agenttesla | 85a7b4ed3f550ab6acea6d3daa78389926d90d99abc6b74ea3556a43907b5866

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

1.8MB
MD5

af942eb89801ce13916b5eecbd060bba
SHA1

65e0d7c0c134cd2b295ea6c123c064cf86f5321e
SHA256

85a7b4ed3f550ab6acea6d3daa78389926d90d99abc6b74ea3556a43907b5866
SHA512

7da265793fe4b35c261a8a00238ad91cecd8d4a07303e06893cb3516c7e7f6156b5898d0db0576adfce23deb001d22c45bdf5885e5a0b239e558aba8a5ccbdfa
SSDEEP

24576:xITMvRFhRRbNWoCfkYSEH3OqtwIuXFJeRqR21rDTfQPvQr:xITYbNbNWo4kSH3OqtwIq+qR21rDH

Score

10^/10

agenttesla cerber evasion execution keylogger persistence ransomware spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cerber 39 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	winxsrcsv64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/5100-7-0x0000000005B00000-0x0000000005D14000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OcylIfBNoAMAxSFUVe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\OcylIfBNoAMAxSFUVe"	niggerdick.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 54 IoCs

pid	Process
4800	winxsrcsv64.exe
1056	winxsrcsv64.exe
2592	winxsrcsv64.exe
4428	winxsrcsv64.exe
5036	winxsrcsv64.exe
2856	winxsrcsv64.exe
3020	winxsrcsv64.exe
1468	winxsrcsv64.exe
3268	winxsrcsv64.exe
3468	winxsrcsv64.exe
3592	winxsrcsv64.exe
2108	winxsrcsv64.exe
3304	winxsrcsv64.exe
3868	winxsrcsv64.exe
3064	winxsrcsv64.exe
4784	winxsrcsv64.exe
2456	niggerdick.exe
1372	AMIDEWINx64.EXE
5064	AMIDEWINx64.EXE
4788	AMIDEWINx64.EXE
2000	AMIDEWINx64.EXE
1816	AMIDEWINx64.EXE
3972	AMIDEWINx64.EXE
2332	AMIDEWINx64.EXE
4936	AMIDEWINx64.EXE
1244	AMIDEWINx64.EXE
796	AMIDEWINx64.EXE
1728	AMIDEWINx64.EXE
3048	AMIDEWINx64.EXE
1444	AMIDEWINx64.EXE
1660	AMIDEWINx64.EXE
900	AMIDEWINx64.EXE
4644	AMIDEWINx64.EXE
4832	AMIDEWINx64.EXE
4300	AMIDEWINx64.EXE
3240	AMIDEWINx64.EXE
1008	AMIDEWINx64.EXE
4440	AMIDEWINx64.EXE
240	AMIDEWINx64.EXE
1004	AMIDEWINx64.EXE
1772	Volumeid.exe
3112	Volumeid.exe
2104	Volumeid.exe
3304	Volumeid.exe
4336	Volumeid.exe
1600	Volumeid.exe
3080	Volumeid.exe
4884	Volumeid.exe
4872	Volumeid.exe
396	Volumeid.exe
5084	Volumeid.exe
3616	Volumeid.exe
1576	Volumeid.exe
2860	Volumeid.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\amigendrv64.sys	Loader.exe
File created	C:\Windows\Globalization\Time Zone\niggercum.sys	Loader.exe
File created	C:\Windows\Fonts\amifldrv64.sys	Loader.exe
File created	C:\Windows\Globalization\Time Zone\niggerdick.exe	Loader.exe
File created	C:\Windows\IME\Volumeid.exe	Loader.exe
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.exe	Loader.exe
File created	C:\Windows\Fonts\AMIDEWINx64.EXE	Loader.exe
File opened for modification	C:\Windows\Globalization\Time Zone\APBSHQBALEAKED_Log.txt	cmd.exe
File opened for modification	C:\Windows\Fonts\AMIDEWINx64.EXE	Loader.exe
File opened for modification	C:\Windows\Fonts\amigendrv64.sys	Loader.exe
File opened for modification	C:\Windows\Fonts\amifldrv64.sys	Loader.exe
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.sys	Loader.exe
File created	C:\Windows\Fonts\AUSS.bat	Loader.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4892	sc.exe
652	sc.exe
1876	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Loader.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3968	taskkill.exe
2328	taskkill.exe
2504	taskkill.exe
3776	taskkill.exe
404	taskkill.exe
3532	taskkill.exe
1916	taskkill.exe
4188	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3368	NOTEPAD.EXE

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5100	Loader.exe
5100	Loader.exe

Suspicious behavior: LoadsDriver 40 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
2456	niggerdick.exe
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	Loader.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	4900	svchost.exe
Token: SeIncreaseQuotaPrivilege	4900	svchost.exe
Token: SeSecurityPrivilege	4900	svchost.exe
Token: SeTakeOwnershipPrivilege	4900	svchost.exe
Token: SeLoadDriverPrivilege	4900	svchost.exe
Token: SeSystemtimePrivilege	4900	svchost.exe
Token: SeBackupPrivilege	4900	svchost.exe
Token: SeRestorePrivilege	4900	svchost.exe
Token: SeShutdownPrivilege	4900	svchost.exe
Token: SeSystemEnvironmentPrivilege	4900	svchost.exe
Token: SeUndockPrivilege	4900	svchost.exe
Token: SeManageVolumePrivilege	4900	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4900	svchost.exe
Token: SeIncreaseQuotaPrivilege	4900	svchost.exe
Token: SeSecurityPrivilege	4900	svchost.exe
Token: SeTakeOwnershipPrivilege	4900	svchost.exe
Token: SeLoadDriverPrivilege	4900	svchost.exe
Token: SeSystemtimePrivilege	4900	svchost.exe
Token: SeBackupPrivilege	4900	svchost.exe
Token: SeRestorePrivilege	4900	svchost.exe
Token: SeShutdownPrivilege	4900	svchost.exe
Token: SeSystemEnvironmentPrivilege	4900	svchost.exe
Token: SeUndockPrivilege	4900	svchost.exe
Token: SeManageVolumePrivilege	4900	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4900	svchost.exe
Token: SeIncreaseQuotaPrivilege	4900	svchost.exe
Token: SeSecurityPrivilege	4900	svchost.exe
Token: SeTakeOwnershipPrivilege	4900	svchost.exe
Token: SeLoadDriverPrivilege	4900	svchost.exe
Token: SeSystemtimePrivilege	4900	svchost.exe
Token: SeBackupPrivilege	4900	svchost.exe
Token: SeRestorePrivilege	4900	svchost.exe
Token: SeShutdownPrivilege	4900	svchost.exe
Token: SeSystemEnvironmentPrivilege	4900	svchost.exe
Token: SeUndockPrivilege	4900	svchost.exe
Token: SeManageVolumePrivilege	4900	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4900	svchost.exe
Token: SeIncreaseQuotaPrivilege	4900	svchost.exe
Token: SeSecurityPrivilege	4900	svchost.exe
Token: SeTakeOwnershipPrivilege	4900	svchost.exe
Token: SeLoadDriverPrivilege	4900	svchost.exe
Token: SeSystemtimePrivilege	4900	svchost.exe
Token: SeBackupPrivilege	4900	svchost.exe
Token: SeRestorePrivilege	4900	svchost.exe
Token: SeShutdownPrivilege	4900	svchost.exe
Token: SeSystemEnvironmentPrivilege	4900	svchost.exe
Token: SeUndockPrivilege	4900	svchost.exe
Token: SeManageVolumePrivilege	4900	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4900	svchost.exe
Token: SeIncreaseQuotaPrivilege	4900	svchost.exe
Token: SeSecurityPrivilege	4900	svchost.exe
Token: SeTakeOwnershipPrivilege	4900	svchost.exe
Token: SeLoadDriverPrivilege	4900	svchost.exe
Token: SeSystemtimePrivilege	4900	svchost.exe
Token: SeBackupPrivilege	4900	svchost.exe
Token: SeRestorePrivilege	4900	svchost.exe
Token: SeShutdownPrivilege	4900	svchost.exe
Token: SeSystemEnvironmentPrivilege	4900	svchost.exe
Token: SeUndockPrivilege	4900	svchost.exe
Token: SeManageVolumePrivilege	4900	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4900	svchost.exe
Token: SeIncreaseQuotaPrivilege	4900	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4800	5100	Loader.exe	77
PID 5100 wrote to memory of 4800	5100	Loader.exe	77
PID 5100 wrote to memory of 1056	5100	Loader.exe	79
PID 5100 wrote to memory of 1056	5100	Loader.exe	79
PID 5100 wrote to memory of 2592	5100	Loader.exe	81
PID 5100 wrote to memory of 2592	5100	Loader.exe	81
PID 5100 wrote to memory of 4428	5100	Loader.exe	83
PID 5100 wrote to memory of 4428	5100	Loader.exe	83
PID 5100 wrote to memory of 5036	5100	Loader.exe	85
PID 5100 wrote to memory of 5036	5100	Loader.exe	85
PID 5100 wrote to memory of 2856	5100	Loader.exe	87
PID 5100 wrote to memory of 2856	5100	Loader.exe	87
PID 5100 wrote to memory of 3020	5100	Loader.exe	89
PID 5100 wrote to memory of 3020	5100	Loader.exe	89
PID 5100 wrote to memory of 1468	5100	Loader.exe	91
PID 5100 wrote to memory of 1468	5100	Loader.exe	91
PID 5100 wrote to memory of 3268	5100	Loader.exe	93
PID 5100 wrote to memory of 3268	5100	Loader.exe	93
PID 5100 wrote to memory of 3468	5100	Loader.exe	95
PID 5100 wrote to memory of 3468	5100	Loader.exe	95
PID 5100 wrote to memory of 3592	5100	Loader.exe	97
PID 5100 wrote to memory of 3592	5100	Loader.exe	97
PID 5100 wrote to memory of 2108	5100	Loader.exe	99
PID 5100 wrote to memory of 2108	5100	Loader.exe	99
PID 5100 wrote to memory of 3304	5100	Loader.exe	101
PID 5100 wrote to memory of 3304	5100	Loader.exe	101
PID 5100 wrote to memory of 3868	5100	Loader.exe	103
PID 5100 wrote to memory of 3868	5100	Loader.exe	103
PID 5100 wrote to memory of 3064	5100	Loader.exe	105
PID 5100 wrote to memory of 3064	5100	Loader.exe	105
PID 5100 wrote to memory of 4784	5100	Loader.exe	107
PID 5100 wrote to memory of 4784	5100	Loader.exe	107
PID 5100 wrote to memory of 3112	5100	Loader.exe	109
PID 5100 wrote to memory of 3112	5100	Loader.exe	109
PID 5100 wrote to memory of 3112	5100	Loader.exe	109
PID 3112 wrote to memory of 4964	3112	net.exe	111
PID 3112 wrote to memory of 4964	3112	net.exe	111
PID 3112 wrote to memory of 4964	3112	net.exe	111
PID 5100 wrote to memory of 4676	5100	Loader.exe	112
PID 5100 wrote to memory of 4676	5100	Loader.exe	112
PID 5100 wrote to memory of 4676	5100	Loader.exe	112
PID 4676 wrote to memory of 3552	4676	net.exe	114
PID 4676 wrote to memory of 3552	4676	net.exe	114
PID 4676 wrote to memory of 3552	4676	net.exe	114
PID 5100 wrote to memory of 652	5100	Loader.exe	116
PID 5100 wrote to memory of 652	5100	Loader.exe	116
PID 5100 wrote to memory of 652	5100	Loader.exe	116
PID 5100 wrote to memory of 1876	5100	Loader.exe	118
PID 5100 wrote to memory of 1876	5100	Loader.exe	118
PID 5100 wrote to memory of 1876	5100	Loader.exe	118
PID 5100 wrote to memory of 1208	5100	Loader.exe	121
PID 5100 wrote to memory of 1208	5100	Loader.exe	121
PID 5100 wrote to memory of 1208	5100	Loader.exe	121
PID 1208 wrote to memory of 1612	1208	cmd.exe	123
PID 1208 wrote to memory of 1612	1208	cmd.exe	123
PID 1208 wrote to memory of 1612	1208	cmd.exe	123
PID 5100 wrote to memory of 4948	5100	Loader.exe	124
PID 5100 wrote to memory of 4948	5100	Loader.exe	124
PID 5100 wrote to memory of 4948	5100	Loader.exe	124
PID 4948 wrote to memory of 2504	4948	cmd.exe	126
PID 4948 wrote to memory of 2504	4948	cmd.exe	126
PID 4948 wrote to memory of 2504	4948	cmd.exe	126
PID 5100 wrote to memory of 2596	5100	Loader.exe	128
PID 5100 wrote to memory of 2596	5100	Loader.exe	128

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SU AUTO
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4800
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BS INAESL1LSGG26XYR
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1056
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CS INAESL1LSGG26XYR
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2592
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SS INAESL1LSGG26XYR
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4428
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SM "System manufacturer"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5036
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SP "System Product Name"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2856
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SV "System Version"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3020
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SK "SKU"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1468
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BT "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3268
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BLC "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3468
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CM "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3592
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CV "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2108
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CA "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3304
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CSK "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3868
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SF "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3064
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /PSN INAESL1LSGG26XYR
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4784
- C:\Windows\SysWOW64\net.exe
  "net" stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:4964
- C:\Windows\SysWOW64\net.exe
  "net" start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:3552
- C:\Windows\SysWOW64\sc.exe
  "sc" stop winmgmt
  2⤵
  - Launches sc.exe
  PID:652
- C:\Windows\SysWOW64\sc.exe
  "sc" start winmgmt
  2⤵
  - Launches sc.exe
  PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn "AsusRuntime" /tr "C:\Windows\Fonts\AUSS.bat" /sc ONLOGON /f /RL HIGHEST
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "AsusRuntime" /tr "C:\Windows\Fonts\AUSS.bat" /sc ONLOGON /f /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im epicgameslauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteLauncher.exe
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:4300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:4492
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:228
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe query "HKU\S-1-5-19\Environment"
    3⤵
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f >> APBSHQBALEAKED_Log.txt
  2⤵
  - Drops file in Windows directory
  PID:992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:2524
- C:\Windows\Globalization\Time Zone\niggerdick.exe
  "C:\Windows\Globalization\Time Zone\niggerdick.exe" "C:\Windows\Globalization\Time Zone\niggercum.sys"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
    3⤵
    PID:3176
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "TW6ST3TO2HV88FSQ"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1372
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "D539NQI3JV3A3PE3"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5064
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "KYGXJQ5XFP2B1EDT"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4788
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "44W9C5AOPIJ8TXW4"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2000
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1816
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "DFCMXV756URAKIRI"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3972
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "MVHY5WJBBMUILN49"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2332
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "GWIMYIDZ2B5T6RVX"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4936
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "KYNVBVG7OZ51GQ5U"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1244
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "XWEGELK32I6OTXG8"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:796
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "JOA9W7Q3923AGZL2"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1728
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "JZ4H2IALH2WDMLRT"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3048
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "7BWH6MQ1JWJWVZ4Y"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1444
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "RJQYY3N2LAXBKTJ3"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1660
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "MXNVH6A81EQENVIK"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:900
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "3VV5O1QQVDO52P7Q"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4644
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "2K3A3WY5Q8ILML5J"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4832
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "6POHG3RZD5X93ICQ"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4300
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "9IH763EK4EQ4JI7J"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3240
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "YW7H347OHJ5XXUII"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1008
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "F1UQGOBSMVM9INN3"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4440
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "X2BD5LYX35SB7C2G"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:240
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "I9GQ2JY5LG8NKWDA"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1004
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" C: "YZZNV6ZX39B47TKE"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" D: "AL5LAT88YXCC79RY"
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" F: "S96GZV6K7GEU6BUJ"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" G: "NXVNMUCBA19A4S4C"
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" H: "VH6BBBM6BW3AA9QQ"
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" A: "UGEAQ1OOEGWL7XBJ"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" E: "XPBDWMHQOL1IB4V3"
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" J: "MOYMYTUV1WWWE6CY"
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" K: "NS3LF1H923PTOQO3"
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" X: "NJAN7PK6PHC61BU4"
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" M: "2PQTWP336RADZ9R4"
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" N: "S4SPOB8CCEVFXXXE"
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" R: "138IK33ROJGM3I9K"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" Q: "3V45XFQ6CYLA32OR"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop winmgmt /y
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start winmgmt /y
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:3148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop winmgmt
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Windows\Globalization\Time Zone\niggerdick.exe

Filesize
142KB

MD5
be299ca6df078683aae62b5a8c513005

SHA1
c130fa8ce7fdf265b290d7eb804419269953920f

SHA256
bfe31b5262ce7b1f5dbd22c4cd50ea01f9da56b6444d30c82386c38f4b3baab5

SHA512
417a62c7b179646b751540dac8385cbade13d04834ead040077fb474c412bce5dbb33b94b596e4de2464119b85d1ee0bb65fc30b0b13052b9073970188b0002b

Download Submit
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe

Filesize
379KB

MD5
91a31f23f3e50bd0a722e605687aed1e

SHA1
f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

SHA256
818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

SHA512
649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

Download Submit
C:\Windows\IME\Volumeid.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
memory/5100-8-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/5100-5-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/5100-6-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/5100-7-0x0000000005B00000-0x0000000005D14000-memory.dmp

Filesize
2.1MB

Download
memory/5100-0-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/5100-9-0x00000000092F0000-0x000000000932C000-memory.dmp

Filesize
240KB

Download
memory/5100-10-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/5100-11-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/5100-16-0x00000000015F0000-0x0000000001656000-memory.dmp

Filesize
408KB

Download
memory/5100-4-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/5100-3-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/5100-2-0x0000000005D40000-0x00000000062E6000-memory.dmp

Filesize
5.6MB

Download
memory/5100-1-0x0000000000A80000-0x0000000000C5C000-memory.dmp

Filesize
1.9MB

Download