Analysis Overview
SHA256
85a7b4ed3f550ab6acea6d3daa78389926d90d99abc6b74ea3556a43907b5866
Threat Level: Known bad
The file Loader.exe was found to be: Known bad.
Malicious Activity Summary
Cerber
UAC bypass
AgentTesla
AgentTesla payload
Stops running service(s)
Downloads MZ/PE file
Sets service image path in registry
Executes dropped EXE
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Kills process with taskkill
Runs net.exe
Enumerates system info in registry
Opens file in notepad (likely ransom note)
Analysis: static1
Detonation Overview
Reported
2024-07-03 11:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-03 11:11
Reported
2024-07-03 11:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1828 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1828 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1828 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4956 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4956 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4956 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1168 wrote to memory of 3620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1168 wrote to memory of 3620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1168 wrote to memory of 3620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
C:\Windows\SysWOW64\cmd.exe
cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-03 11:11
Reported
2024-07-03 11:14
Platform
win11-20240419-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AgentTesla
Cerber
| Description | Indicator | Process | Target |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Windows\Fonts\AMIDEWINx64.EXE | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OcylIfBNoAMAxSFUVe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\OcylIfBNoAMAxSFUVe" | C:\Windows\Globalization\Time Zone\niggerdick.exe | N/A |
Stops running service(s)
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\amigendrv64.sys | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Globalization\Time Zone\niggercum.sys | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Fonts\amifldrv64.sys | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Globalization\Time Zone\niggerdick.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\IME\Volumeid.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Globalization\Time Zone\winxsrcsv64.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Fonts\AMIDEWINx64.EXE | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File opened for modification | C:\Windows\Globalization\Time Zone\APBSHQBALEAKED_Log.txt | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Fonts\AMIDEWINx64.EXE | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File opened for modification | C:\Windows\Fonts\amigendrv64.sys | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File opened for modification | C:\Windows\Fonts\amifldrv64.sys | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Globalization\Time Zone\winxsrcsv64.sys | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| File created | C:\Windows\Fonts\AUSS.bat | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Globalization\Time Zone\niggerdick.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SU AUTO
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /BS INAESL1LSGG26XYR
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /CS INAESL1LSGG26XYR
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SS INAESL1LSGG26XYR
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SM "System manufacturer"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SP "System Product Name"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SV "System Version"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SK "SKU"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /BT "Default string"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /BLC "Default string"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /CM "Default string"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /CV "Default string"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /CA "Default string"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /CSK "Default string"
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /SF "To be filled by O.E.M."
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
"winxsrcsv64.exe" /PSN INAESL1LSGG26XYR
C:\Windows\SysWOW64\net.exe
"net" stop winmgmt /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\SysWOW64\net.exe
"net" start winmgmt /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start winmgmt /y
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\SysWOW64\sc.exe
"sc" stop winmgmt
C:\Windows\SysWOW64\sc.exe
"sc" start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /tn "AsusRuntime" /tr "C:\Windows\Fonts\AUSS.bat" /sc ONLOGON /f /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "AsusRuntime" /tr "C:\Windows\Fonts\AUSS.bat" /sc ONLOGON /f /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im epicgameslauncher.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteLauncher.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe query "HKU\S-1-5-19\Environment"
C:\Windows\SysWOW64\reg.exe
Reg.exe query "HKU\S-1-5-19\Environment"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f >> APBSHQBALEAKED_Log.txt
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
C:\Windows\Globalization\Time Zone\niggerdick.exe
"C:\Windows\Globalization\Time Zone\niggerdick.exe" "C:\Windows\Globalization\Time Zone\niggercum.sys"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassCPUCheck" /t REG_DWORD /d "1" /f
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "TW6ST3TO2HV88FSQ"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "D539NQI3JV3A3PE3"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "KYGXJQ5XFP2B1EDT"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "44W9C5AOPIJ8TXW4"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "DFCMXV756URAKIRI"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "MVHY5WJBBMUILN49"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "GWIMYIDZ2B5T6RVX"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "KYNVBVG7OZ51GQ5U"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "XWEGELK32I6OTXG8"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "JOA9W7Q3923AGZL2"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "JZ4H2IALH2WDMLRT"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "7BWH6MQ1JWJWVZ4Y"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "RJQYY3N2LAXBKTJ3"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "MXNVH6A81EQENVIK"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "3VV5O1QQVDO52P7Q"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "2K3A3WY5Q8ILML5J"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "6POHG3RZD5X93ICQ"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "9IH763EK4EQ4JI7J"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "YW7H347OHJ5XXUII"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "F1UQGOBSMVM9INN3"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "X2BD5LYX35SB7C2G"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "I9GQ2JY5LG8NKWDA"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" C: "YZZNV6ZX39B47TKE"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" D: "AL5LAT88YXCC79RY"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" F: "S96GZV6K7GEU6BUJ"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" G: "NXVNMUCBA19A4S4C"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" H: "VH6BBBM6BW3AA9QQ"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" A: "UGEAQ1OOEGWL7XBJ"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" E: "XPBDWMHQOL1IB4V3"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" J: "MOYMYTUV1WWWE6CY"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" K: "NS3LF1H923PTOQO3"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" X: "NJAN7PK6PHC61BU4"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" M: "2PQTWP336RADZ9R4"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" N: "S4SPOB8CCEVFXXXE"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" R: "138IK33ROJGM3I9K"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" Q: "3V45XFQ6CYLA32OR"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop winmgmt /y
C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net start winmgmt /y
C:\Windows\SysWOW64\net.exe
net start winmgmt /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start winmgmt /y
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop winmgmt
C:\Windows\SysWOW64\sc.exe
sc stop winmgmt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| RU | 176.58.48.48:80 | zerocdn.com | tcp |
| RU | 176.58.48.48:443 | zerocdn.com | tcp |
| US | 8.8.8.8:53 | yttrium.zerocdn.com | udp |
| RU | 176.58.39.67:443 | yttrium.zerocdn.com | tcp |
| RU | 176.58.50.155:443 | paradox.zerocdn.com | tcp |
| RU | 176.58.50.75:443 | cometa.zerocdn.com | tcp |
| RU | 176.58.41.115:443 | milanium.zerocdn.com | tcp |
| RU | 176.58.38.163:443 | pe.zerocdn.com | tcp |
| RU | 176.58.50.203:443 | pixel.zerocdn.com | tcp |
| RU | 176.58.42.3:443 | mutantium.zerocdn.com | tcp |
Files
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
| MD5 | 91a31f23f3e50bd0a722e605687aed1e |
| SHA1 | f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4 |
| SHA256 | 818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8 |
| SHA512 | 649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0 |
C:\Windows\Globalization\Time Zone\niggerdick.exe
| MD5 | be299ca6df078683aae62b5a8c513005 |
| SHA1 | c130fa8ce7fdf265b290d7eb804419269953920f |
| SHA256 | bfe31b5262ce7b1f5dbd22c4cd50ea01f9da56b6444d30c82386c38f4b3baab5 |
| SHA512 | 417a62c7b179646b751540dac8385cbade13d04834ead040077fb474c412bce5dbb33b94b596e4de2464119b85d1ee0bb65fc30b0b13052b9073970188b0002b |
C:\Windows\Fonts\AMIDEWINx64.EXE
| MD5 | 64ae4aa4904d3b259dda8cc53769064f |
| SHA1 | 24be8fb54afd8182652819b9a307b6f66f3fc58d |
| SHA256 | 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4 |
| SHA512 | 6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16 |
C:\Windows\IME\Volumeid.exe
| MD5 | 4d867033b27c8a603de4885b449c4923 |
| SHA1 | f1ace1a241bab6efb3c7059a68b6e9bbe258da83 |
| SHA256 | 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3 |
| SHA512 | b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702 |