amadey | 4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

Analysis

max time kernel
140s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-09-2023 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.0MB
MD5

229df5fd5f850d26bb0b0a05f0918e9a
SHA1

400871984e6d833956f06734d7be5d8b7c8cb997
SHA256

4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd
SHA512

1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756
SSDEEP

98304:dCUPT4Mzeh+6D6UH+phuRO5bezZvSZ0NOk/Lg8eSjD:dCwe4O7H45bezZvIaOk/LgbSjD

Score

10^/10

amadey laplas redline xmrig clipper evasion infostealer miner persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.80

http://45.15.156.208/jd9dd3Vw/index.php

http://second.amadgood.com/jd9dd3Vw/index.php

Attributes

install_dir
eb0f58bce7
install_file
oneetx.exe
strings_key
2b74c848ebcfe9bcac3cd4aec559934c

rc4.plain

Extracted

Family

laplas

http://206.189.229.43

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2524-42-0x00000000001A0000-0x00000000003B0000-memory.dmp	family_redline
behavioral1/memory/2684-45-0x00000000000F0000-0x000000000014A000-memory.dmp	family_redline
behavioral1/memory/2684-51-0x00000000000F0000-0x000000000014A000-memory.dmp	family_redline
behavioral1/memory/2524-52-0x00000000001A0000-0x00000000003B0000-memory.dmp	family_redline
behavioral1/memory/2684-53-0x00000000000F0000-0x000000000014A000-memory.dmp	family_redline
behavioral1/memory/2148-68-0x00000000041C0000-0x0000000004BE1000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2904 created 1332	2904	rdpcllp.exe	21
PID 2904 created 1332	2904	rdpcllp.exe	21
PID 2904 created 1332	2904	rdpcllp.exe	21
PID 2904 created 1332	2904	rdpcllp.exe	21
PID 2904 created 1332	2904	rdpcllp.exe	21
PID 1452 created 1332	1452	updater.exe	21
PID 1452 created 1332	1452	updater.exe	21
PID 1452 created 1332	1452	updater.exe	21
PID 1452 created 1332	1452	updater.exe	21
PID 1452 created 1332	1452	updater.exe	21
PID 1452 created 1332	1452	updater.exe	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhostclp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/988-290-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/988-294-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	rdpcllp.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhostclp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhostclp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 8 IoCs

pid	Process
2148	oneetx.exe
2524	taskmask.exe
2904	rdpcllp.exe
324	taskhostclp.exe
636	oneetx.exe
1452	updater.exe
2544	ntlhost.exe
2964	oneetx.exe

Loads dropped DLL 6 IoCs

pid	Process
2988	tmp.exe
2148	oneetx.exe
2148	oneetx.exe
2148	oneetx.exe
2944	taskeng.exe
324	taskhostclp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000C00000-0x0000000001255000-memory.dmp	vmprotect
behavioral1/files/0x000a000000015320-8.dat	vmprotect
behavioral1/files/0x000a000000015320-9.dat	vmprotect
behavioral1/files/0x000a000000015320-10.dat	vmprotect
behavioral1/memory/2148-12-0x00000000008E0000-0x0000000000F35000-memory.dmp	vmprotect
behavioral1/files/0x000a000000015320-15.dat	vmprotect
behavioral1/files/0x000a000000015320-114.dat	vmprotect
behavioral1/memory/636-124-0x00000000008E0000-0x0000000000F35000-memory.dmp	vmprotect
behavioral1/files/0x000a000000015320-274.dat	vmprotect
behavioral1/memory/2964-284-0x00000000008E0000-0x0000000000F35000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	taskhostclp.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostclp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
324	taskhostclp.exe
2544	ntlhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2684	2524	taskmask.exe	40
PID 1452 set thread context of 1548	1452	updater.exe	91
PID 1452 set thread context of 988	1452	updater.exe	92

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	rdpcllp.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
768	sc.exe
1984	sc.exe
2564	sc.exe
2700	sc.exe
564	sc.exe
1560	sc.exe
1520	sc.exe
696	sc.exe
908	sc.exe
2912	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1356	schtasks.exe
284	schtasks.exe
1668	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	13	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70936ff6fee3d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	rdpcllp.exe
2904	rdpcllp.exe
2904	rdpcllp.exe
2064	powershell.exe
2904	rdpcllp.exe
2904	rdpcllp.exe
2684	vbc.exe
2684	vbc.exe
2904	rdpcllp.exe
2904	rdpcllp.exe
2904	rdpcllp.exe
2904	rdpcllp.exe
2456	powershell.exe
2904	rdpcllp.exe
2904	rdpcllp.exe
2684	vbc.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
1592	powershell.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
748	powershell.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
1452	updater.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	vbc.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeShutdownPrivilege	2204	powercfg.exe
Token: SeShutdownPrivilege	892	powercfg.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeShutdownPrivilege	2436	powercfg.exe
Token: SeShutdownPrivilege	1584	powercfg.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeShutdownPrivilege	1436	powercfg.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeShutdownPrivilege	636	powercfg.exe
Token: SeShutdownPrivilege	2036	powercfg.exe
Token: SeShutdownPrivilege	1068	powercfg.exe
Token: SeDebugPrivilege	1452	updater.exe
Token: SeLockMemoryPrivilege	988	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2988	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2988 wrote to memory of 2148	2988	tmp.exe	28
PID 2148 wrote to memory of 1356	2148	oneetx.exe	29
PID 2148 wrote to memory of 1356	2148	oneetx.exe	29
PID 2148 wrote to memory of 1356	2148	oneetx.exe	29
PID 2148 wrote to memory of 1356	2148	oneetx.exe	29
PID 2148 wrote to memory of 2152	2148	oneetx.exe	31
PID 2148 wrote to memory of 2152	2148	oneetx.exe	31
PID 2148 wrote to memory of 2152	2148	oneetx.exe	31
PID 2148 wrote to memory of 2152	2148	oneetx.exe	31
PID 2152 wrote to memory of 2716	2152	cmd.exe	33
PID 2152 wrote to memory of 2716	2152	cmd.exe	33
PID 2152 wrote to memory of 2716	2152	cmd.exe	33
PID 2152 wrote to memory of 2716	2152	cmd.exe	33
PID 2152 wrote to memory of 2720	2152	cmd.exe	34
PID 2152 wrote to memory of 2720	2152	cmd.exe	34
PID 2152 wrote to memory of 2720	2152	cmd.exe	34
PID 2152 wrote to memory of 2720	2152	cmd.exe	34
PID 2152 wrote to memory of 2744	2152	cmd.exe	35
PID 2152 wrote to memory of 2744	2152	cmd.exe	35
PID 2152 wrote to memory of 2744	2152	cmd.exe	35
PID 2152 wrote to memory of 2744	2152	cmd.exe	35
PID 2152 wrote to memory of 2712	2152	cmd.exe	36
PID 2152 wrote to memory of 2712	2152	cmd.exe	36
PID 2152 wrote to memory of 2712	2152	cmd.exe	36
PID 2152 wrote to memory of 2712	2152	cmd.exe	36
PID 2152 wrote to memory of 2668	2152	cmd.exe	37
PID 2152 wrote to memory of 2668	2152	cmd.exe	37
PID 2152 wrote to memory of 2668	2152	cmd.exe	37
PID 2152 wrote to memory of 2668	2152	cmd.exe	37
PID 2152 wrote to memory of 2644	2152	cmd.exe	38
PID 2152 wrote to memory of 2644	2152	cmd.exe	38
PID 2152 wrote to memory of 2644	2152	cmd.exe	38
PID 2152 wrote to memory of 2644	2152	cmd.exe	38
PID 2148 wrote to memory of 2524	2148	oneetx.exe	39
PID 2148 wrote to memory of 2524	2148	oneetx.exe	39
PID 2148 wrote to memory of 2524	2148	oneetx.exe	39
PID 2148 wrote to memory of 2524	2148	oneetx.exe	39
PID 2524 wrote to memory of 2684	2524	taskmask.exe	40
PID 2524 wrote to memory of 2684	2524	taskmask.exe	40
PID 2524 wrote to memory of 2684	2524	taskmask.exe	40
PID 2524 wrote to memory of 2684	2524	taskmask.exe	40
PID 2524 wrote to memory of 2684	2524	taskmask.exe	40
PID 2524 wrote to memory of 2684	2524	taskmask.exe	40
PID 2148 wrote to memory of 2904	2148	oneetx.exe	42
PID 2148 wrote to memory of 2904	2148	oneetx.exe	42
PID 2148 wrote to memory of 2904	2148	oneetx.exe	42
PID 2148 wrote to memory of 2904	2148	oneetx.exe	42
PID 2148 wrote to memory of 324	2148	oneetx.exe	43
PID 2148 wrote to memory of 324	2148	oneetx.exe	43
PID 2148 wrote to memory of 324	2148	oneetx.exe	43
PID 2148 wrote to memory of 324	2148	oneetx.exe	43
PID 580 wrote to memory of 636	580	taskeng.exe	45
PID 580 wrote to memory of 636	580	taskeng.exe	45
PID 580 wrote to memory of 636	580	taskeng.exe	45
PID 580 wrote to memory of 636	580	taskeng.exe	45
PID 580 wrote to memory of 636	580	taskeng.exe	45
PID 580 wrote to memory of 636	580	taskeng.exe	45
PID 580 wrote to memory of 636	580	taskeng.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1332
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:N"
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:R" /E
        5⤵
        
        PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe
      "C:\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:324
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1104
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:908
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:564
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2912
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1560
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:284
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2468
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2876
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1984
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2564
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2700
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1520
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:696
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:992
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1668
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1548
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988

C:\Windows\system32\taskeng.exe
taskeng.exe {AD39EE5B-E58B-431C-A8CE-9F487E58BF10} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:2964

C:\Windows\system32\taskeng.exe
taskeng.exe {24CD5455-DF32-4B9F-867D-4FA25DB3EB89} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2944
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe

Filesize
2.0MB

MD5
764d12e322e104fe4df6085e89d53ed2

SHA1
a1a7103d1619d0512fc49931f8e02d4260c0bf22

SHA256
dd40d0e409908a22d3a8a02209131e6fc19e761d491a338282fc11479a73fe36

SHA512
4eba9c0eb377814886b8f9eb2182c55c5e291647948b0ada0b102052cbdb2984d3def87302bc7c460ea3e36e73a86cc282eb6371c03c652cd1b9b2e433aaf25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe

Filesize
2.0MB

MD5
764d12e322e104fe4df6085e89d53ed2

SHA1
a1a7103d1619d0512fc49931f8e02d4260c0bf22

SHA256
dd40d0e409908a22d3a8a02209131e6fc19e761d491a338282fc11479a73fe36

SHA512
4eba9c0eb377814886b8f9eb2182c55c5e291647948b0ada0b102052cbdb2984d3def87302bc7c460ea3e36e73a86cc282eb6371c03c652cd1b9b2e433aaf25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe

Filesize
3.0MB

MD5
02208e4168793ef72942aa31c1ae8642

SHA1
449b579d0b642ca43419c0687cc799afe5aa9194

SHA256
22b198c5fc1e073ef00fc7a44ca20db5f44630f4e0e746abcf2060207d7129d9

SHA512
f50be51f1ff3da3da34d4c819021686842d024476993031e56313fde1aded427e9e81d0cb2956c98d29839fac140597a8e1b1cbd89a58c481be70ce88ce5507f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe

Filesize
3.0MB

MD5
02208e4168793ef72942aa31c1ae8642

SHA1
449b579d0b642ca43419c0687cc799afe5aa9194

SHA256
22b198c5fc1e073ef00fc7a44ca20db5f44630f4e0e746abcf2060207d7129d9

SHA512
f50be51f1ff3da3da34d4c819021686842d024476993031e56313fde1aded427e9e81d0cb2956c98d29839fac140597a8e1b1cbd89a58c481be70ce88ce5507f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe

Filesize
3.0MB

MD5
02208e4168793ef72942aa31c1ae8642

SHA1
449b579d0b642ca43419c0687cc799afe5aa9194

SHA256
22b198c5fc1e073ef00fc7a44ca20db5f44630f4e0e746abcf2060207d7129d9

SHA512
f50be51f1ff3da3da34d4c819021686842d024476993031e56313fde1aded427e9e81d0cb2956c98d29839fac140597a8e1b1cbd89a58c481be70ce88ce5507f

Download Submit
C:\Users\Admin\AppData\Local\Temp\513876443277

Filesize
65KB

MD5
c3059603f8ffae3aff7d601dafb5bc03

SHA1
3607a71d82b19f5c5d36676bc1d010a850f582f5

SHA256
2f6562393cdf4870a820efd5d4da94f3ec057a9e618333d7cf0710b7092312da

SHA512
23d543e4a4fc3d3219b4a6dbb332d44721f228e851033008101ae2b4ba2fe26756fc1630ce2af27376fa8752b4f51505931f66ba334dccd01ca92fdd6c3b0edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA279.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA3B4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
4.0MB

MD5
229df5fd5f850d26bb0b0a05f0918e9a

SHA1
400871984e6d833956f06734d7be5d8b7c8cb997

SHA256
4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

SHA512
1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
4.0MB

MD5
229df5fd5f850d26bb0b0a05f0918e9a

SHA1
400871984e6d833956f06734d7be5d8b7c8cb997

SHA256
4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

SHA512
1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
4.0MB

MD5
229df5fd5f850d26bb0b0a05f0918e9a

SHA1
400871984e6d833956f06734d7be5d8b7c8cb997

SHA256
4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

SHA512
1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
4.0MB

MD5
229df5fd5f850d26bb0b0a05f0918e9a

SHA1
400871984e6d833956f06734d7be5d8b7c8cb997

SHA256
4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

SHA512
1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
4.0MB

MD5
229df5fd5f850d26bb0b0a05f0918e9a

SHA1
400871984e6d833956f06734d7be5d8b7c8cb997

SHA256
4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

SHA512
1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f37a8d28a3bca55a121565ffb0b2aa9

SHA1
7cceb1de039efd2b57cf028af92c0743f0bd9c33

SHA256
69f8c2fafa793436723cca8b07c11c71ba13fcc11b8573f1a0f95bf128aea988

SHA512
917fe2e7ef93d1ab510392d6c70b1e7fb7e89af9a95a6a86abe5588000d1de033ddb5fd5869ad61b77bbe48747363426b60af79168ab9defadda9b5f56a15df7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZL29IWUMCUOZHFQZSRUC.temp

Filesize
7KB

MD5
3f37a8d28a3bca55a121565ffb0b2aa9

SHA1
7cceb1de039efd2b57cf028af92c0743f0bd9c33

SHA256
69f8c2fafa793436723cca8b07c11c71ba13fcc11b8573f1a0f95bf128aea988

SHA512
917fe2e7ef93d1ab510392d6c70b1e7fb7e89af9a95a6a86abe5588000d1de033ddb5fd5869ad61b77bbe48747363426b60af79168ab9defadda9b5f56a15df7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
662.0MB

MD5
9cede3c5055918459083c1a194808746

SHA1
12c4cb1ebfb75f217a576d4bfa451a54bad3835f

SHA256
d3793f84f0c695388c0a8907d5dabb07bd209a1ce820b91d8aca39ca5bd815b8

SHA512
c82a1dd147cc0f4ca4a876e8d840600861cec02dde79c31cf5a14915772d29dcf6b8a2d2a158c095762ef678962a8d5fb4619ea774b184c0d0b32babd74cc1b1

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe

Filesize
2.0MB

MD5
764d12e322e104fe4df6085e89d53ed2

SHA1
a1a7103d1619d0512fc49931f8e02d4260c0bf22

SHA256
dd40d0e409908a22d3a8a02209131e6fc19e761d491a338282fc11479a73fe36

SHA512
4eba9c0eb377814886b8f9eb2182c55c5e291647948b0ada0b102052cbdb2984d3def87302bc7c460ea3e36e73a86cc282eb6371c03c652cd1b9b2e433aaf25e

Download Submit
\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe

Filesize
7.0MB

MD5
dfdb092fd460c1d4e5c5853bccdd08ca

SHA1
766f11d4b12ae5f196b76581ed6a8930caa609ce

SHA256
5cb22ccee1a8b75c76ff734ade511c73be1bb0e2f81fb463ccd85058c9bf028f

SHA512
6e82fa11b7d547f5228c0441ee847113f581508ae367d7345b304fe3877be255c16ab16dd66bb0c42ae64173d613b36dbbda419b35fea0587e5c34f76aed012e

Download Submit
\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe

Filesize
3.0MB

MD5
02208e4168793ef72942aa31c1ae8642

SHA1
449b579d0b642ca43419c0687cc799afe5aa9194

SHA256
22b198c5fc1e073ef00fc7a44ca20db5f44630f4e0e746abcf2060207d7129d9

SHA512
f50be51f1ff3da3da34d4c819021686842d024476993031e56313fde1aded427e9e81d0cb2956c98d29839fac140597a8e1b1cbd89a58c481be70ce88ce5507f

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
4.0MB

MD5
229df5fd5f850d26bb0b0a05f0918e9a

SHA1
400871984e6d833956f06734d7be5d8b7c8cb997

SHA256
4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

SHA512
1d1f829572daa2a90311f3db455970043a95928c10bad066b51af2aef24d1e72fbe45cbecb61d682414c0d511d104af93826f594f627474c7dd1d142bd306756

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
683.3MB

MD5
400d5459ce1dcde74578adc7eb364602

SHA1
c367737574925fee18c3881e51f261beff260072

SHA256
05fc01f5db054245f475896eb54a2cf4778519627d9d1385b8e998bd01d58df7

SHA512
5adce1fc50cc6fe22112ef4bbf829fd698bcd9df7b93bd6e6defec8f243f385a918b86b2a367452f46a32cc361d0faac744abd03acc1c0cd593e47bf5f2ad69f

Download Submit
memory/324-223-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/324-122-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-215-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-96-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-97-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/324-98-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/324-99-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/324-100-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/324-220-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/324-102-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/324-104-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/324-103-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-105-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-106-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-107-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-108-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-109-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-110-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-111-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-112-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-221-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-184-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-224-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/324-175-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-128-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/324-119-0x0000000000F60000-0x000000000187D000-memory.dmp

Filesize
9.1MB

Download
memory/324-123-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/636-124-0x00000000008E0000-0x0000000000F35000-memory.dmp

Filesize
6.3MB

Download
memory/988-281-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/988-294-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/988-290-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1452-203-0x000000013F0E0000-0x000000013FB01000-memory.dmp

Filesize
10.1MB

Download
memory/1452-229-0x000000013F0E0000-0x000000013FB01000-memory.dmp

Filesize
10.1MB

Download
memory/1452-214-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1452-204-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1452-201-0x000000013F0E0000-0x000000013FB01000-memory.dmp

Filesize
10.1MB

Download
memory/1452-222-0x000000013F0E0000-0x000000013FB01000-memory.dmp

Filesize
10.1MB

Download
memory/1452-210-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1452-238-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1548-296-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1548-289-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2064-144-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/2064-176-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/2064-146-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2064-145-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2064-143-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2064-142-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/2064-134-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2064-133-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2148-117-0x00000000041C0000-0x0000000004BE1000-memory.dmp

Filesize
10.1MB

Download
memory/2148-68-0x00000000041C0000-0x0000000004BE1000-memory.dmp

Filesize
10.1MB

Download
memory/2148-127-0x0000000004350000-0x0000000004C6D000-memory.dmp

Filesize
9.1MB

Download
memory/2148-12-0x00000000008E0000-0x0000000000F35000-memory.dmp

Filesize
6.3MB

Download
memory/2148-101-0x0000000004350000-0x0000000004C6D000-memory.dmp

Filesize
9.1MB

Download
memory/2456-185-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2456-192-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-191-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2456-190-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2456-189-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-188-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2456-187-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-183-0x000000001B0D0000-0x000000001B3B2000-memory.dmp

Filesize
2.9MB

Download
memory/2524-52-0x00000000001A0000-0x00000000003B0000-memory.dmp

Filesize
2.1MB

Download
memory/2524-42-0x00000000001A0000-0x00000000003B0000-memory.dmp

Filesize
2.1MB

Download
memory/2544-228-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/2544-235-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-295-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-291-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-287-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-273-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-260-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-248-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-243-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-242-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-241-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-225-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-226-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/2544-227-0x000007FEFD060000-0x000007FEFD0CC000-memory.dmp

Filesize
432KB

Download
memory/2544-240-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-239-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-230-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2544-231-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/2544-233-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/2544-232-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-234-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2544-236-0x0000000001090000-0x00000000019AD000-memory.dmp

Filesize
9.1MB

Download
memory/2684-121-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-95-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-51-0x00000000000F0000-0x000000000014A000-memory.dmp

Filesize
360KB

Download
memory/2684-116-0x0000000007520000-0x0000000007560000-memory.dmp

Filesize
256KB

Download
memory/2684-186-0x0000000007520000-0x0000000007560000-memory.dmp

Filesize
256KB

Download
memory/2684-45-0x00000000000F0000-0x000000000014A000-memory.dmp

Filesize
360KB

Download
memory/2684-53-0x00000000000F0000-0x000000000014A000-memory.dmp

Filesize
360KB

Download
memory/2684-43-0x00000000000F0000-0x000000000014A000-memory.dmp

Filesize
360KB

Download
memory/2684-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-120-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2904-196-0x000000013F1E0000-0x000000013FC01000-memory.dmp

Filesize
10.1MB

Download
memory/2904-195-0x000000013F1E0000-0x000000013FC01000-memory.dmp

Filesize
10.1MB

Download
memory/2904-118-0x000000013F1E0000-0x000000013FC01000-memory.dmp

Filesize
10.1MB

Download
memory/2904-94-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2904-74-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2904-77-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2904-69-0x000000013F1E0000-0x000000013FC01000-memory.dmp

Filesize
10.1MB

Download
memory/2904-73-0x000000013F1E0000-0x000000013FC01000-memory.dmp

Filesize
10.1MB

Download
memory/2944-198-0x000000013F0E0000-0x000000013FB01000-memory.dmp

Filesize
10.1MB

Download
memory/2964-284-0x00000000008E0000-0x0000000000F35000-memory.dmp

Filesize
6.3MB

Download
memory/2988-3-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2988-0-0x0000000000C00000-0x0000000001255000-memory.dmp

Filesize
6.3MB

Download