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256 c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512 a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 5538392914fc8bc5abbc165f87993ffa
SHA1 c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256 c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512 a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841

memory/1524-187-0x0000000000410000-0x00000000005E7000-memory.dmp

memory/3292-188-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/3292-204-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/3292-205-0x0000000007F80000-0x0000000008524000-memory.dmp

memory/3292-206-0x0000000007A70000-0x0000000007B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/3292-218-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/4744-223-0x0000000000BE0000-0x0000000001681000-memory.dmp

memory/3292-229-0x0000000007A60000-0x0000000007A6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/3292-233-0x0000000008B50000-0x0000000009168000-memory.dmp

memory/3224-236-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3224-234-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3292-235-0x0000000007CC0000-0x0000000007CD2000-memory.dmp

memory/3292-237-0x0000000007E30000-0x0000000007F3A000-memory.dmp

memory/4744-238-0x0000000000BE0000-0x0000000001681000-memory.dmp

memory/3224-239-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/3292-240-0x0000000007D60000-0x0000000007D9C000-memory.dmp

memory/2276-241-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/3224-242-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3224-243-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3224-244-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3224-245-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3224-246-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3292-247-0x0000000008600000-0x0000000008666000-memory.dmp

memory/2276-248-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/3292-249-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/2276-250-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-251-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-252-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-253-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-254-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-255-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-256-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-257-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/2276-258-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/3224-259-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/2276-260-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/3292-261-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

memory/2276-262-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/3292-263-0x0000000009A60000-0x0000000009AD6000-memory.dmp

memory/3292-264-0x0000000009CB0000-0x0000000009E72000-memory.dmp

memory/3292-265-0x000000000A3B0000-0x000000000A8DC000-memory.dmp

memory/3292-266-0x0000000009BF0000-0x0000000009C0E000-memory.dmp

memory/3224-267-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/2276-268-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/4112-271-0x000001A764340000-0x000001A764350000-memory.dmp

memory/2276-277-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmomneno.4zg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4112-270-0x000001A765B40000-0x000001A765B62000-memory.dmp

memory/3224-282-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/4112-269-0x00007FFF8A440000-0x00007FFF8AF01000-memory.dmp

memory/4112-283-0x000001A764340000-0x000001A764350000-memory.dmp

memory/2276-284-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/4112-287-0x000001A764340000-0x000001A764350000-memory.dmp

memory/4112-288-0x00007FFF8A440000-0x00007FFF8AF01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2276-291-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/3940-293-0x00000235FDE70000-0x00000235FDE80000-memory.dmp

memory/3940-294-0x00000235FDE70000-0x00000235FDE80000-memory.dmp

memory/3940-292-0x00007FFF8A560000-0x00007FFF8B021000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

memory/3940-305-0x00000235FDE70000-0x00000235FDE80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/3940-307-0x00000235FDE70000-0x00000235FDE80000-memory.dmp

memory/3940-310-0x00007FFF8A560000-0x00007FFF8B021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/3224-313-0x00007FF680E60000-0x00007FF681CAA000-memory.dmp

memory/3224-314-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/1660-316-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1660-317-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/1660-318-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1660-319-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1660-320-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1660-321-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1660-322-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1660-323-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/888-324-0x0000000000BE0000-0x0000000001681000-memory.dmp

memory/888-325-0x0000000000BE0000-0x0000000001681000-memory.dmp

memory/2276-326-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/888-327-0x00000000017D0000-0x00000000017D1000-memory.dmp

memory/888-329-0x0000000000BE0000-0x0000000001681000-memory.dmp

memory/888-332-0x0000000000BE0000-0x0000000001681000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 6f81dc55f1ad1766653ff7cc2e0a5834
SHA1 1ae1aad46cf6631f8cab68cd33073d3c6e644347
SHA256 52900a858c84ce422556c28117708b695d5c0ebdf5c90fcb4755f3b625439473
SHA512 b40ec9a7e8974b9dd5eefa2e0ad9a2aac2d53cd2d914b30498884c47b25a40659104262d109181f600644b8b8e78a60b90dc6d96cc85e697060085fcfed31136

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 b96442bed1e01b156051cbcd9828240c
SHA1 db6048af82262a0fab4d12da8f85d072629840ba
SHA256 a9be80b15b9f5ac99c90f5466f862a84aac5e6f2b4460ad71822fba4a3500497
SHA512 6151b777507c62daa339bd8250c849f978ddb68f15825275d4b46d070b0cd1fb7e6cb5ed9ef0c785839f36e4b7f77aefcb72a69bd93965a71f10edb4f67d5da7

memory/2276-336-0x0000000000190000-0x0000000000AD3000-memory.dmp

memory/1660-337-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1896-338-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/2276-339-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/1896-340-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1660-341-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/1896-343-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/1896-344-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-345-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-346-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-347-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-348-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-349-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-350-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-351-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-352-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-353-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/4252-354-0x00007FFF8A560000-0x00007FFF8B021000-memory.dmp

memory/4252-355-0x0000018543D50000-0x0000018543D60000-memory.dmp

memory/1896-365-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-366-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1660-367-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1896-369-0x00007FFFA8AF0000-0x00007FFFA8CE5000-memory.dmp

memory/3292-370-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/4252-371-0x00007FF4393F0000-0x00007FF439400000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/1756-429-0x0000000000720000-0x0000000000740000-memory.dmp

memory/1660-428-0x00007FF7A4340000-0x00007FF7A518A000-memory.dmp

memory/1896-431-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/1896-433-0x0000000000300000-0x0000000000C43000-memory.dmp

memory/2308-434-0x00007FF7F9500000-0x00007FF7F952A000-memory.dmp

memory/1756-435-0x00007FF76E7F0000-0x00007FF76EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
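The Files section above gives the drop paths and hashes of every PE this sample wrote, but nothing that acts on them. The script below is an added example, not part of the sandbox output and not the report vendor's code: it turns that list into a small host check that streams each drop path through SHA-256, compares against the report's hashes, escalates a file that sits at a drop path with an unknown hash (the report itself shows ntlhost.exe rewritten with two different hashes, so a miss on a known path is more likely a repacked variant than a clean host), and reviews the hosts file the sample modified. The `{user}` placeholder standing in for the sandbox's `Admin` profile, the hosts-file heuristic (the report records the write but not the content) and the demo's file contents are assumptions of this example.

```python
"""Hunt a Windows host for the files this detonation dropped.

Added example, not part of the sandbox report. The SHA-256 values and drop
paths are copied from the Files section; the {user} placeholder, the
hosts-file heuristic and the demo's file contents are assumptions.
"""
import hashlib
import os
import tempfile

# SHA-256 of every dropped PE in the report. ntlhost.exe was written twice
# with different content, so one path can legitimately map to two hashes.
KNOWN_BAD_SHA256 = {
    "9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847",  # oneetx.exe (the sample)
    "79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af",  # rdpcllp.exe and Chrome\updater.exe
    "52900a858c84ce422556c28117708b695d5c0ebdf5c90fcb4755f3b625439473",  # ntlhost.exe, first write
    "a9be80b15b9f5ac99c90f5466f862a84aac5e6f2b4460ad71822fba4a3500497",  # ntlhost.exe, second write
}

# Drop locations from the report; the sandbox user "Admin" becomes {user}.
DROP_PATHS = [
    r"C:\Users\{user}\AppData\Local\Temp\eb0f58bce7\oneetx.exe",
    r"C:\Users\{user}\AppData\Local\Temp\1000128101\rdpcllp.exe",
    r"C:\Users\{user}\AppData\Roaming\NTSystem\ntlhost.exe",
    r"C:\Program Files\Google\Chrome\updater.exe",  # same hash as rdpcllp.exe, posing as a Chrome component
]
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256; None if it is absent or unreadable."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()


def classify(digest, known=KNOWN_BAD_SHA256):
    """Triage one drop path by hash: absent, exact hit, or unknown file at a
    known drop location (escalated, since the loader rewrote ntlhost.exe)."""
    if digest is None:
        return "absent"
    if digest in known:
        return "known_bad"
    return "unknown_file_at_drop_path"


def scan(paths, known=KNOWN_BAD_SHA256, hasher=sha256_file):
    """Return {path: (status, sha256)} for every path given."""
    result = {}
    for path in paths:
        digest = hasher(path)
        result[path] = (classify(digest, known), digest)
    return result


def suspicious_hosts_lines(text):
    """Return hosts entries mapping anything other than a loopback alias.
    Heuristic (assumption): the report records the hosts write but not its
    content, so every non-loopback mapping is surfaced for review."""
    hits = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        names = body.split()[1:]
        if names and not all(n.lower() in LOOPBACK_NAMES for n in names):
            hits.append(body)
    return hits


def demo():
    """Stage constructed files in a temp dir and run the scan against them.
    Contents are invented; the fake oneetx.exe is registered as known-bad by
    its own hash so the hit branch is exercised; updater.exe is left absent."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = {name: os.path.join(tmp, name)
                  for name in ("oneetx.exe", "ntlhost.exe", "updater.exe")}
        with open(staged["oneetx.exe"], "wb") as f:
            f.write(b"MZ constructed sample, not the real dropper")
        with open(staged["ntlhost.exe"], "wb") as f:
            f.write(b"MZ constructed repacked variant")
        known = KNOWN_BAD_SHA256 | {sha256_file(staged["oneetx.exe"])}
        hosts = "127.0.0.1 localhost\n# comment\n0.0.0.0 update.example.invalid\n"
        out = {name: scan([p], known)[p][0] for name, p in staged.items()}
        out["hosts_hits"] = suspicious_hosts_lines(hosts)
        return out


if __name__ == "__main__":
    user = os.environ.get("USERNAME", "Admin")
    for path, (status, digest) in scan([p.format(user=user) for p in DROP_PATHS]).items():
        print(f"{status:26} {digest or '-':64} {path}")
    print(demo())
```

On a live host, run it as the user whose profile is being checked (or substitute `{user}` for each profile under `C:\Users`) and pass the real `HOSTS_PATH` contents to `suspicious_hosts_lines`. Hash matching is brittle against the repacking this family ships with, which is why a file present at a drop path with a non-matching hash is reported rather than silently passed.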