Analysis

max time kernel: 52s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 08:21

Static task: static1

Behavioral task: behavioral1
  Sample: febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  Resource: win10v2004-20240426-en

Behavioral task: behavioral2
  Sample: febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  Resource: win11-20240508-en
General

Target: febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
Size: 1.8MB
MD5: fed6e1e51032a738d1230b2d666d2516
SHA1: 33a24d302456590d25cc98b52228ba778659cb6b
SHA256: febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c
SHA512: aec10391a2c91f50d0cea7ff88a74681f2d0b2a83a084cf842f982514a0ec655f9574b622ad7f163478a42d4a3ba8dfbcd9b3bdddd2512fb26efe8b3cb84db54
SSDEEP: 49152:DRxVfHfO3RYjtTtdgDFFXH7rpPO1Psz/tgZCfmPeg1Mf5F7:DHxmBYj/8pO1EZgZCwegq
Malware Config

Extracted: amadey
  version: 4.20
  C2: http://5.42.96.141
  C2: http://5.42.96.7
  install_dir: 908f070dff
  install_file: explorku.exe
  strings_key: b25a9385246248a95c600f9a061438e1
  url_paths: /go34ko8/index.php

Extracted: redline
  botnet: @CLOUDYTTEAM
  C2: 185.172.128.33:8970

Extracted: redline
  botnet: 1
  C2: 185.215.113.67:26260

Extracted: stealc
  C2: http://49.13.229.86
  url_path: /c73eed764cc59dcb.php

Extracted: xworm
  C2: 127.0.0.1:7000
  C2: beshomandotestbesnd.run.place:7000
  Install_directory: %ProgramData%
  install_file: taskmgr.exe
  telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
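The extracted configs above are what a responder actually blocks on, but they arrive in four shapes (bare URL, host:port, URL plus gate path, Telegram bot URL). The script below, added here as an example and not part of the sandbox's tooling, normalises them into one indicator list. It assumes the Amadey and Stealc check-in URL is the C2 joined with url_path (how those families use the two fields, not something the report states), and it drops non-routable placeholders such as XWorm's 127.0.0.1 entry so they never reach a blocklist.

```python
r"""Normalise the extracted configs above into one indicator list.

Added example for this report; it is not the sandbox's own tooling. Values are
transcribed from the "Malware Config" section. Assumption: the Amadey and
Stealc check-in URL is C2 + url_path (how those families use the fields; the
report itself does not say so).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

CONFIGS = {  # transcribed from the report
    "amadey": [{"c2": ["http://5.42.96.141", "http://5.42.96.7"], "url_paths": ["/go34ko8/index.php"],
                "install_dir": "908f070dff", "install_file": "explorku.exe"}],
    "redline": [{"botnet": "@CLOUDYTTEAM", "c2": ["185.172.128.33:8970"]},
                {"botnet": "1", "c2": ["185.215.113.67:26260"]}],
    "stealc": [{"c2": ["http://49.13.229.86"], "url_paths": ["/c73eed764cc59dcb.php"]}],
    "xworm": [{"c2": ["127.0.0.1:7000", "beshomandotestbesnd.run.place:7000"],
               "install_dir": "%ProgramData%", "install_file": "taskmgr.exe",
               "telegram": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"}],
}


@dataclass(frozen=True, order=True)
class Indicator:
    family: str
    kind: str   # url | socket | ip | domain | file | telegram_bot | telegram_chat
    value: str


def _routable(host: str) -> bool:
    """Drop loopback/private placeholders (XWorm's 127.0.0.1 fallback) from network IOCs."""
    try:
        return ip_address(host).is_global
    except ValueError:
        return True  # a hostname: keep it


def _host_kind(host: str) -> str:
    try:
        ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def indicators_from_config(family: str, cfg: dict) -> set:
    out = set()
    for c2 in cfg.get("c2", []):
        if "://" in c2:                      # HTTP gate: base URL plus each check-in path
            host = urlsplit(c2).hostname or ""
            out.add(Indicator(family, "url", c2))
            for path in cfg.get("url_paths", []):   # assumption: check-in URL = C2 + path
                out.add(Indicator(family, "url", c2.rstrip("/") + path))
        else:                                # raw host:port socket
            host, _, port = c2.rpartition(":")
            if _routable(host):
                out.add(Indicator(family, "socket", f"{host}:{port}"))
        if host and _routable(host):
            out.add(Indicator(family, _host_kind(host), host))
    if "install_file" in cfg:
        out.add(Indicator(family, "file", cfg.get("install_dir", "") + "\\" + cfg["install_file"]))
    if "telegram" in cfg:                    # exfil channel: bot id from the URL path, chat id from the query
        u = urlsplit(cfg["telegram"])
        bot_id = u.path.split("/")[1].removeprefix("bot").split(":")[0]
        out.add(Indicator(family, "telegram_bot", bot_id))
        out.add(Indicator(family, "telegram_chat", parse_qs(u.query)["chat_id"][0]))
    return out


def all_indicators(configs=CONFIGS) -> list:
    out = set()
    for family, entries in configs.items():
        for cfg in entries:
            out |= indicators_from_config(family, cfg)
    return sorted(out)


if __name__ == "__main__":
    for ind in all_indicators():
        print(f"{ind.family:8} {ind.kind:14} {ind.value}")
```

The bot token in the Telegram URL is deliberately not emitted as an indicator of its own: the bot id and chat id are the stable parts worth hunting for in proxy logs, and the token is the operator's credential rather than something to match on.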
Signatures

Detect Xworm Payload (2 IoCs)
  yara rule family_xworm:
    behavioral1/files/0x0007000000023478-612.dat
    behavioral1/memory/4528-631-0x00000000003B0000-0x00000000003E8000-memory.dmp  (PID 4528 = taskmgr.exe, the install_file named in the XWorm config)

Detect ZGRat V1 (3 IoCs)
  yara rule family_zgrat_v1:
    behavioral1/memory/3972-109-0x0000000000400000-0x0000000000592000-memory.dmp  (PID 3972 = RegAsm.exe spawned by alex.exe)
    behavioral1/files/0x0007000000023443-130.dat
    behavioral1/memory/4288-135-0x00000000004F0000-0x00000000005B0000-memory.dmp  (PID 4288 = trf.exe)

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
  yara rule family_redline:
    behavioral1/files/0x0007000000023443-130.dat  (also matched family_zgrat_v1 above)
    behavioral1/memory/1536-131-0x00000000004B0000-0x0000000000502000-memory.dmp  (PID 1536 = keks.exe)
    behavioral1/memory/4288-135-0x00000000004F0000-0x00000000005B0000-memory.dmp  (PID 4288 = trf.exe)
    behavioral1/files/0x0007000000023442-128.dat
    behavioral1/files/0x0009000000023446-214.dat
    behavioral1/memory/1636-228-0x00000000006A0000-0x00000000006F2000-memory.dmp  (PID 1636 = redline1.exe)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorku.exe (3 times)

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorku.exe (3 times)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   explorku.exe (3 times)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe

Executes dropped EXE (3 IoCs)
  PID 2864  explorku.exe
  PID 1120  explorku.exe
  PID 1772  explorku.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  Key opened  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine  explorku.exe (3 times)

Themida packer (yara rule themida, 12 IoCs)
  behavioral1/files/0x0007000000023433-182.dat
  behavioral1/memory/3888-201-0x0000000000340000-0x00000000009A5000-memory.dmp  (PID 3888 = fab662f01a.exe)
  behavioral1/memory/3888-202 through 3888-209, same region 0x0000000000340000-0x00000000009A5000 (eight further dumps of PID 3888)
  behavioral1/files/0x0007000000023487-586.dat
  behavioral1/memory/5324-602-0x0000000140000000-0x0000000140B56000-memory.dmp  (PID 5324 = fpyr5FyMS0SCZqo6WKk0yg0P.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 4400  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  PID 2864  explorku.exe
  PID 1120  explorku.exe
  PID 1772  explorku.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2864 (explorku.exe) set thread context of PID 1772 (explorku.exe, procid_target 96)

Drops file in Windows directory (1 IoC)
  File created  C:\Windows\Tasks\explorku.job  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe
  (a Task Scheduler job file; consistent with the parentless explorku.exe launch as PID 1120 in the process tree below)

Launches sc.exe (5 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID 3752  sc.exe
  PID 5196  sc.exe
  PID 6028  sc.exe
  PID 5388  sc.exe
  PID 5864  sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  PID 4048  WerFault.exe  for crashed PID 4564 (alex.exe, procid_target 103)
  PID 3668  WerFault.exe  for crashed PID 5216 (toolspub1.exe, procid_target 175)

Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5452  schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 4400  febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe (2 times)
  PID 2864  explorku.exe (2 times)
  PID 1120  explorku.exe (2 times)
  PID 1772  explorku.exe (2 times)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4400 (febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe) wrote to memory of PID 2864 (explorku.exe, procid_target 89), 3 times
  PID 2864 (explorku.exe) wrote to memory of PID 1772 (explorku.exe, procid_target 96), 12 times
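The four registry signatures above (the VirtualBox ACPI table, the BIOS version strings, Software\Wine and Geo\Nation) are the standard sandbox and VM checks, and the useful signal is their co-occurrence in one process rather than any single read, since legitimate installers also read SystemBiosVersion. The Python below, an added example rather than a vendor rule set, normalises kernel-style and Win32-style key paths onto one form, classifies each access against those four patterns, and marks a process evasive once two or more distinct anti-analysis checks fire. It goes slightly beyond the report in one place: the VirtualBox rule also covers the FADT and RSDT tables, while the report shows only DSDT. The events are transcribed from the IoCs above; the msiexec.exe event is a constructed benign control.

```python
r"""Classify registry accesses like the anti-analysis IoCs listed above.

Added example for this report, not a vendor rule set. Events are constructed
from the 'Key opened' / 'Key value queried' lines above, in the kernel path
form the report uses (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...).
The VirtualBox rule also covers FADT and RSDT (the report shows only DSDT);
the msiexec.exe event is an invented benign control.
"""
import re
from collections import defaultdict

# Map kernel and Win32 prefixes onto two canonical roots so one rule set serves both.
_PREFIXES = [
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ("HKEY_USERS\\", "HKU\\"),
    ("HKEY_CURRENT_USER\\", "HKU\\*\\"),   # SID unknown in this form; '*' fills the SID slot
]

RULES = [  # (label, pattern over the normalised path, why it matters)
    ("anti-vm:virtualbox-acpi", re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "ACPI table OEM id VBOX__ exists only inside VirtualBox"),
    ("anti-sandbox:bios-version", re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "BIOS strings name the hypervisor firmware"),
    ("anti-sandbox:wine", re.compile(r"^HKU\\[^\\]+\\Software\\Wine$", re.I),
     "this key only exists under Wine"),
    ("geofence:locale", re.compile(r"^HKU\\[^\\]+\\Control Panel\\International\\Geo\\Nation$", re.I),
     "GeoID lookup; loaders use it to skip certain countries"),
]


def normalize_path(path: str) -> str:
    low = path.lower()
    for raw, canon in _PREFIXES:
        if low.startswith(raw.lower()):
            return canon + path[len(raw):]
    return path


def classify(path: str) -> list:
    p = normalize_path(path)
    return [label for label, pat, _ in RULES if pat.search(p)]


def assess(events, min_anti: int = 2) -> dict:
    """Per process: every label hit, and 'evasive' once at least min_anti distinct
    anti-* checks fire. One BIOS read is common in installers; several checks are not."""
    labels = defaultdict(set)
    for ev in events:
        labels[ev["process"]].update(classify(ev["path"]))
    return {proc: {"labels": sorted(ls),
                   "evasive": sum(l.startswith("anti-") for l in ls) >= min_anti}
            for proc, ls in labels.items()}


SID = "S-1-5-21-711569230-3659488422-571408806-1000"
SAMPLE = "febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe"


def _hku(sub: str) -> str:
    return "\\REGISTRY\\USER\\" + SID + "\\" + sub


SAMPLE_EVENTS = [  # transcribed from the signatures above, plus one constructed benign control
    {"process": SAMPLE, "op": "Key opened", "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"process": SAMPLE, "op": "Key value queried", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"process": SAMPLE, "op": "Key value queried", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"process": SAMPLE, "op": "Key opened", "path": _hku(r"Software\Wine")},
    {"process": SAMPLE, "op": "Key value queried", "path": _hku(r"Control Panel\International\Geo\Nation")},
    {"process": "explorku.exe", "op": "Key opened", "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"process": "explorku.exe", "op": "Key value queried", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"process": "explorku.exe", "op": "Key opened", "path": _hku(r"Software\Wine")},
    {"process": "msiexec.exe", "op": "Key value queried", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

if __name__ == "__main__":
    for proc, v in assess(SAMPLE_EVENTS).items():
        print(f"{proc}: evasive={v['evasive']} {v['labels']}")
```

The geofence label is kept separate from the anti-* family on purpose: a Geo\Nation read says nothing about evasion by itself, but combined with the checks above it tells you the loader decides whether to run based on victim locale, which is worth recording even when it does not change the verdict.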
Processes

[1] C:\Users\Admin\AppData\Local\Temp\febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe  (PID 4400)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe  (PID 2864)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe  (PID 1772)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe  (PID 1316)
      [4] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe  (PID 1200)
        [5] C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe  (PID 4564)
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3972)
            [7] C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe  (PID 1536)
            [7] C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe  (PID 4288)
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 212)
                cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
              [8] C:\Windows\SysWOW64\choice.exe  (PID 6004)
                  cmdline: choice /C Y /N /D Y /T 3
          [6] C:\Windows\SysWOW64\WerFault.exe  (PID 4048)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 332
              - Program crash
        [5] C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe  (PID 452)
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3080)
        [5] C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe  (PID 1636)
        [5] C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe  (PID 2988)
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 1264)
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
            [7] C:\Windows\SysWOW64\sc.exe  (PID 3752)
                cmdline: Sc stop GameServerClient
                - Launches sc.exe
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5128)
                cmdline: GameService remove GameServerClient confirm
            [7] C:\Windows\SysWOW64\sc.exe  (PID 5196)
                cmdline: Sc delete GameSyncLink
                - Launches sc.exe
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5212)
                cmdline: GameService remove GameSyncLink confirm
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5280)
                cmdline: GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5316)
                cmdline: GameService start GameSyncLink
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 5912)
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
            [7] C:\Windows\SysWOW64\sc.exe  (PID 6028)
                cmdline: Sc stop GameServerClientC
                - Launches sc.exe
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5100)
                cmdline: GameService remove GameServerClientC confirm
            [7] C:\Windows\SysWOW64\sc.exe  (PID 5388)
                cmdline: Sc delete PiercingNetLink
                - Launches sc.exe
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5412)
                cmdline: GameService remove PiercingNetLink confirm
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5444)
                cmdline: GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 3364)
                cmdline: GameService start PiercingNetLink
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 5772)
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
            [7] C:\Windows\SysWOW64\sc.exe  (PID 5864)
                cmdline: Sc delete GameSyncLinks
                - Launches sc.exe
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 2928)
                cmdline: GameService remove GameSyncLinks confirm
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5924)
                cmdline: GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
            [7] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5892)
                cmdline: GameService start GameSyncLinks
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 5236)
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        [5] C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe  (PID 5380)
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5508)
        [5] C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe  (PID 5176)
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2124)
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 1800)
        [5] C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe  (PID 3624)
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe  (PID 5676)
            [7] C:\Users\Admin\Pictures\BVNeDqpHYIUJ6TClf4oorTEP.exe  (PID 5900)
            [7] C:\Users\Admin\Pictures\C8qK3lVJHH6dZEQTUufLK0m4.exe  (PID 5852)
            [7] C:\Users\Admin\Pictures\O6deVVCDiPTdTEgTkAbvm9kc.exe  (PID 3496)
            [7] C:\Users\Admin\Pictures\MpquEarF5zHBaSwfeqkHOYfX.exe  (PID 5896)
            [7] C:\Users\Admin\Pictures\fpyr5FyMS0SCZqo6WKk0yg0P.exe  (PID 5324)
            [7] C:\Users\Admin\Pictures\SgVTJleu6qQuUB2w66epN7qv.exe  (PID 2424)
            [7] C:\Users\Admin\Pictures\GQkY89TcJ6pmVdmVShFjmRMW.exe  (PID 3324)
        [5] C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe  (PID 5668)
          [6] C:\Windows\SysWOW64\schtasks.exe  (PID 5452)
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
              - Creates scheduled task(s)
          [6] C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe  (PID 5984)
            [7] C:\Users\Admin\AppData\Local\Temp\u4m8.0.exe  (PID 4872)
          [6] C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe  (PID 5216)
            [7] C:\Windows\SysWOW64\WerFault.exe  (PID 3668)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 352
                - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe  (PID 3308)
        [5] C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe  (PID 4528)
    [3] C:\Users\Admin\1000006002\fab662f01a.exe  (PID 3888)

[1] C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe  (PID 1120)
    cmdline: C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    (separate launch with no parent in the tree, consistent with the C:\Windows\Tasks\explorku.job persistence noted under Signatures)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1784)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4564 -ip 4564

[1] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 5344)
  [2] C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe  (PID 5556)
    [3] C:\Windows\Temp\239303.exe  (PID 5620)
        cmdline: "C:\Windows\Temp\239303.exe" --list-devices

[1] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 4984)
  [2] C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe  (PID 5380)
      (PID 5380 also appears above for swizzhis.exe; the PID was reused after that process exited)

[1] C:\Program Files (x86)\GameSyncLink\GameService.exe  (PID 6024)
  [2] C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe  (PID 6080)
    [3] C:\Windows\Temp\866490.exe  (PID 5404)
        cmdline: "C:\Windows\Temp\866490.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
        (Monero miner arguments: pool xmr.2miners.com:2222, a 95-character XMR subaddress as the wallet, one mining thread, local HTTP API on port 14343)

[1] C:\Windows\system32\svchost.exe  (PID 760)
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

[1] C:\Windows\system32\svchost.exe  (PID 5872)
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    (WPDBusEnum is the Portable Device Enumerator service)

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 5304)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5216 -ip 5216
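Read as a tree, the process list above shows the behaviours worth alerting on independently of this sample: a .NET SDK utility (RegAsm.exe, installutil.exe) started by a binary from a user-writable path, schtasks with a one-minute cadence, the cmd /C choice ... & Del self-deletion idiom, a batch under cmd.exe that tears a service down through sc.exe and reinstalls it, and a miner command line carrying a pool endpoint and a Monero wallet. The Python below, added as an example and not the sandbox's own logic, rebuilds parent/child relations from (pid, ppid, image, cmdline) rows transcribed from the tree (a representative subset; command lines are left empty where only the image matters) and applies those five rules. Rule names are mine, and the .NET-utility rule generalises beyond RegAsm.exe and installutil.exe to the other SDK binaries commonly used as injection hosts.

```python
r"""Process-tree rules for the execution chain shown above.

Added example for this report; it is not the sandbox's own logic. Rows are
(pid, ppid, image, cmdline) transcribed from the process list, a subset with
the command line left empty where only the image matters. Rule names are
mine; DOTNET_UTILS generalises RegAsm.exe/installutil.exe to the other SDK
binaries commonly abused as injection hosts.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    rule: str
    pid: int
    name: str
    detail: str


USER_WRITABLE = re.compile(r"\\(AppData|Temp|Pictures|ProgramData)\\", re.I)
DOTNET_UTILS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
POOL = re.compile(r"(?:^|\s)-o\s+([\w.-]+:\d+)")
# Monero addresses: 95 base58 characters starting with 4 (standard) or 8 (subaddress).
XMR_WALLET = re.compile(r"(?<![0-9A-Za-z])[48][1-9A-Za-z]{94}(?![0-9A-Za-z])")


def analyse(rows) -> list:
    procs = {r[0]: Proc(*r) for r in rows}
    children = defaultdict(list)
    for p in procs.values():
        children[p.ppid].append(p)
    out = []
    for p in procs.values():
        parent, cl = procs.get(p.ppid), p.cmdline
        # 1. .NET SDK utility started by a binary in a user-writable path: hollowing/injection host
        if p.name in DOTNET_UTILS and parent and USER_WRITABLE.search(parent.image):
            out.append(Finding("dotnet-utility-host", p.pid, p.name,
                               f"spawned by {parent.name} ({parent.pid}) from {parent.image}"))
        # 2. schtasks re-running a payload every few minutes
        m = re.search(r"/SC\s+MINUTE\s+/MO\s+(\d+)", cl, re.I)
        if p.name == "schtasks.exe" and m and int(m.group(1)) <= 5:
            tn = re.search(r"/TN\s+(\S+)", cl, re.I)
            out.append(Finding("schtasks-minute-persistence", p.pid, p.name,
                               f"every {m.group(1)} min, task {tn.group(1) if tn else '?'}"))
        # 3. cmd /C choice ... & Del: delayed self-deletion of the dropper
        if p.name == "cmd.exe" and re.search(r"choice\s+/C\s+Y.*\bdel\b", cl, re.I):
            out.append(Finding("delayed-self-delete", p.pid, p.name, cl))
        # 4. batch under cmd.exe that removes and re-installs a service (sc delete + install + start)
        sib = children.get(p.pid, [])
        if p.name == "cmd.exe" and any(s.name == "sc.exe" for s in sib):
            joined = " | ".join(s.cmdline.lower() for s in sib)
            if all(k in joined for k in (" delete ", " install ", " start ")):
                installs = [s.cmdline for s in sib if " install " in s.cmdline.lower()]
                out.append(Finding("batch-service-install", p.pid, p.name, "; ".join(installs)))
        # 5. miner command line: a pool endpoint plus a Monero wallet
        pool, wallet = POOL.search(cl), XMR_WALLET.search(cl)
        if pool and wallet:
            out.append(Finding("xmr-miner-cmdline", p.pid, p.name,
                               f"pool={pool.group(1)} wallet={wallet.group(0)[:12]}..."))
    return out


T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
PF = r"C:\Program Files (x86)\GameSyncLink"
SAMPLE_PROCESSES = [  # subset of the tree above
    (4400, 0, T + r"\febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c.exe", ""),
    (2864, 4400, T + r"\908f070dff\explorku.exe", ""),
    (1316, 2864, T + r"\1000005001\amers.exe", ""),
    (1200, 1316, T + r"\7af68cdb52\axplons.exe", ""),
    (4564, 1200, T + r"\1000003001\alex.exe", ""),
    (3972, 4564, NET + r"\RegAsm.exe", ""),
    (212, 3972, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"'),
    (2988, 1200, T + r"\1000006001\install.exe", ""),
    (1264, 2988, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + PF + r'\installg.bat" "'),
    (3752, 1264, r"C:\Windows\SysWOW64\sc.exe", "Sc stop GameServerClient"),
    (5196, 1264, r"C:\Windows\SysWOW64\sc.exe", "Sc delete GameSyncLink"),
    (5280, 1264, PF + r"\GameService.exe", 'GameService install GameSyncLink "' + PF + r'\GameSyncLink.exe"'),
    (5316, 1264, PF + r"\GameService.exe", "GameService start GameSyncLink"),
    (3624, 1200, T + r"\1000013001\file300un.exe", ""),
    (5676, 3624, NET + r"\installutil.exe", ""),
    (5668, 1200, T + r"\1000015001\NewB.exe", ""),
    (5452, 5668, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "' + T + r'\1000015001\NewB.exe" /F'),
    (6024, 0, PF + r"\GameService.exe", ""),
    (6080, 6024, PF + r"\GameSyncLinks.exe", ""),
    (5404, 6080, r"C:\Windows\Temp\866490.exe",
     r'"C:\Windows\Temp\866490.exe" --http-port 14343 -o xmr.2miners.com:2222 -u '
     "83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y"
     " --coin XMR -t 1 --no-color -p x"),
]
```

Call `analyse(SAMPLE_PROCESSES)` to get the findings; against the rows above it reports both RegAsm.exe (PID 3972) and installutil.exe (PID 5676) as utility hosts, the one-minute NewB.exe task, the self-deleting cmd.exe under RegAsm.exe, the GameSyncLink service swap under installg.bat, and the miner with its pool and wallet. The service rule looks at siblings rather than the sc.exe process itself because a lone `sc delete` is routine administration; it is the delete-install-start sequence from one batch that marks a hijack of an existing service name.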
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 288KB
MD5: d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1: e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256: 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA512: 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Filesize: 2.5MB
MD5: e6943a08bb91fc3086394c7314be367d
SHA1: 451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256: aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512: 505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Filesize: 2.1MB
MD5: e362775bdbacb09a7b6d2a93b38562e4
SHA1: 662a852d0579854dc6779b24cb4481acdf3bad7e
SHA256: 54aa5005bfceae0a9fa081b44e3b40a533fdb1705153c355629204413133f3db
SHA512: 453aabb68f747d09345a502b8c56dc34677c845e0ca3d7264ddad2ef6465d72f5e0f1b91aa8e44b2cfa8368750fe6ade61059f141a5d04728ed5901dd5d19db7

Filesize: 2.3MB
MD5: 0ccbd9a304e057e90346d7e7fd01378d
SHA1: 2efe7b1f375f7f059bc69551f04cb416cbd7d855
SHA256: 5f561f5dcd6a1a14b88956056d704c6532dd7300b1c7934a3bed269c43fc4beb
SHA512: a2d656a8506fe2dd3d3c46f2108d888b700a4c301b709c4da8c1d819991c3e336c1f25df2f6df4fbbcad96c73b3f4a08ccbf3065cf2f64b453b5638e32e4f8f5

Filesize: 2.7MB
MD5: 12d8cbde2f311aaec7c0db642db92e49
SHA1: 5d9f1f93127b56783ebb193125c9dfa04ab25392
SHA256: 088c4f114dd1d798632aa93518455165661d471b3de1f16745c136b82e78fa13
SHA512: 2d9e2c0abc3fddb95363bf8a76ec272f61decbff0926dafde2b9ced9ceedb6d964db47974215def202340fc4749d2b258466c158249d5f1b40072b98380f733f

Filesize: 2.6MB
MD5: cc681c1dffdf9796d3c5362594621fed
SHA1: fbb2884a711ddb74cc12eb2efb7b82c5dad09d4c
SHA256: d92002891ec3f9a7212e3aac2bb848a08bcb22de019e7d8c3cbfee0080aa8392
SHA512: d7c8669d9541711a754db5d152af5dec23055e60b008f3eabeb04eac0463c5e9b54cf00eb79fcd17608f6bcf98978f70695da5525e4bc73f0faaf6b250d9f857

Filesize: 301B
MD5: 998ab24316795f67c26aca0f1b38c8ce
SHA1: a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256: a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA512: 7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Filesize: 284B
MD5: 5dee3cbf941c5dbe36b54690b2a3c240
SHA1: 82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA256: 98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA512: 9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Filesize: 218B
MD5: 94b87b86dc338b8f0c4e5869496a8a35
SHA1: 2584e6496d048068f61ac72f5c08b54ad08627c3
SHA256: 2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512: b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 1.2MB
MD5: d57820879867c26d0a12cf705742aea5
SHA1: 099ed7e26d3aa905241e223fd562efb4a6da3117
SHA256: ef7ca3616ad339af502d30320b0f297171e259348d2f2dddb4dc2f36f237218c
SHA512: dcccfbac75a5c7f1ab3950a901fa984ae1389d2b6725fc02f0e8f756cb48f38100afa0c9b7859d5b068ead7974c4fd3598273fe7dfdcf969502ab10d27fc83e0

Filesize: 2.0MB
MD5: 68897d4279776c9c6d1142d12e1999cf
SHA1: 8a00a1914dce41285174e783578fd81cb0fe9d98
SHA256: 30d22241c1935366afdc8159f8e064d05213897090d9310fc524e0bc07094692
SHA512: 961206e1e53ef5cbfea1e095d733419a9e43ab259b5b70453df2a21d23aa439365b58f5b8438920dc9279b94286763d61635e1633d2879e5e315f7b7b0410942

Filesize: 2.7MB
MD5: 31841361be1f3dc6c2ce7756b490bf0f
SHA1: ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256: 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512: 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Filesize: 402KB
MD5: 7f981db325bfed412599b12604bd00ab
SHA1: 9f8a8fd9df3af3a4111e429b639174229c0c10cd
SHA256: 043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b
SHA512: a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Filesize: 1.8MB
MD5: 19d375b8c6ddbb050a704ed00c4a5b16
SHA1: 6e1da4c429d6af6099670f3ba33d48b70aef46e4
SHA256: 869602f665fe213ddb7baba281e9773e2f0f03d1f215f6f02a51d55bdf630c14
SHA512: 9fa9b5d2a42d77959ae049e54319fa128efd5b70347c3a045083fa19553ffd14c962eba5a8bc1ace9efb00ee9b68a19347c18ebcd9750521f0a94ffa6e6aeb59

Filesize: 304KB
MD5: 9faf597de46ed64912a01491fe550d33
SHA1: 49203277926355afd49393782ae4e01802ad48af
SHA256: 0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512: ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Filesize: 3.1MB
MD5: ee0f0c1e5f5246571d17b582d2774161
SHA1: 3887fd1af1cd20ad23e2fc19038bcc6f86987fdc
SHA256: cf8607a7d98df0ff91aaffd3c3803b4dc8906671c1eaf20c23c5d65de840acde
SHA512: 7696219dad7327d181690721a0d15adc574af079a1d43278a576cfaafdde0c5ed1597348762f4e992f051ff71f119972afc1e1a5a0480160268065fa93823a69

Filesize: 3.2MB
MD5: 477b90ee84c4a585fe93d285443132bf
SHA1: 17bbbe699422aa8db975cb4d23b0473d263c9696
SHA256: df64ce8ccd0f232e11f866e7549f860c82b77f75ad98383d6b23965ae3ccb4b6
SHA512: b51251ca47ea1213933acb923ff85efadfcc5892c5c03ac5478d4e97e1c139a679f203e7c1ca5770279ae67b83187cf40473629c8383ad57d121dbc6c2b6f2ca

Filesize: 3.1MB
MD5: 4d0b9462bca1234ba07f9159d0cf543a
SHA1: 655db3ae1bc491e31ea9b5c0b7a76e067205456d
SHA256: afd6472f4315ef0e4eb601d075f4a428ed2e329472cba7c294b29d521c0233b7
SHA512: cd978bc21f14842565bd642a12b8a171cbbe4f0bbc95b5990462c4865fad7dd37f39b376d80a01a23f598552329ed671934a7a0dfb3874075bb26ad767a61ab8

Filesize: 1.0MB
MD5: 808c0214e53b576530ee5b4592793bb0
SHA1: 3fb03784f5dab1e99d5453664bd3169eff495c97
SHA256: 434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61
SHA512: 2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Filesize: 1.2MB
MD5: 56e7d98642cfc9ec438b59022c2d58d7
SHA1: 26526f702e584d8c8b629b2db5d282c2125665d7
SHA256: a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA512: 0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Filesize: 2.4MB
MD5: 87f06385fdd0b53f8d0d20169a8540e7
SHA1: 96fe9dae43a195bad7760328e2a436cfd5be735d
SHA256: af9c03f489ab707200bed90eb670965e9dd97a21428c1f00ba4c5eca51f9addf
SHA512: 751250b372d53093a4beb39d405b36b97f4a552f4191e3db07090be24a3ce6d122aa6ebb9a2b9147c7c09c4deffb2efd14812ec0f0291688f54b5ac9867cadeb

Filesize: 2.7MB
MD5: d18dbc8c3596af59d661a2d0437bb173
SHA1: 0a88bb498001120fc5ae83764c5339f06ae70bac
SHA256: ca58a17fe665c5997d673e7e5317d2a70dc2225ced1dbeea010888874ae48a81
SHA512: 25c2563ec9bf5fbd9f8c3a0606015ba93f4cfd8a8ea9dae72b34fc43c57cb024c3fb97b6bf82b6a59d79b092c014c4c47ca202126755a96880e7476cc91e5e76

Filesize: 418KB
MD5: 0099a99f5ffb3c3ae78af0084136fab3
SHA1: 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256: 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512: 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Filesize: 199KB
MD5: 73309cc961f9645c1c2562ffcdc2dab1
SHA1: 6a8545c08c931e016198c80b304ade1c1e8f7a17
SHA256: 287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298
SHA512: 89858a407acbc7c13a4bd40031abd6803c311d381a37702631b1739d9f0e67c6afae50e6d1188b54a7d0e1ddfbcb6857b68f8f44cad3b10b1b31b53f1b676914

Filesize: 386KB
MD5: 258e2128803910f3b69a21d5bae342c4
SHA1: fa9bb27e5804e43b268f063b69d40d8b9d6e05fc
SHA256: 7954fe796c7bdfd2286b9c29349d8f349f02a0cb53e19bb5bbeaef65108f9e33
SHA512: 03027a8add75e227870f8db62472807709c7343be3376b8791c38c94a2f6a22859da21c6c2672e65a6ca1e9e697a6c63d094b1d03ff7ad150c1f52ff31cbcd42

Filesize: 240KB
MD5: 6bcbbfac4eb7dbecb5a44983645a75db
SHA1: 06335c12d2dc398efa4956674628debaf8a22b39
SHA256: f73c2ff7df05fca90c08e6ac7a30b97f56a5f62ddc1aed09e0970dc416f995aa
SHA512: 550b13098d9842bc79b441721b6a93f085d75c274d7b5e0387fae87f9cf5a3566fb13694b5369149e093cb41a109fa015a9698f0553827c8c46c864083a54a33

Filesize: 411KB
MD5: 15ef2d8cbd2cd1a651bd57dd0934f298
SHA1: fe9c1ed02180cfdb311178bf7eca676b97ef527c
SHA256: 436c790acb8471a1e37519c991c85f6e1197f937324435ed47978bffb0d7ab29
SHA512: edc5b9e592503de5bd2d26a72dc472adb7058e502bf9f9772586b15347430cb7cd4b0b2d48ab735af7420c046e67f589e283c91dfc812e62536a873b6d5922e6

Filesize: 1.8MB  (same hashes as the submitted sample under General)
MD5: fed6e1e51032a738d1230b2d666d2516
SHA1: 33a24d302456590d25cc98b52228ba778659cb6b
SHA256: febb183da4d8c283083eb9a90a9008ff8fc14cb2750749d1009284a49458269c
SHA512: aec10391a2c91f50d0cea7ff88a74681f2d0b2a83a084cf842f982514a0ec655f9574b622ad7f163478a42d4a3ba8dfbcd9b3bdddd2512fb26efe8b3cb84db54

Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Filesize: 239KB
MD5: 431c601846123a7b4aa67d75e31a3dfd
SHA1: 0704a6551c01b3b5744e7b743b33ffa5be2b4ced
SHA256: 0a9eab89753e07a01b1c5e0197acefea9cc05e5f7829823f811e7aa1d7b817b7
SHA512: 87a0f6eb99baf620b25216ba491f4891154224ad44ecbbe209c5189585d4cc8abea25ef7b34d78608f074c00ce76374fe49252d76b693521363aced52e4cda27

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-711569230-3659488422-571408806-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e
Filesize: 2KB
MD5: 06df6e3bb4c6a84475ef261f195cf61d
SHA1: 6cd2e25965c08fd1c8670ea7532f81455496b0e4
SHA256: 1b8221aa8c50960aeda0ed07262c644162e690fe86afcdaace6faa1481c5a422
SHA512: 60345e459dca17536b99b9b69274fe2c3a41687604d7c7fe6b7e63abffec7f75f5ae1e466eddce1f4548e2adb0608ef345a068d0ad1c5e223fad5a732b4187ec

Filesize: 304KB
MD5: 0c582da789c91878ab2f1b12d7461496
SHA1: 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256: a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512: a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Filesize: 750KB
MD5: 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1: 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256: daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512: db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Filesize: 7KB
MD5: 77f762f953163d7639dff697104e1470
SHA1: ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256: d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512: d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Filesize: 1.9MB
MD5: a3ca8b4d27a107850a0f153be808856e
SHA1: ba33151275c8b2e549381ceb189ced59c719afa4
SHA256: cbffbc715debabad82082c9fa3bef620a7ffc5106ed2af11f42c827d9b6e8db2
SHA512: 4b53acec4754bff47559154c722bf5c1b77510e1676580c61e86beda9d4e196cc0fb15255fa1d39005604cb469a20d9b0d0646503e67ce3830c952ae1020f944

Filesize: 2.4MB
MD5: 103ee572c628c97bf2d2748852184e11
SHA1: bff69f2f6571f7cc2f88a2a7cf3d53257a40a535
SHA256: 24400bec9747a0abd28c8f5088b99b05a7e838f5af5a8a99fdea6c434d5f05d7
SHA512: 63592ab4ee633ad2bbf5eb8be4b9916e1872572218aea1f834f1c9f8302c87f614af80fe168c2683da96601ad8252f02feed2426d9c723ebffa0f6c25200a1ab

Filesize: 1.6MB
MD5: 0bbbfe06bb87d8129a365253fd9030c9
SHA1: 15d58fa04d8e4c1c82a7a5c1c02538cbcbee6fe5
SHA256: 98f2f54dde6794b7e6187670e49aa3306d765253154ef1676183d37aa57fef20
SHA512: 6c8a2e396476b28ca26ef31589824c7186b4004646c70be77aea1d5e27482e4f0907140ea4a09a06f409366bbc215e3b061f2352886309f56ef3c54592b3e78f

Filesize: 1.9MB
MD5: a5a32cfda67d4f7a36b917946cabfa29
SHA1: 25c9ba76c5a7c36ff9eee9b1d686638002fcc8e8
SHA256: 1510a4daac90e336080a56d79232bfdd7de29858852334e50b922daaf0be83f0
SHA512: 646fdc612d3b71c5380e9a43383067aca9affbd443e5b4bb9baee75e63339d71a79ca77f87662fe971f1fb1ce6ec9c95c22f5a3c3d1f23556fedf56f878cc653

Filesize: 2KB
MD5: fe59138b890ef674183c0bc6d2e15935
SHA1: 6271a538000260da0a4c56ed5a2b6b82549c3a69
SHA256: 868dc232f7b220d4d97e13a46257cb3748fe2e36be39241b3a056d3bc7007768
SHA512: c5e35d0f52e60a566dc2cbde0ecdf66ac9f7b7b0e2bd764e57ab7023617adec3468c70e74182d5fa52baec2b29b70ee7b5af41be137509cbd1877c096bc22ec5

Filesize: 2KB
MD5: fa47541b4ec74047aa1a56f29ed59854
SHA1: bc55b9fe7db0381dc089a705ba2101058ef2d1f1
SHA256: 680766d80434f5ae562065b1194493d6879550f9d124456040e25c6d593b4ddd
SHA512: bb096c81e4555aa321adf47422ccfade1adb331e40cf37908ec556b555efe9893aebb5d7529ea72a6671e53b5dd6c0fb9a835b43f83d273cc52a506a727ca269

Filesize: 2KB
MD5: 02100e52fb1d3764475c29fc25fcb59a
SHA1: fe78c3ddb5d82a276e17e478dc473dbbca72fa0b
SHA256: 809deb04be8c39ba233266e8b283398a891012fb89ecbdbc071d0ddcdbf764f4
SHA512: 72c96153eade1ec3fd47350d3cd56ffbaeaabc6b48fa9d66e4a7bfdcdc103a51ec08cb150e265c633657fb9a8313422310161b5ca3e22cf85f007ce8e233fdbf

Filesize: 2KB
MD5: 7baf534cce1c13950e232488a4b2c45e
SHA1: cb772d23d6c9230a87e405f76945b5db572fbfa5
SHA256: 86120e079a617e336ee633811bfb040ba6186181ecd30e7e35f2623f32e0b7b0
SHA512: 7ddc38a5995ff6f06b0971fa71a2aee2d2251ccfe326efd01316c44d3253f68957f4652885910bbe1b926130854a3da414f08cef04cd46b5ab4c02143495d2dc

Filesize: 127B
MD5: 8ef9853d1881c5fe4d681bfb31282a01
SHA1: a05609065520e4b4e553784c566430ad9736f19f
SHA256: 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512: 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Filesize: 2.0MB
MD5: 5c9e996ee95437c15b8d312932e72529
SHA1: eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA256: 0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512: 935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Filesize: 398KB
MD5: 1d7955354884a9058e89bb8ea34415c9
SHA1: 62c046984afd51877ecadad1eca209fda74c8cb1
SHA256: 111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA512: 7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2