Overview

Tasks (score, sample, platform):
9  Static  (static)
9  tox tweaki...or.exe  windows11-21h2-x64
1  tox tweaki...or.exe  windows11-21h2-x64
1  tox tweaki...CK.exe  windows11-21h2-x64
9  tox tweaki...ew.exe  windows11-21h2-x64
6  tox tweaki...up.exe  windows11-21h2-x64
1  tox tweaki...8.appx  windows11-21h2-x64
1  Microsoft.UI.Xaml.dll  windows11-21h2-x64
1  Microsoft.UI.Xaml.dll  windows11-21h2-x64
1  tox tweaki...up.exe  windows11-21h2-x64
8  tox tweaki...LG.exe  windows11-21h2-x64
1  tox tweaki...el.exe  windows11-21h2-x64
1  tox tweaki...un.exe  windows11-21h2-x64
3  Export.bat  windows11-21h2-x64
1  Import.bat  windows11-21h2-x64
1  SCEWIN_64.exe  windows11-21h2-x64
1  amifldrv64.sys  windows11-21h2-x64
1  amigendrv64.sys  windows11-21h2-x64
1  tox tweaki...64.exe  windows11-21h2-x64
1  tox tweaki...CL.exe  windows11-21h2-x64
1  tox tweaki...64.exe  windows11-21h2-x64
7  tox tweaki...64.sys  windows11-21h2-x64
1  tox tweaki...64.sys  windows11-21h2-x64
1  tox tweaki...vc.exe  windows11-21h2-x64
1  CRU/CRU.exe  windows11-21h2-x64
3  CRU/reset-all.exe  windows11-21h2-x64
3  CRU/restart.exe  windows11-21h2-x64
5  CRU/restart64.exe  windows11-21h2-x64
5  tox tweaki...on.exe  windows11-21h2-x64
1  Export.bat  windows11-21h2-x64
3  tox tweaki...ll.exe  windows11-21h2-x64
7  tox tweaki...xp.exe  windows11-21h2-x64
8  tox tweaki...tr.exe  windows11-21h2-x64
Analysis
max time kernel: 149s
max time network: 96s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08/11/2024, 14:57
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: tox tweaking/Emu/KeyAuthEmulator.exe (win11-20241007-en)
behavioral2: tox tweaking/Emu/KeyAuthEmulator.exe (win11-20241007-en)
behavioral3: tox tweaking/ToX Premium UtilityCRACK.exe (win11-20241007-en)
behavioral4: tox tweaking/niggers/DevManView.exe (win11-20241007-en)
behavioral5: tox tweaking/niggers/DeviceCleanup.exe (win11-20241007-en)
behavioral6: tox tweaking/niggers/Microsoft-uiXAML2.8.appx (win11-20241023-en)
behavioral7: Microsoft.UI.Xaml.dll (win11-20241007-en)
behavioral8: Microsoft.UI.Xaml.dll (win11-20241007-en)
behavioral9: tox tweaking/niggers/MicrosoftEdgeSetup.exe (win11-20241007-en)
behavioral10: tox tweaking/niggers/NSudoLG.exe (win11-20241007-en)
behavioral11: tox tweaking/niggers/NVIDIA Control Panel.exe (win11-20241007-en)
behavioral12: tox tweaking/niggers/PowerRun.exe (win11-20241007-en)
behavioral13: Export.bat (win11-20241007-en)
behavioral14: Import.bat (win11-20241007-en)
behavioral15: SCEWIN_64.exe (win11-20241007-en)
behavioral16: amifldrv64.sys (win11-20241007-en)
behavioral17: amigendrv64.sys (win11-20241023-en)
behavioral18: tox tweaking/niggers/SCEWIN_64.exe (win11-20241007-en)
behavioral19: tox tweaking/niggers/SetACL.exe (win11-20241007-en)
behavioral20: tox tweaking/niggers/VC_redist.x64.exe (win11-20241007-en)
behavioral21: tox tweaking/niggers/amifldrv64.sys (win11-20241007-en)
behavioral22: tox tweaking/niggers/amigendrv64.sys (win11-20241007-en)
behavioral23: tox tweaking/niggers/bfsvc.exe (win11-20241023-en)
behavioral24: CRU/CRU.exe (win11-20241007-en)
behavioral25: CRU/reset-all.exe (win11-20241007-en)
behavioral26: CRU/restart.exe (win11-20241007-en)
behavioral27: CRU/restart64.exe (win11-20241007-en)
behavioral28: tox tweaking/niggers/devcon.exe (win11-20241007-en)
behavioral29: Export.bat (win11-20241007-en)
behavioral30: tox tweaking/niggers/openshell.exe (win11-20241007-en)
behavioral31: tox tweaking/niggers/procexp.exe (win11-20241007-en)
behavioral32: tox tweaking/niggers/str.exe (win11-20241007-en)
General
Target: CRU/restart64.exe
Size: 73KB
MD5: 297aa19bade534a791d053ca190b74ad
SHA1: 15cb6a33994f75fe9e30a2afbc8a7e4616b63962
SHA256: 5f779bb822aedaf5bd11693cdf73f6c7c3342f37371a78c07c2aca1e15dbfd00
SHA512: df883950c598f31b81f22a68b2a9fed7459dcad5084ec6e39399658b0492bcc458d9fc5bb80fda6bc994bed3241f969fc67a0b8e021fb82b040455d64776c625
SSDEEP: 1536:8vXMJl7uRupZzidl/T+Dnx86Rpy4roKsIrryeq3OTM:8vMJl6RAZu/T+7x8qpRM8rNcOTM
Malware Config
Signatures

Drops file in System32 directory (16 IoCs)
description | ioc | Process
- File created | C:\Windows\system32\perfh009.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc00A.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc010.dat | WMIADAP.EXE
- File opened for modification | C:\Windows\system32\PerfStringBackup.INI | WMIADAP.EXE
- File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | WMIADAP.EXE
- File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | WMIADAP.EXE
- File created | C:\Windows\system32\perfc00C.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh00C.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh010.dat | WMIADAP.EXE
- File created | C:\Windows\system32\PerfStringBackup.TMP | WMIADAP.EXE
- File created | C:\Windows\system32\perfc007.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh007.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc009.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh00A.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfc011.dat | WMIADAP.EXE
- File created | C:\Windows\system32\perfh011.dat | WMIADAP.EXE

Drops file in Windows directory (4 IoCs)
description | ioc | Process
- File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | WMIADAP.EXE
- File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | WMIADAP.EXE
- File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | WMIADAP.EXE
- File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | WMIADAP.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 5052 | restart64.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (51 IoCs)
description | pid | Process
- Token: SeLoadDriverPrivilege | 5052 | restart64.exe (49 identical entries)
- Token: 33 | 3268 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 3268 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (24 IoCs)
pid | Process
- 5052 | restart64.exe (24 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\CRU\restart64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CRU\restart64.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 5052

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004F4 0x00000000000004F8
  - Suspicious use of AdjustPrivilegeToken
  PID: 3268

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
  PID: 4712

C:\Windows\system32\wbem\WMIADAP.EXE
  command line: wmiadap.exe /R /T
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1048
Downloads

Filesize: 148KB
MD5: 6e71c59a539ba8c2d46c4c8f478edf8c
SHA1: 868558341297d83b247f8be13b375541eb58b886
SHA256: 4e4e1300a939cc5d58d0c6914410d5ad8eaf876571011fa1c6f0ce27bf59822d
SHA512: 1a86ab970d99430334ba14cc14d75cb902f267e9e15019afcb64400ec6e4335adae3687a5916ccfec5fd0c82c89bfeeac2aed0c6aad693f35e7326f8fb158f9e

Filesize: 153KB
MD5: 6c65a113c1d1dcbc5f7603db0134dcb7
SHA1: 1eb93cc7aeb12860b63129a69b812b694748a816
SHA256: 53d617778c1ba174c22b47fd2d84035aa28c58bdcab6c3f3224f3777d1d8e7ee
SHA512: 67c438c141f7d6509db1d0bb17b312b66be8947a623580cc49fcb3000f7e402dda856ab1d422a68bbb25392d00902fef2bd31ce9cc491769205cdd7b31edf605

Filesize: 147KB
MD5: ae40b57742832ddaf4efe6bee70ecb10
SHA1: ebc87ac614bdf44249300e73018686da5c31d7e3
SHA256: af503f9b58bc5975fc609c95c2edad09adb32c5633859516350546031e05b0ca
SHA512: 6c875bfabbe94359fe36eb144a5a9828d6c9d20c5999149df0aaacc4c9be748b5b6bab4639c7ef9d7bb4886073771d7b73ea1190dac61b5220c5f852ef101e3c

Filesize: 142KB
MD5: 031bea42e7e7973aa6c0d637dce03edf
SHA1: 293a7334cc55a4983a8d9b921393131463e06b7d
SHA256: 1ffa15a5a579c6ce01140ce98a262db26735f5a1d3c1468c7000681d8486b91a
SHA512: d34d8400ba12461d154b50d8246a99fe9ea403160bb977a5612e8fbfbcd9636ee641e187d9a899208f7f43c60d7c6292c5fdbf7b0f61d8f5aa0339fb18dfd920

Filesize: 126KB
MD5: 5afbd30597a275ad6d5e98187742c01b
SHA1: 4e9a82a388532a0fcb3671047504384e040b48a1
SHA256: 26ee1d72642d1d79b307581e6027a259696d5e3299d9d6685153a68b8c58b61b
SHA512: 6d2514d6a12809a7db4901b586b57e03b6e5b0cc4ecd1baeb4f5188ca033773f7ca077fa8e8beadcf82724fd16d9136c0fc252a0163b71a0ff0eae3363f2c0cf

Filesize: 724KB
MD5: 3bd8043ff69087c78cf81f0aa082664f
SHA1: c669871201f05f6153dfa3f6a78d4609d818568e
SHA256: d1b8be34dfdff53435bcd3f176f7aa9f17aa8f1145c42edee1ed1eec9faf02b2
SHA512: a51d2bb5641aaff1ab091a1c331b6e515bb333d2dfa9f09662d35b2315e6fbd14932102167075cd8bdacf7c8f57fe7313f7b1639090070851c2ecf7662384d6d

Filesize: 686KB
MD5: efeeda97e31eb12669293d78feaff451
SHA1: f3680730a9ed165f49be4a2b1be8477196f15afb
SHA256: a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834
SHA512: 452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

Filesize: 783KB
MD5: ef8cce0162906b208cff1441fe71f927
SHA1: 7a3f2d0dcb39698a6ec9190ea69f2ea01d76935e
SHA256: ba9df27d32c3fa43d6840146e28e5266908124efde25a4bf459d908c232a88a7
SHA512: 35b3dbb9f5cd8b30aa0a26fdb29c562ae65ab9823ba477f082960a19d354a68729008e3c0cfce2f8cce66f6f5bab9fed7d6cbe62628c7a751bc4770a4560f5e8

Filesize: 785KB
MD5: f5fd5898bda4a68842ec6c6a9088adec
SHA1: f974a58b258b438e79eb4bea3ae54a91f516a10a
SHA256: e962a408ff9a789b92bc1429637cb30e00fc47bfa3b06a7fd7b22646e1f5b872
SHA512: 932e551597139b85b4faecfa9156e7e98d33b5dad4bd6f4c40504ced7b032c8fed223b81f056654a75c66a8326c51b28fef102ad55d5b224722f90c778b6ed98

Filesize: 772KB
MD5: a583c28c05f94a635bd67fee2d905a27
SHA1: a4af858c69297cb8a59cade7da6e5a36b43e7548
SHA256: c70b892d93e93c37c826ba97459e8fb724e6c5cf6dc2288613430fc59c0c1eb0
SHA512: 06626f291b69e044e8e44fa46576c0287e4df434cd07b0bdb1b162fed25ddef652e5ad8d08d984f2d7d4c027c8ee032eef485f7269f0a83e11c1fa61f80a5d67

Filesize: 468KB
MD5: 33cbb4d0e471fd527da2ded235fe9636
SHA1: aa9d9b062511eb38a1faf9a740f8fb709b02a7dd
SHA256: 73174de99ccd45c2a8d818742ed313a55321186162005c0f2567e162954943a5
SHA512: a4c17182347bc3c5cce76562f26b27ac62e84c8589dd91d2840a452b6c593656f3d3a2fd5b7f207f32be0f5a0494bc44987fb70e6e8f3a756a0703df20baa93f

Filesize: 3KB
MD5: b133a676d139032a27de3d9619e70091
SHA1: 1248aa89938a13640252a79113930ede2f26f1fa
SHA256: ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512: c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Filesize: 29KB
MD5: ffdeea82ba4a5a65585103dd2a922dfe
SHA1: 094c3794503245cc7dfa9e222d3504f449a5400b
SHA256: c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA512: 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a