eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/AjarSys.exe
Size

5.8MB
MD5

0816a1e816f9737a1fd3eaa7493aa075
SHA1

682405e63e3cfa28f955ea4eee2890b93fa6414d
SHA256

418f6ff813bbbbe5344b9f8fea28948259bcfd28d424f1354289f5071c85d6ca
SHA512

640000c30a3c1e8d05bc5383daa405303596b8694e11a17a04a77e3cf0688a887f35a7f8d38ffea89e8a3ba6e36e63c4b39285b83bfffa55e9fab5cc595484a8
SSDEEP

98304:wYOgp0AsZKigPWKQ/HVRBH9vYewem9lTTdxlN7/c3DgPY9rT6Bl1tF:wYL0rtC3Q/pdePbH7/0DIYNT6LbF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

AjarSystem.exeASLib.exeOpenAll.exeSound.exered.exeerror.exeNoise.exediskdestroyer.exe

pid process

1752 AjarSystem.exe
1632 ASLib.exe
1972 OpenAll.exe
1700 Sound.exe
2008 red.exe
512 error.exe
1264 Noise.exe
1868 diskdestroyer.exe

pid	process
1752	AjarSystem.exe
1632	ASLib.exe
1972	OpenAll.exe
1700	Sound.exe
2008	red.exe
512	error.exe
1264	Noise.exe
1868	diskdestroyer.exe

Loads dropped DLL 16 IoCs

Processes:

AjarSys.exeASLib.exeOpenAll.exe

pid	process
924	AjarSys.exe
924	AjarSys.exe
924	AjarSys.exe
1632	ASLib.exe
1632	ASLib.exe
1632	ASLib.exe
1632	ASLib.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe
1972	OpenAll.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

mountvol.exemountvol.exe

description ioc process

File opened (read-only) \??\A: mountvol.exe
File opened (read-only) \??\B: mountvol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

ASLib.exe

pid process

1632 ASLib.exe

description	ioc	process
File opened (read-only)	\??\A:	mountvol.exe
File opened (read-only)	\??\B:	mountvol.exe

pid	process
1632	ASLib.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	916	AUDIODG.EXE
Token: 33	916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	916	AUDIODG.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

AjarSys.exeAjarSystem.execmd.exeASLib.exeOpenAll.exediskdestroyer.execmd.exe

description	pid	process	target process
PID 924 wrote to memory of 1752	924	AjarSys.exe	AjarSystem.exe
PID 924 wrote to memory of 1752	924	AjarSys.exe	AjarSystem.exe
PID 924 wrote to memory of 1752	924	AjarSys.exe	AjarSystem.exe
PID 924 wrote to memory of 1752	924	AjarSys.exe	AjarSystem.exe
PID 1752 wrote to memory of 1360	1752	AjarSystem.exe	cmd.exe
PID 1752 wrote to memory of 1360	1752	AjarSystem.exe	cmd.exe
PID 1752 wrote to memory of 1360	1752	AjarSystem.exe	cmd.exe
PID 1752 wrote to memory of 1360	1752	AjarSystem.exe	cmd.exe
PID 1360 wrote to memory of 1632	1360	cmd.exe	ASLib.exe
PID 1360 wrote to memory of 1632	1360	cmd.exe	ASLib.exe
PID 1360 wrote to memory of 1632	1360	cmd.exe	ASLib.exe
PID 1360 wrote to memory of 1632	1360	cmd.exe	ASLib.exe
PID 1632 wrote to memory of 1972	1632	ASLib.exe	OpenAll.exe
PID 1632 wrote to memory of 1972	1632	ASLib.exe	OpenAll.exe
PID 1632 wrote to memory of 1972	1632	ASLib.exe	OpenAll.exe
PID 1632 wrote to memory of 1972	1632	ASLib.exe	OpenAll.exe
PID 1972 wrote to memory of 1700	1972	OpenAll.exe	Sound.exe
PID 1972 wrote to memory of 1700	1972	OpenAll.exe	Sound.exe
PID 1972 wrote to memory of 1700	1972	OpenAll.exe	Sound.exe
PID 1972 wrote to memory of 1700	1972	OpenAll.exe	Sound.exe
PID 1972 wrote to memory of 2008	1972	OpenAll.exe	red.exe
PID 1972 wrote to memory of 2008	1972	OpenAll.exe	red.exe
PID 1972 wrote to memory of 2008	1972	OpenAll.exe	red.exe
PID 1972 wrote to memory of 2008	1972	OpenAll.exe	red.exe
PID 1972 wrote to memory of 512	1972	OpenAll.exe	error.exe
PID 1972 wrote to memory of 512	1972	OpenAll.exe	error.exe
PID 1972 wrote to memory of 512	1972	OpenAll.exe	error.exe
PID 1972 wrote to memory of 512	1972	OpenAll.exe	error.exe
PID 1972 wrote to memory of 1264	1972	OpenAll.exe	Noise.exe
PID 1972 wrote to memory of 1264	1972	OpenAll.exe	Noise.exe
PID 1972 wrote to memory of 1264	1972	OpenAll.exe	Noise.exe
PID 1972 wrote to memory of 1264	1972	OpenAll.exe	Noise.exe
PID 1972 wrote to memory of 1868	1972	OpenAll.exe	diskdestroyer.exe
PID 1972 wrote to memory of 1868	1972	OpenAll.exe	diskdestroyer.exe
PID 1972 wrote to memory of 1868	1972	OpenAll.exe	diskdestroyer.exe
PID 1972 wrote to memory of 1868	1972	OpenAll.exe	diskdestroyer.exe
PID 1868 wrote to memory of 896	1868	diskdestroyer.exe	cmd.exe
PID 1868 wrote to memory of 896	1868	diskdestroyer.exe	cmd.exe
PID 1868 wrote to memory of 896	1868	diskdestroyer.exe	cmd.exe
PID 1868 wrote to memory of 896	1868	diskdestroyer.exe	cmd.exe
PID 896 wrote to memory of 1112	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1112	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1112	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1304	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1304	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1304	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1292	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1292	896	cmd.exe	mountvol.exe
PID 896 wrote to memory of 1292	896	cmd.exe	mountvol.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\AjarSys.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\AjarSys.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F133.tmp\F134.tmp\F135.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ASLib.exe
      ASLib.exe -p@$L1b -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\OpenAll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OpenAll.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\Sound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sound.exe"
        6⤵
        Executes dropped EXE
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\red.exe
        
        "C:\Users\Admin\AppData\Local\Temp\red.exe"
        6⤵
        Executes dropped EXE
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\error.exe
        
        "C:\Users\Admin\AppData\Local\Temp\error.exe"
        6⤵
        Executes dropped EXE
        
        PID:512
      - C:\Users\Admin\AppData\Local\Temp\Noise.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Noise.exe"
        6⤵
        Executes dropped EXE
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\diskdestroyer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\diskdestroyer.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D8.tmp\8D9.tmp\8DA.bat C:\Users\Admin\AppData\Local\Temp\diskdestroyer.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\system32\mountvol.exe
        
        mountvol A:\ /D
        8⤵
        Enumerates connected drives
        
        PID:1112
        
        C:\Windows\system32\mountvol.exe
        
        mountvol B:\ /D
        8⤵
        Enumerates connected drives
        
        PID:1304
        
        C:\Windows\system32\mountvol.exe
        
        mountvol C:\ /D
        8⤵
        
        PID:1292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x260
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D8.tmp\8D9.tmp\8DA.bat

Filesize
448B

MD5
799bcbf06b30a24abca9d67a87aa7ce1

SHA1
775b9f11cd9ce520fa020a9ebf51ef0098ae6698

SHA256
afd37a6263be867f11b20537c1457db478378f4250989ecc654ee531d09c1276

SHA512
2b9515c200defb3567d03cbde1bda90ef1e82f2b2fe6fa18b460ce7b8a9f60599491c664b67c2012813d2d1ebf009fdee7e90e77b264f54e15c194900e9b85cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F133.tmp\F134.tmp\F135.bat

Filesize
37B

MD5
9d38ca2f5b6b20698c106a71d78a39d3

SHA1
aaf3ee5b10303a599fc4bb5e18643e5f4bef9bc3

SHA256
e7f18f87f25d9f2c0a8e51cdb7df01b57c4063f8cb14b16efadfa579243c80ea

SHA512
a2a864aa734fbe52a75db72eda7a033189869e4ef414d63b200580674483aaa9780c9ad2d1c6f64424ab2271b54c6e861bc86148abb2845bed702052e4afa5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Noise.exe

Filesize
2.5MB

MD5
8fc1142d14d3f202041454f02443cf86

SHA1
d00220ab94b0305ee0fe5319d1cfa6229e99885e

SHA256
0068636924e7c0d0074d594f94156b3a3428e7a6dad72ffdb24202f34fa14dab

SHA512
3c50fcc51fd31e7243e305d447ef40c1e3cb6b47212b41e0a940d004d788b463764abb4f19f6f9b6ea902a9ef4e9dd6cd9ac8e922b43d4f5def295bde2cc2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Noise.exe

Filesize
2.5MB

MD5
8fc1142d14d3f202041454f02443cf86

SHA1
d00220ab94b0305ee0fe5319d1cfa6229e99885e

SHA256
0068636924e7c0d0074d594f94156b3a3428e7a6dad72ffdb24202f34fa14dab

SHA512
3c50fcc51fd31e7243e305d447ef40c1e3cb6b47212b41e0a940d004d788b463764abb4f19f6f9b6ea902a9ef4e9dd6cd9ac8e922b43d4f5def295bde2cc2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenAll.exe

Filesize
359KB

MD5
2f0f0fe2ccee8ac13fb5c7d259a5f002

SHA1
f04097d8fd83f709df8691c40216c80f79e18981

SHA256
495428cf3b39c9dc80641fcbc8739e56ccfe37604968a68c595666a7684ce3aa

SHA512
aba50b51c3e0839feb9b885cc1a87db61a2aa0fc46ff704ba89e5ca32e4c15fed584fadd2c4f8b47bcb627570256e05796146c06f18a43be9d17fc70fd739f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenAll.exe

Filesize
359KB

MD5
2f0f0fe2ccee8ac13fb5c7d259a5f002

SHA1
f04097d8fd83f709df8691c40216c80f79e18981

SHA256
495428cf3b39c9dc80641fcbc8739e56ccfe37604968a68c595666a7684ce3aa

SHA512
aba50b51c3e0839feb9b885cc1a87db61a2aa0fc46ff704ba89e5ca32e4c15fed584fadd2c4f8b47bcb627570256e05796146c06f18a43be9d17fc70fd739f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ASLib.exe

Filesize
5.7MB

MD5
f32ca324c5efd03baa77d02a2d6c93e1

SHA1
0904821bfc023a8970240f31fd1bacb06dedd961

SHA256
adf652e07642597466a7c60bb512d9f6ec927f0e217a76e8625123974982a525

SHA512
31a7ddfb463d5c5d94d66bf84b2f55a7b87caddc433e4ac71d9fe8b43098b56172b170c4bff84ca3641aa2466576d7499ad6742aa98de66cb9a87b9d7caab0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ASLib.exe

Filesize
5.7MB

MD5
f32ca324c5efd03baa77d02a2d6c93e1

SHA1
0904821bfc023a8970240f31fd1bacb06dedd961

SHA256
adf652e07642597466a7c60bb512d9f6ec927f0e217a76e8625123974982a525

SHA512
31a7ddfb463d5c5d94d66bf84b2f55a7b87caddc433e4ac71d9fe8b43098b56172b170c4bff84ca3641aa2466576d7499ad6742aa98de66cb9a87b9d7caab0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe

Filesize
87KB

MD5
39952a00847a65cb5b192c28e81445ee

SHA1
e650da31ee60842483a37c7b761b5372add7fbe1

SHA256
fb796ea1d7c377fa8e3630ceb0b10479a738ef23bdaa6fde5c980c04c6e5d027

SHA512
e851486624fc1df056f88b229fe6f5129a1bb5218d374ff65b93178b246e610a1f5d065cf6e379c37c21fb0f8f47d75f7d80802c0d94a777149197bdd89f498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe

Filesize
87KB

MD5
39952a00847a65cb5b192c28e81445ee

SHA1
e650da31ee60842483a37c7b761b5372add7fbe1

SHA256
fb796ea1d7c377fa8e3630ceb0b10479a738ef23bdaa6fde5c980c04c6e5d027

SHA512
e851486624fc1df056f88b229fe6f5129a1bb5218d374ff65b93178b246e610a1f5d065cf6e379c37c21fb0f8f47d75f7d80802c0d94a777149197bdd89f498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sound.exe

Filesize
359KB

MD5
7bfc8ab77270809d4ab9932ddee9086a

SHA1
8461ed3470bd8d71cb2c5375c9bb3a77c5787cbc

SHA256
b8f43fc7ac936cac21fe4ee2046e3fecdc69e503994fb8ca4fd26282c075e3ea

SHA512
9a2a9a9a61b221730924e10a969d3489d0de49029b6d5a199bdd9eaf3a43ccf897537f98ed72655a06be54ea18c9a8dcbf8bf8d1656cc433b4d8dee9aad852d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sound.exe

Filesize
359KB

MD5
7bfc8ab77270809d4ab9932ddee9086a

SHA1
8461ed3470bd8d71cb2c5375c9bb3a77c5787cbc

SHA256
b8f43fc7ac936cac21fe4ee2046e3fecdc69e503994fb8ca4fd26282c075e3ea

SHA512
9a2a9a9a61b221730924e10a969d3489d0de49029b6d5a199bdd9eaf3a43ccf897537f98ed72655a06be54ea18c9a8dcbf8bf8d1656cc433b4d8dee9aad852d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\diskdestroyer.exe

Filesize
87KB

MD5
c41817af1c8343debfad342ac6502ab8

SHA1
af79a175cadecee91e1299ba737874337d9dd590

SHA256
abf949f60c1a2f377b534f8cca248a274a30455905fc3d2f5859b05bd2ab5c3d

SHA512
d45a292f389fcc4ac746516746c566ffc24f948ada370b0806c1df92b3ff1050a8b68efd5554a5db6164d28e46d8816649e24785b8a0dc8c3f5ce118d54b51c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\diskdestroyer.exe

Filesize
87KB

MD5
c41817af1c8343debfad342ac6502ab8

SHA1
af79a175cadecee91e1299ba737874337d9dd590

SHA256
abf949f60c1a2f377b534f8cca248a274a30455905fc3d2f5859b05bd2ab5c3d

SHA512
d45a292f389fcc4ac746516746c566ffc24f948ada370b0806c1df92b3ff1050a8b68efd5554a5db6164d28e46d8816649e24785b8a0dc8c3f5ce118d54b51c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.exe

Filesize
48KB

MD5
4a62a62dbde30e8489771c68a72d46d7

SHA1
e9a2659468f9f326b2821edfc84bbe22d6dde64e

SHA256
30f79f9e19e590b6fa4caf9a492b748cbffbffa96b763323228e3a420e0ae163

SHA512
d8221d1de1fa01afa6830e74944d69e39f0249fdfd9211e3806ac484fb93862fc5d04049472c18fb80afadf95439c953e0f3602c5f162b61871627cf47f6b6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.exe

Filesize
48KB

MD5
4a62a62dbde30e8489771c68a72d46d7

SHA1
e9a2659468f9f326b2821edfc84bbe22d6dde64e

SHA256
30f79f9e19e590b6fa4caf9a492b748cbffbffa96b763323228e3a420e0ae163

SHA512
d8221d1de1fa01afa6830e74944d69e39f0249fdfd9211e3806ac484fb93862fc5d04049472c18fb80afadf95439c953e0f3602c5f162b61871627cf47f6b6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\red.exe

Filesize
50KB

MD5
1a1bff7d50b030c8fef04cf3690ea9db

SHA1
76e45523c9630af83f0be68e5ca2fd3b2e2201c6

SHA256
ebb449f07966c7d638dfe56b349706a1e7b38bafc0ba419625223cb7f91f3031

SHA512
8a87cab8669fdc21c98973aea068951c1d6b70996298e29ce3f49e90aac5ad99b25ffa42623a630cc3255cafc73fd4f8f61029d3af7de5554c2e21c6e3994859

Download Submit
C:\Users\Admin\AppData\Local\Temp\red.exe

Filesize
50KB

MD5
1a1bff7d50b030c8fef04cf3690ea9db

SHA1
76e45523c9630af83f0be68e5ca2fd3b2e2201c6

SHA256
ebb449f07966c7d638dfe56b349706a1e7b38bafc0ba419625223cb7f91f3031

SHA512
8a87cab8669fdc21c98973aea068951c1d6b70996298e29ce3f49e90aac5ad99b25ffa42623a630cc3255cafc73fd4f8f61029d3af7de5554c2e21c6e3994859

Download Submit
C:\Users\Admin\AppData\Local\Temp\snd.wav

Filesize
5.0MB

MD5
6ec4b2cf3c320af5ab766a0816560a50

SHA1
304138a303969f55de0e77bce78ff613ed4f708c

SHA256
fd9cf1cb662429674008ab18ab0e84ac62aa7daa8dca0efb5df66d0e2b862935

SHA512
8ddd3df7fb56349034e3cee289589e301dfd3ae312501994a08dc0d4139de0422f68c99c7efecc1da43831f78337a82e8a41580990dd531194691d5d74938be7

Download Submit
\Users\Admin\AppData\Local\Temp\Noise.exe

Filesize
2.5MB

MD5
8fc1142d14d3f202041454f02443cf86

SHA1
d00220ab94b0305ee0fe5319d1cfa6229e99885e

SHA256
0068636924e7c0d0074d594f94156b3a3428e7a6dad72ffdb24202f34fa14dab

SHA512
3c50fcc51fd31e7243e305d447ef40c1e3cb6b47212b41e0a940d004d788b463764abb4f19f6f9b6ea902a9ef4e9dd6cd9ac8e922b43d4f5def295bde2cc2807

Download Submit
\Users\Admin\AppData\Local\Temp\Noise.exe

Filesize
2.5MB

MD5
8fc1142d14d3f202041454f02443cf86

SHA1
d00220ab94b0305ee0fe5319d1cfa6229e99885e

SHA256
0068636924e7c0d0074d594f94156b3a3428e7a6dad72ffdb24202f34fa14dab

SHA512
3c50fcc51fd31e7243e305d447ef40c1e3cb6b47212b41e0a940d004d788b463764abb4f19f6f9b6ea902a9ef4e9dd6cd9ac8e922b43d4f5def295bde2cc2807

Download Submit
\Users\Admin\AppData\Local\Temp\OpenAll.exe

Filesize
359KB

MD5
2f0f0fe2ccee8ac13fb5c7d259a5f002

SHA1
f04097d8fd83f709df8691c40216c80f79e18981

SHA256
495428cf3b39c9dc80641fcbc8739e56ccfe37604968a68c595666a7684ce3aa

SHA512
aba50b51c3e0839feb9b885cc1a87db61a2aa0fc46ff704ba89e5ca32e4c15fed584fadd2c4f8b47bcb627570256e05796146c06f18a43be9d17fc70fd739f1d

Download Submit
\Users\Admin\AppData\Local\Temp\OpenAll.exe

Filesize
359KB

MD5
2f0f0fe2ccee8ac13fb5c7d259a5f002

SHA1
f04097d8fd83f709df8691c40216c80f79e18981

SHA256
495428cf3b39c9dc80641fcbc8739e56ccfe37604968a68c595666a7684ce3aa

SHA512
aba50b51c3e0839feb9b885cc1a87db61a2aa0fc46ff704ba89e5ca32e4c15fed584fadd2c4f8b47bcb627570256e05796146c06f18a43be9d17fc70fd739f1d

Download Submit
\Users\Admin\AppData\Local\Temp\OpenAll.exe

Filesize
359KB

MD5
2f0f0fe2ccee8ac13fb5c7d259a5f002

SHA1
f04097d8fd83f709df8691c40216c80f79e18981

SHA256
495428cf3b39c9dc80641fcbc8739e56ccfe37604968a68c595666a7684ce3aa

SHA512
aba50b51c3e0839feb9b885cc1a87db61a2aa0fc46ff704ba89e5ca32e4c15fed584fadd2c4f8b47bcb627570256e05796146c06f18a43be9d17fc70fd739f1d

Download Submit
\Users\Admin\AppData\Local\Temp\OpenAll.exe

Filesize
359KB

MD5
2f0f0fe2ccee8ac13fb5c7d259a5f002

SHA1
f04097d8fd83f709df8691c40216c80f79e18981

SHA256
495428cf3b39c9dc80641fcbc8739e56ccfe37604968a68c595666a7684ce3aa

SHA512
aba50b51c3e0839feb9b885cc1a87db61a2aa0fc46ff704ba89e5ca32e4c15fed584fadd2c4f8b47bcb627570256e05796146c06f18a43be9d17fc70fd739f1d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe

Filesize
87KB

MD5
39952a00847a65cb5b192c28e81445ee

SHA1
e650da31ee60842483a37c7b761b5372add7fbe1

SHA256
fb796ea1d7c377fa8e3630ceb0b10479a738ef23bdaa6fde5c980c04c6e5d027

SHA512
e851486624fc1df056f88b229fe6f5129a1bb5218d374ff65b93178b246e610a1f5d065cf6e379c37c21fb0f8f47d75f7d80802c0d94a777149197bdd89f498b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe

Filesize
87KB

MD5
39952a00847a65cb5b192c28e81445ee

SHA1
e650da31ee60842483a37c7b761b5372add7fbe1

SHA256
fb796ea1d7c377fa8e3630ceb0b10479a738ef23bdaa6fde5c980c04c6e5d027

SHA512
e851486624fc1df056f88b229fe6f5129a1bb5218d374ff65b93178b246e610a1f5d065cf6e379c37c21fb0f8f47d75f7d80802c0d94a777149197bdd89f498b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AjarSystem.exe

Filesize
87KB

MD5
39952a00847a65cb5b192c28e81445ee

SHA1
e650da31ee60842483a37c7b761b5372add7fbe1

SHA256
fb796ea1d7c377fa8e3630ceb0b10479a738ef23bdaa6fde5c980c04c6e5d027

SHA512
e851486624fc1df056f88b229fe6f5129a1bb5218d374ff65b93178b246e610a1f5d065cf6e379c37c21fb0f8f47d75f7d80802c0d94a777149197bdd89f498b

Download Submit
\Users\Admin\AppData\Local\Temp\Sound.exe

Filesize
359KB

MD5
7bfc8ab77270809d4ab9932ddee9086a

SHA1
8461ed3470bd8d71cb2c5375c9bb3a77c5787cbc

SHA256
b8f43fc7ac936cac21fe4ee2046e3fecdc69e503994fb8ca4fd26282c075e3ea

SHA512
9a2a9a9a61b221730924e10a969d3489d0de49029b6d5a199bdd9eaf3a43ccf897537f98ed72655a06be54ea18c9a8dcbf8bf8d1656cc433b4d8dee9aad852d8

Download Submit
\Users\Admin\AppData\Local\Temp\Sound.exe

Filesize
359KB

MD5
7bfc8ab77270809d4ab9932ddee9086a

SHA1
8461ed3470bd8d71cb2c5375c9bb3a77c5787cbc

SHA256
b8f43fc7ac936cac21fe4ee2046e3fecdc69e503994fb8ca4fd26282c075e3ea

SHA512
9a2a9a9a61b221730924e10a969d3489d0de49029b6d5a199bdd9eaf3a43ccf897537f98ed72655a06be54ea18c9a8dcbf8bf8d1656cc433b4d8dee9aad852d8

Download Submit
\Users\Admin\AppData\Local\Temp\diskdestroyer.exe

Filesize
87KB

MD5
c41817af1c8343debfad342ac6502ab8

SHA1
af79a175cadecee91e1299ba737874337d9dd590

SHA256
abf949f60c1a2f377b534f8cca248a274a30455905fc3d2f5859b05bd2ab5c3d

SHA512
d45a292f389fcc4ac746516746c566ffc24f948ada370b0806c1df92b3ff1050a8b68efd5554a5db6164d28e46d8816649e24785b8a0dc8c3f5ce118d54b51c3

Download Submit
\Users\Admin\AppData\Local\Temp\error.exe

Filesize
48KB

MD5
4a62a62dbde30e8489771c68a72d46d7

SHA1
e9a2659468f9f326b2821edfc84bbe22d6dde64e

SHA256
30f79f9e19e590b6fa4caf9a492b748cbffbffa96b763323228e3a420e0ae163

SHA512
d8221d1de1fa01afa6830e74944d69e39f0249fdfd9211e3806ac484fb93862fc5d04049472c18fb80afadf95439c953e0f3602c5f162b61871627cf47f6b6f6

Download Submit
\Users\Admin\AppData\Local\Temp\error.exe

Filesize
48KB

MD5
4a62a62dbde30e8489771c68a72d46d7

SHA1
e9a2659468f9f326b2821edfc84bbe22d6dde64e

SHA256
30f79f9e19e590b6fa4caf9a492b748cbffbffa96b763323228e3a420e0ae163

SHA512
d8221d1de1fa01afa6830e74944d69e39f0249fdfd9211e3806ac484fb93862fc5d04049472c18fb80afadf95439c953e0f3602c5f162b61871627cf47f6b6f6

Download Submit
\Users\Admin\AppData\Local\Temp\red.exe

Filesize
50KB

MD5
1a1bff7d50b030c8fef04cf3690ea9db

SHA1
76e45523c9630af83f0be68e5ca2fd3b2e2201c6

SHA256
ebb449f07966c7d638dfe56b349706a1e7b38bafc0ba419625223cb7f91f3031

SHA512
8a87cab8669fdc21c98973aea068951c1d6b70996298e29ce3f49e90aac5ad99b25ffa42623a630cc3255cafc73fd4f8f61029d3af7de5554c2e21c6e3994859

Download Submit
\Users\Admin\AppData\Local\Temp\red.exe

Filesize
50KB

MD5
1a1bff7d50b030c8fef04cf3690ea9db

SHA1
76e45523c9630af83f0be68e5ca2fd3b2e2201c6

SHA256
ebb449f07966c7d638dfe56b349706a1e7b38bafc0ba419625223cb7f91f3031

SHA512
8a87cab8669fdc21c98973aea068951c1d6b70996298e29ce3f49e90aac5ad99b25ffa42623a630cc3255cafc73fd4f8f61029d3af7de5554c2e21c6e3994859

Download Submit
memory/512-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1264-133-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/1264-121-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1700-120-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1700-128-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1972-125-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1972-119-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-129-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download