nanocore | 85bd3b83fb8e9310068cc155999c11d8ee2a71e88f757d59927a3564a97699e6

Analysis

max time kernel
141s
max time network
151s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-10-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rq6cPaymentreceipt.js
Size

81KB
MD5

989740b7f7dab7211c4005e833f37954
SHA1

a814fbaf107d44cbf8ae69a766cb5e7e90a08e4e
SHA256

85bd3b83fb8e9310068cc155999c11d8ee2a71e88f757d59927a3564a97699e6
SHA512

3831d2bf05c928ad2feb83b41ab7544eb62424ca05961698c1b7a349747aab39b75f745e303937af4fad38c437c31813bc471d9cc3ae2f016bc6c1036b6a801d

Score

10^/10

nanocore vjw0rm evasion keylogger persistence spyware stealer trojan worm

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

kenimaf.duckdns.org:8090

Mutex

543e7469-d950-4ec2-a110-de54f8d16167

Attributes

activate_away_mode
true
backup_connection_host
kenimaf.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-01T06:39:50.225932136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8090
default_group
kenn
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
543e7469-d950-4ec2-a110-de54f8d16167
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kenimaf.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

vjw0rm

http://6200js.duckdns.org:6200

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

9 2884 wscript.exe
25 2884 wscript.exe
27 2884 wscript.exe
29 2884 wscript.exe
31 2884 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

fj9onm3.exefj9onm3.exefj9onm3.exexzf75ic.exexzf75ic.exekq0uyzv.exekq0uyzv.exekq0uyzv.exe

pid process

676 fj9onm3.exe
3040 fj9onm3.exe
1392 fj9onm3.exe
1860 xzf75ic.exe
2440 xzf75ic.exe
816 kq0uyzv.exe
2144 kq0uyzv.exe
1552 kq0uyzv.exe

flow	pid	process
9	2884	wscript.exe
25	2884	wscript.exe
27	2884	wscript.exe
29	2884	wscript.exe
31	2884	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rq6cPaymentreceipt.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rq6cPaymentreceipt.js	wscript.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fj9onm3.exexzf75ic.exekq0uyzv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe = "0"	fj9onm3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe = "0"	xzf75ic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe = "0"	kq0uyzv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	fj9onm3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	fj9onm3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe = "0"	fj9onm3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\rq6cPaymentreceipt.js'"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

fj9onm3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fj9onm3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fj9onm3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 48 IoCs

Processes:

fj9onm3.exexzf75ic.exekq0uyzv.exe

pid	process
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe
816	kq0uyzv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fj9onm3.exexzf75ic.exekq0uyzv.exe

description	pid	process	target process
PID 676 set thread context of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 1860 set thread context of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 816 set thread context of 1552	816	kq0uyzv.exe	kq0uyzv.exe

Drops file in Windows directory 2 IoCs

Processes:

fj9onm3.exe

description	ioc	process
File created	C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe	fj9onm3.exe
File opened for modification	C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe	fj9onm3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

848 676 WerFault.exe fj9onm3.exe
1624 1860 WerFault.exe xzf75ic.exe
1852 816 WerFault.exe kq0uyzv.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3916 schtasks.exe

pid	pid_target	process	target process
848	676	WerFault.exe	fj9onm3.exe
1624	1860	WerFault.exe	xzf75ic.exe
1852	816	WerFault.exe	kq0uyzv.exe

pid	process
3916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fj9onm3.exepowershell.exepowershell.exepowershell.exefj9onm3.exeWerFault.exexzf75ic.exepowershell.exepowershell.exeWerFault.exepowershell.exe

pid	process
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
676	fj9onm3.exe
4020	powershell.exe
2224	powershell.exe
956	powershell.exe
2224	powershell.exe
956	powershell.exe
4020	powershell.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
2224	powershell.exe
956	powershell.exe
4020	powershell.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1392	fj9onm3.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
1860	xzf75ic.exe
3108	powershell.exe
1280	powershell.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
948	powershell.exe
1280	powershell.exe
3108	powershell.exe
948	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fj9onm3.exe

pid process

1392 fj9onm3.exe

pid	process
1392	fj9onm3.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

fj9onm3.exepowershell.exepowershell.exepowershell.exeWerFault.exefj9onm3.exexzf75ic.exepowershell.exepowershell.exeWerFault.exepowershell.exekq0uyzv.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	676	fj9onm3.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeRestorePrivilege	848	WerFault.exe
Token: SeBackupPrivilege	848	WerFault.exe
Token: SeDebugPrivilege	1392	fj9onm3.exe
Token: SeDebugPrivilege	848	WerFault.exe
Token: SeDebugPrivilege	1860	xzf75ic.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1624	WerFault.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	816	kq0uyzv.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1852	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exefj9onm3.exexzf75ic.exekq0uyzv.exe

description	pid	process	target process
PID 2884 wrote to memory of 3916	2884	wscript.exe	schtasks.exe
PID 2884 wrote to memory of 3916	2884	wscript.exe	schtasks.exe
PID 2884 wrote to memory of 676	2884	wscript.exe	fj9onm3.exe
PID 2884 wrote to memory of 676	2884	wscript.exe	fj9onm3.exe
PID 2884 wrote to memory of 676	2884	wscript.exe	fj9onm3.exe
PID 676 wrote to memory of 4020	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 4020	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 4020	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 956	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 956	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 956	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 2224	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 2224	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 2224	676	fj9onm3.exe	powershell.exe
PID 676 wrote to memory of 3040	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 3040	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 3040	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 676 wrote to memory of 1392	676	fj9onm3.exe	fj9onm3.exe
PID 2884 wrote to memory of 1860	2884	wscript.exe	xzf75ic.exe
PID 2884 wrote to memory of 1860	2884	wscript.exe	xzf75ic.exe
PID 2884 wrote to memory of 1860	2884	wscript.exe	xzf75ic.exe
PID 1860 wrote to memory of 3108	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 3108	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 3108	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 1280	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 1280	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 1280	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 948	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 948	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 948	1860	xzf75ic.exe	powershell.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 1860 wrote to memory of 2440	1860	xzf75ic.exe	xzf75ic.exe
PID 2884 wrote to memory of 816	2884	wscript.exe	kq0uyzv.exe
PID 2884 wrote to memory of 816	2884	wscript.exe	kq0uyzv.exe
PID 2884 wrote to memory of 816	2884	wscript.exe	kq0uyzv.exe
PID 816 wrote to memory of 296	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 296	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 296	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 1012	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 1012	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 1012	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 1456	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 1456	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 1456	816	kq0uyzv.exe	powershell.exe
PID 816 wrote to memory of 2144	816	kq0uyzv.exe	kq0uyzv.exe
PID 816 wrote to memory of 2144	816	kq0uyzv.exe	kq0uyzv.exe
PID 816 wrote to memory of 2144	816	kq0uyzv.exe	kq0uyzv.exe
PID 816 wrote to memory of 1552	816	kq0uyzv.exe	kq0uyzv.exe
PID 816 wrote to memory of 1552	816	kq0uyzv.exe	kq0uyzv.exe
PID 816 wrote to memory of 1552	816	kq0uyzv.exe	kq0uyzv.exe
PID 816 wrote to memory of 1552	816	kq0uyzv.exe	kq0uyzv.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\rq6cPaymentreceipt.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\rq6cPaymentreceipt.js
2⤵
- Creates scheduled task(s)
PID:3916

C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
"C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
"C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
"C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe"
3⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 2264
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
"C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
"C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe"
3⤵
- Executes dropped EXE
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 2228
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
"C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\짪짦짪짥쨢짼짩쨘쨗쨚짧쨗짣짨쨖\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
"C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
3⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
"C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe"
3⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 2236
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6b9a0dd8f019fa3f4452371eb818d53

SHA1
44f2c5c7fa8eeae62315bd77aa843651757be353

SHA256
65c2d361682cc0c3d906173982e3aa555ab361e1e2bb7793797dc9ed4f80e288

SHA512
5c5120057fa89f417479f51faeccdac2883df64c2ced113b39adc1968e9e1f74699f9ca55fb1a46d77d1d6cfa0e1bd9f2196ce64c2a84af1f380be93e7e82075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7952d51d44a4d98a85e6fbf9183a2807

SHA1
52f3849f91de0d2bbfa64db57741522c602264dd

SHA256
bd734d1f626b6eb90131104f7fe7e810d0f1f61ee598d3ace920ab497cadc324

SHA512
e7a64d71a36a011de0f0e1fcae424a75795e2ec272f88bd1b656ef47963628e3a4bbe636f1eeed48488b060294a22d19233f0b7b00b4efc1ce8f25afb6d58f55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7952d51d44a4d98a85e6fbf9183a2807

SHA1
52f3849f91de0d2bbfa64db57741522c602264dd

SHA256
bd734d1f626b6eb90131104f7fe7e810d0f1f61ee598d3ace920ab497cadc324

SHA512
e7a64d71a36a011de0f0e1fcae424a75795e2ec272f88bd1b656ef47963628e3a4bbe636f1eeed48488b060294a22d19233f0b7b00b4efc1ce8f25afb6d58f55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d0ac265e835bcebd3509ae6cd7dcf97f

SHA1
fa19262dd02ef4d0b59d17f761dccfa5c81d9acf

SHA256
8a6329db9966495d6532c3ae194274da5e4cce916fb414cb3ef6bd4d2bd16fbf

SHA512
935d459f26867a60f4ae3601d60f267581c47eec13a61d234b0a8b50d3d0b11072fba419aa4cab5ef5c25d2c7782c9ef290c7c91fecd418b7d76e7b9bb43da29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b6b7ebd3095230e06c753d8bdee51eaf

SHA1
1c2e106f6d76371b9480769e6b0e70abf92f4dc7

SHA256
64874f6f6eb6ec3f46bc9552fa4beb5f32de0df334e3a34737a073d1a1bc2495

SHA512
46753b515c94f1d7253e990031f7d6924e5810e0c71cba54398d1ac6cc17f611f84f47c4ff124946b3f9d29cc194d8ecc9f50133744baac4e4e699f5dffa6e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3146e17f153f6b1cc36460cc6660f920

SHA1
fe4a6b7dc870179e00bcb27df500e8e5dcd37d95

SHA256
8cbb6f1f9e5df797c8d407fd82d20e429264f2b056994d0cfb3f13189ec08cfc

SHA512
5213b994b571556fb4a6ec4d55ddcb423f2a49f64bbeedc6e318451a69cba4fc53c40222d9a713536da9f46661498849296218599434f88229ebe263e721492c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
62866622d006822c38053409713d8307

SHA1
766e19e81c7001934368c045f5a0ef800f5a3e99

SHA256
700bcca32223e18328e3489f31c21685d20d84186504caeba8d50cfde2d63460

SHA512
93b7f5b170a0d18893caf527a653845581ad72500465c938a69fcbb9ef77c15391bf0a0e4e2b7659d52ffc12c61d33f5079eb8141dcee3e77044fefb9534b929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
62866622d006822c38053409713d8307

SHA1
766e19e81c7001934368c045f5a0ef800f5a3e99

SHA256
700bcca32223e18328e3489f31c21685d20d84186504caeba8d50cfde2d63460

SHA512
93b7f5b170a0d18893caf527a653845581ad72500465c938a69fcbb9ef77c15391bf0a0e4e2b7659d52ffc12c61d33f5079eb8141dcee3e77044fefb9534b929

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj9onm3.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq0uyzv.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzf75ic.exe
MD5
5fd86e06e75df7a20aa8310b79ca7bf6

SHA1
cb6ea4acc8067dd2ffc614c11b6792b59c07a7a7

SHA256
d0d6f17e84af9584e983239c9440e91647d6f6cb0090bde9e813fa3a1b29503a

SHA512
65224fc7f426902604f337a9189b492b1fd8345ee0462b8e8831ff4f758fbc1da210ff761f3904f264d59ad39362ac9cd93dd0e737c178a1e958d37c104c54db

Download Submit
memory/296-1704-0x0000000000000000-mapping.dmp

Download
memory/296-1785-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

Filesize
4KB

Download
memory/296-1745-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

Filesize
4KB

Download
memory/296-1743-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/676-138-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/676-128-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/676-116-0x0000000000000000-mapping.dmp

Download
memory/676-119-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/676-145-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/676-121-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/676-124-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

Filesize
12KB

Download
memory/676-129-0x0000000006C00000-0x0000000006C8C000-memory.dmp

Filesize
560KB

Download
memory/676-130-0x000000000B550000-0x000000000B551000-memory.dmp

Filesize
4KB

Download
memory/816-1711-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/816-1690-0x0000000000000000-mapping.dmp

Download
memory/948-947-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/948-951-0x0000000004F92000-0x0000000004F93000-memory.dmp

Filesize
4KB

Download
memory/948-929-0x0000000000000000-mapping.dmp

Download
memory/948-1046-0x000000007EBE0000-0x000000007EBE1000-memory.dmp

Filesize
4KB

Download
memory/948-1096-0x0000000004F93000-0x0000000004F94000-memory.dmp

Filesize
4KB

Download
memory/956-165-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/956-140-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/956-132-0x0000000000000000-mapping.dmp

Download
memory/956-172-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/956-191-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/956-137-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/956-135-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/956-144-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/956-246-0x000000007F160000-0x000000007F161000-memory.dmp

Filesize
4KB

Download
memory/956-148-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/956-147-0x0000000007152000-0x0000000007153000-memory.dmp

Filesize
4KB

Download
memory/956-297-0x0000000007153000-0x0000000007154000-memory.dmp

Filesize
4KB

Download
memory/1012-1786-0x0000000004C23000-0x0000000004C24000-memory.dmp

Filesize
4KB

Download
memory/1012-1705-0x0000000000000000-mapping.dmp

Download
memory/1012-1742-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1012-1746-0x0000000004C22000-0x0000000004C23000-memory.dmp

Filesize
4KB

Download
memory/1280-1049-0x00000000073A3000-0x00000000073A4000-memory.dmp

Filesize
4KB

Download
memory/1280-928-0x0000000000000000-mapping.dmp

Download
memory/1280-1040-0x000000007FA30000-0x000000007FA31000-memory.dmp

Filesize
4KB

Download
memory/1280-955-0x00000000073A2000-0x00000000073A3000-memory.dmp

Filesize
4KB

Download
memory/1280-953-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/1392-154-0x000000000041E792-mapping.dmp

Download
memory/1392-178-0x0000000005390000-0x00000000053A9000-memory.dmp

Filesize
100KB

Download
memory/1392-175-0x0000000005380000-0x0000000005385000-memory.dmp

Filesize
20KB

Download
memory/1392-196-0x0000000006530000-0x0000000006545000-memory.dmp

Filesize
84KB

Download
memory/1392-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1392-177-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/1392-195-0x0000000006520000-0x000000000652D000-memory.dmp

Filesize
52KB

Download
memory/1392-179-0x0000000005DD0000-0x0000000005DD3000-memory.dmp

Filesize
12KB

Download
memory/1456-1749-0x00000000068F2000-0x00000000068F3000-memory.dmp

Filesize
4KB

Download
memory/1456-1706-0x0000000000000000-mapping.dmp

Download
memory/1456-1787-0x00000000068F3000-0x00000000068F4000-memory.dmp

Filesize
4KB

Download
memory/1456-1748-0x00000000068F0000-0x00000000068F1000-memory.dmp

Filesize
4KB

Download
memory/1552-1722-0x000000000041E792-mapping.dmp

Download
memory/1552-1751-0x0000000004DC0000-0x00000000052BE000-memory.dmp

Filesize
5.0MB

Download
memory/1860-912-0x0000000000000000-mapping.dmp

Download
memory/1860-924-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2224-133-0x0000000000000000-mapping.dmp

Download
memory/2224-189-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2224-186-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/2224-183-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/2224-180-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/2224-305-0x00000000069F3000-0x00000000069F4000-memory.dmp

Filesize
4KB

Download
memory/2224-150-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/2224-139-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2224-143-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2224-176-0x00000000069F2000-0x00000000069F3000-memory.dmp

Filesize
4KB

Download
memory/2224-253-0x000000007FC80000-0x000000007FC81000-memory.dmp

Filesize
4KB

Download
memory/2440-976-0x0000000004DB0000-0x00000000052AE000-memory.dmp

Filesize
5.0MB

Download
memory/2440-943-0x000000000041E792-mapping.dmp

Download
memory/3108-1048-0x0000000004E43000-0x0000000004E44000-memory.dmp

Filesize
4KB

Download
memory/3108-944-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3108-948-0x0000000004E42000-0x0000000004E43000-memory.dmp

Filesize
4KB

Download
memory/3108-927-0x0000000000000000-mapping.dmp

Download
memory/3108-1043-0x000000007F010000-0x000000007F011000-memory.dmp

Filesize
4KB

Download
memory/3916-115-0x0000000000000000-mapping.dmp

Download
memory/4020-131-0x0000000000000000-mapping.dmp

Download
memory/4020-248-0x000000007F7D0000-0x000000007F7D1000-memory.dmp

Filesize
4KB

Download
memory/4020-151-0x00000000068F2000-0x00000000068F3000-memory.dmp

Filesize
4KB

Download
memory/4020-193-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4020-301-0x00000000068F3000-0x00000000068F4000-memory.dmp

Filesize
4KB

Download
memory/4020-134-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4020-136-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4020-160-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/4020-142-0x00000000068F0000-0x00000000068F1000-memory.dmp

Filesize
4KB

Download
memory/4020-169-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download

pid	process
676	fj9onm3.exe
3040	fj9onm3.exe
1392	fj9onm3.exe
1860	xzf75ic.exe
2440	xzf75ic.exe
816	kq0uyzv.exe
2144	kq0uyzv.exe
1552	kq0uyzv.exe