Overview

overview

10

Static

static

1

fe7c4b36fc...80.exe

windows7-x64

10

fe7c4b36fc...80.exe

windows10-2004-x64

10

Resubmissions

11-06-2024 12:49

240611-p2sm9sxgpq 1

19-04-2024 05:35

240419-f92rgabb5t 10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe7c4b36fca4fdf53789979a4a09c880.exe

  • Size

    50KB

  • MD5

    fe7c4b36fca4fdf53789979a4a09c880

  • SHA1

    89caf7f3b9f4d7d732ade5593e1958f6f025afa1

  • SHA256

    1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470

  • SHA512

    e0668f6dfda991ab07870d53ce291f73d48533c44dfed1178c8b98b57c799eb77f19451bc70d09caaf757bf18ef6217b44e7fc626b38c89261dc8920796339f3

  • SSDEEP

    768:mDrJUAkwf3ppZuBdrm+KiPxWEh9HgPxWEjj4G:8rkwf3ppZRsPxZgPx94G

Score
10/10
hermeticwiperxwormzgratbootkitpersistencerattrojanupxwiper

Malware Config

Extracted

Family

xworm

Version

3.1

C2

gamemodz.duckdns.org:6969

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect HermeticWiper 1 IoCs

    Detect HermeticWiper Payload.

    wiper
  • Detect Xworm Payload 1 IoCs
  • Detect ZGRat V1 34 IoCs
  • HermeticWiper

    HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.

    wiperhermeticwiper
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe7c4b36fca4fdf53789979a4a09c880.exe
    "C:\Users\Admin\AppData\Local\Temp\fe7c4b36fca4fdf53789979a4a09c880.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2052
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://i.imgflip.com/1p7cdj.jpg
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87cfa46f8,0x7ff87cfa4708,0x7ff87cfa4718
          4⤵
            PID:908
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
            4⤵
              PID:2100
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:992
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
              4⤵
                PID:2636
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
                4⤵
                  PID:1704
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
                  4⤵
                    PID:2604
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
                    4⤵
                      PID:2684
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2516
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
                      4⤵
                        PID:4748
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
                        4⤵
                          PID:2372
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                          4⤵
                            PID:2256
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11078202839643578770,7187155232845658489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                            4⤵
                              PID:4760
                          • C:\Users\Admin\AppData\Local\Temp\alzevs.exe
                            "C:\Users\Admin\AppData\Local\Temp\alzevs.exe"
                            3⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3284
                          • C:\Users\Admin\AppData\Local\Temp\rhuqgz.exe
                            "C:\Users\Admin\AppData\Local\Temp\rhuqgz.exe"
                            3⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            PID:2804
                            • C:\Windows\system32\wscript.exe
                              "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FA49.tmp\FA4A.tmp\FA4B.vbs //Nologo
                              4⤵
                              • Checks computer location settings
                              PID:4776
                              • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\mbr.exe
                                "C:\Users\Admin\AppData\Local\Temp\FA49.tmp\mbr.exe"
                                5⤵
                                • Executes dropped EXE
                                • Writes to the Master Boot Record (MBR)
                                PID:2572
                              • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\bytebeat1.exe
                                "C:\Users\Admin\AppData\Local\Temp\FA49.tmp\bytebeat1.exe"
                                5⤵
                                • Executes dropped EXE
                                PID:3104
                              • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\rgb.exe
                                "C:\Users\Admin\AppData\Local\Temp\FA49.tmp\rgb.exe"
                                5⤵
                                • Executes dropped EXE
                                PID:3068
                              • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\sinewaves.exe
                                "C:\Users\Admin\AppData\Local\Temp\FA49.tmp\sinewaves.exe"
                                5⤵
                                • Executes dropped EXE
                                PID:5640
                              • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\Lines.exe
                                "C:\Users\Admin\AppData\Local\Temp\FA49.tmp\Lines.exe"
                                5⤵
                                • Executes dropped EXE
                                PID:6416
                              • C:\Windows\System32\taskkill.exe
                                "C:\Windows\System32\taskkill.exe" /f /im Lines.exe
                                5⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:6412
                              • C:\Windows\System32\taskkill.exe
                                "C:\Windows\System32\taskkill.exe" /f /im sinewaves.exe
                                5⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:6104
                              • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\txtout.exe
                                "C:\Users\Admin\AppData\Local\Temp\FA49.tmp\txtout.exe"
                                5⤵
                                • Executes dropped EXE
                                PID:5336
                          • C:\Users\Admin\AppData\Local\Temp\ieuwqd.exe
                            "C:\Users\Admin\AppData\Local\Temp\ieuwqd.exe"
                            3⤵
                            • Executes dropped EXE
                            • Drops desktop.ini file(s)
                            • Drops file in Program Files directory
                            PID:4280
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4288
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1932
                          • C:\Users\Admin\AppData\Roaming\cvtres.exe
                            C:\Users\Admin\AppData\Roaming\cvtres.exe
                            1⤵
                            • Executes dropped EXE
                            PID:3952
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4f0
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1300
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6356

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Program Files\7-Zip\Lang\az.txt
                            Filesize

                            9B

                            MD5

                            9d88efac0177f99fa528033afb54e378

                            SHA1

                            a6fef6b2f49cdb2e476020bd1e7da65997d9bfc3

                            SHA256

                            845640b68b92599fcab7a1a64ddd79087781cefcc5ed743ac4eee5c760b4ada5

                            SHA512

                            ffa3236f35b7e8ed5e52c31d330aaf1bb0ee87e5e107b033a3377f593d6a02c6716332f582c175fc2f17a520db9f28036254c58b2fea74844e1e90f75628abfc

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            c4e86f72f6f2bdd2f68d77a7f5477091

                            SHA1

                            e489acc011f1c8edca2308577653e19e0daf2974

                            SHA256

                            2abddff8823bde0650a10297709c4ea22258a3e5c79620805f6da52664eb762c

                            SHA512

                            ca6093a136006f6808ce12a1b3e92dd8f53d6500ed253ecfafa8aa5a97e375641df25b0f3360acf6e063e9ee8bdb814c469973fae663a217cc0932c9122a746b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            d7068dbc5d66be9ce2817196103217ab

                            SHA1

                            ecc24ad138e575547b358803789f6ee31a66260a

                            SHA256

                            b89d90e5fc2e8b7e9057196ca5caa49e1974ca4c58b95d779f95393bea6373c5

                            SHA512

                            5f429904ac12a13d3889874b1f2cc9c05ec5f15a40f844e74a91e8294e6af344c5f1b1fa72487a5e4759a703f8e5be0f8906f7310f9d3553875a08024c627960

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            b4db5ee50aca85e240bb17699cd87d7f

                            SHA1

                            080a99c4e7910d4633d23e1cc83c2080de425f06

                            SHA256

                            52355455485b2002af5ec2b9f4b8669dbaa0ffce8234853eb45ace42d9b46469

                            SHA512

                            ead73bc380a2e9ef7959418273444ac1b96deb01817bd1ff3edb1ee3413b95eb60381dd753cf891345275636e76cb319c241894ba3dce2ea0d06b1fe95804e23

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            507cc706282bb79f9dfa85410500e1a7

                            SHA1

                            afde4aa843f5963cf0a8039d4634f4ea64bf00a9

                            SHA256

                            a7d957d1081dae9a31f4487540dab27e261c6c6ed1473472959ac5bf1e4cbb05

                            SHA512

                            e64d80e0a383e594ada18ae6756df51aa46c0f9a034660b36856ec46dac3accd7ccbd8891ea0ad0686d01b7c4731a0444a698cbac90a008a9ccf0f09553ce0ec

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                            Filesize

                            24KB

                            MD5

                            9e699fa6cf4922d4d223dc5d994fe9ef

                            SHA1

                            4c201219f45689ec69e236a99e2b8783222c6d25

                            SHA256

                            ccdffba38d1a7abbf06e286f7a360718f52a4b6c8f4f7d87394a86d44f862ed0

                            SHA512

                            94a8e29d6f5f5d780b567fb23f0973bef99ecc173249a79b90965fe3ddb2abce4dc48d3ca3ee3270e4f58416eaefb4ae1fb99ea59a266853fbd2e1efe8cc83d2

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            acf73ea8f1ade02d9ac1c9feb4c344ee

                            SHA1

                            54efe401823d4b505c5048975e1216b9b4842684

                            SHA256

                            30d41e513b120eac31f991e9e9deabf08c7b7cd6acd1bc8b10444146fe80855c

                            SHA512

                            035172c25138021c9a36d0218005f1a98e02e2ab684fb8bc48333d3a21cab6318176b9bbb76a02acefb7f374018455c31ee8681c3d877af3a04e86ee2b682a01

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            10KB

                            MD5

                            b562bd99d4a45797755d80c752c103de

                            SHA1

                            ff249b5bcbd9e8f2b93b08ceb32cc7a217d06383

                            SHA256

                            fe0068ccb28a5e6e9dd3bd7875e2c3d6636c550fff8574e4af178c9554286137

                            SHA512

                            4ab2a966589d8ec972253aa2741395d1e9330cc2a19d359d618cde43a5388c1615dfae031f98724e7fef9012efda4ab9c96acd6b83027feefc83e37ca703811d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\FA4A.tmp\FA4B.vbs
                            Filesize

                            3KB

                            MD5

                            dbe460e73bc825119c6326250ac8f223

                            SHA1

                            191f599142390b486868a952f6c3df8eedc60ab2

                            SHA256

                            39ec4ede07d340f3ce319a28da8ebf3cdee86ae95241a53fa99fe729746aaef0

                            SHA512

                            f363475209e743e38b32078a24f99e89c93e18e7100a4c28d49d9054e981cbcaaef6960d434464af6f37789f76065d18671609e3a1b369ced34a8b14da1b06a3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\Lines.exe
                            Filesize

                            103KB

                            MD5

                            6381e3e4b02204e1353218ee6ec45c2a

                            SHA1

                            a350d4432d2a1a8c7a34d5ea7214326ffc02c270

                            SHA256

                            df3cc9a807a80697cd8b72f8f17a365849146cb4e41b4340e42f78d1bc1722e1

                            SHA512

                            ac7f21c539667a77236b78006740c634b7d4c0a55dcb776872bb339501112c62e1990bbb73b8f3c4e5b065167b8102fe35aa4633248b19dca602606b68b15015

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\bytebeat1.exe
                            Filesize

                            102KB

                            MD5

                            6b673ece600bcc8a665ebf251d7d926e

                            SHA1

                            64ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e

                            SHA256

                            41ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b

                            SHA512

                            feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\bytebeat1.wav
                            Filesize

                            1.3MB

                            MD5

                            09d2094f56d2d38aa64eac1d90c5a554

                            SHA1

                            c6268759b1eee9fdfafa0d605d62bbbf85defbca

                            SHA256

                            4599f6f06c7f491a50e3c4012a83cce9f3ee13ae209189cb8964f0b6ba14614c

                            SHA512

                            4ca756a06612c281ec03dd9f064b9ddaf6756b00a5d54dee62728f5cdd7ad3d928559b9857ed2f733b8b3e842b396fed94b212ef2a384265ac623433d67010f3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\mbr.exe
                            Filesize

                            577KB

                            MD5

                            d1174d4066bc2b4c09059e7839651eac

                            SHA1

                            a2b326436cb9a61ab1a9c1daa0aa6e6d424dc878

                            SHA256

                            5000f70ff57cf2662d4b49c1c4ad275ac3f3d241f620988978e552c6f1c2d4fb

                            SHA512

                            7ddef5b623aaa5de346cafb51a88b527d98190f7dea747b8809cfe7e7fd869dd2a202385169896c84d77db76df3d68ecfdb7d7cbdec556d071028306fe7375bd

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\rgb.exe
                            Filesize

                            105KB

                            MD5

                            bfc9e8ab494313d6efb67fc8942f5ee9

                            SHA1

                            1b42cc97803221538e020cb90517cb808cf19381

                            SHA256

                            33cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13

                            SHA512

                            2d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\sinewaves.exe
                            Filesize

                            108KB

                            MD5

                            e9534d452e7b06b5591e0509553f8d86

                            SHA1

                            2be1075e3ffe29c95fb0fcbed4dcf9fc54788a58

                            SHA256

                            edce21b4ec9b68e4e8a5232c1432d5de0865f1fded27fc69965a2d3d568de909

                            SHA512

                            21c40c98f9351676f9a105a733472b4b9145a2a2fe13a82b681fec1c73d893bd2be472938e2b84b70836875ed18d0e615a003b4af0f99d5d463f2031500b57c3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\FA49.tmp\txtout.exe
                            Filesize

                            105KB

                            MD5

                            4fa1fa5d513c7fa461af0b0fcdedc2a0

                            SHA1

                            f9d0b9bbb95d8584050056a2a55541389d506566

                            SHA256

                            57f402713148807269c35f71eaa37b3f9309f259dc03a14a304fa7598f8acd4f

                            SHA512

                            8434b1f647ba903cb0d411f54d8566430bf7c1822e67d165b9e6f18cb906101be1c9566d8cc09741c9a629c9f45f774317112e4d20f3ac3ea1ad513b05cc90d1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\alzevs.exe
                            Filesize

                            114KB

                            MD5

                            3f4a16b29f2f0532b7ce3e7656799125

                            SHA1

                            61b25d11392172e587d8da3045812a66c3385451

                            SHA256

                            1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

                            SHA512

                            32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\ieuwqd.exe
                            Filesize

                            172KB

                            MD5

                            bc1bade9688d5f472c5f2df32323161d

                            SHA1

                            ebaac201839daf02c53f89a1cd6fa9fd6fb17e5a

                            SHA256

                            6eccd34b5fd479c02356e2f27c4a0d4703d4c0a1ba6e2ca079f652f6b8d9a989

                            SHA512

                            10520c7e5eff0a817e2ce605891a31498ca912771009543975209d4468250bd889adce1b568278f47a20af745a127e42ec70134c3710f77d9273ce1bf611a08c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\rhuqgz.exe
                            Filesize

                            791KB

                            MD5

                            e9d46548e6009b9dd5648fce65b22511

                            SHA1

                            7f1aae821773d8481df3453d6ad2c6074cb55fb6

                            SHA256

                            e320066f7580bb1d65f073fc673e14b5fe07021474e9254e8a78b3bb4f28e0be

                            SHA512

                            bf15cee63ae05521407fc6d578daa44fd5d6f7dd876beeae01fc00906d2e949855121f81cde0042bf76a2f9bb35730606b47c5123cbf3d6ffc4a0abaf5543f44

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\cvtres.exe
                            Filesize

                            45KB

                            MD5

                            70d838a7dc5b359c3f938a71fad77db0

                            SHA1

                            66b83eb16481c334719eed406bc58a3c2b910923

                            SHA256

                            e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea

                            SHA512

                            9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034

                            Download Submit

                          • \??\pipe\LOCAL\crashpad_4596_GKVQBRHXVMTJSDVD
                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            Download Submit

                          • memory/212-4891-0x0000000004790000-0x00000000047E4000-memory.dmp

                            Filesize

                            336KB

                            Download

                          • memory/212-33-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-43-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-45-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-47-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-49-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-51-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-53-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-55-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-57-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-59-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-61-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-63-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-65-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-67-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-69-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-1992-0x0000000074DA0000-0x0000000075550000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/212-2223-0x0000000004D90000-0x0000000004DA0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/212-4888-0x0000000005A90000-0x0000000005A91000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/212-4889-0x0000000005D40000-0x0000000005DA2000-memory.dmp

                            Filesize

                            392KB

                            Download

                          • memory/212-4890-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/212-0-0x0000000000300000-0x000000000030E000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/212-1-0x0000000074DA0000-0x0000000075550000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/212-2-0x0000000004D90000-0x0000000004DA0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/212-4894-0x0000000074DA0000-0x0000000075550000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/212-3-0x00000000057A0000-0x00000000059C6000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-4-0x0000000005F80000-0x0000000006524000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/212-5-0x0000000005AD0000-0x0000000005B62000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/212-39-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-6-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-37-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-7-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-35-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-41-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-31-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-29-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-27-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-25-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-23-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-21-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-19-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-17-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-9-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-11-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-15-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/212-13-0x00000000057A0000-0x00000000059C0000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/1312-4897-0x0000000005740000-0x00000000057DC000-memory.dmp

                            Filesize

                            624KB

                            Download

                          • memory/1312-5001-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1312-4915-0x0000000005980000-0x0000000005990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1312-4908-0x0000000074DA0000-0x0000000075550000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/1312-4896-0x0000000074DA0000-0x0000000075550000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/1312-4899-0x0000000005980000-0x0000000005990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1312-4895-0x0000000000400000-0x0000000000418000-memory.dmp

                            Filesize

                            96KB

                            Download

                          • memory/1312-11740-0x0000000001370000-0x000000000137C000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1312-4898-0x0000000003370000-0x00000000033D6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/2804-13334-0x0000000000400000-0x00000000004D8000-memory.dmp

                            Filesize

                            864KB

                            Download

                          • memory/2804-5000-0x0000000000400000-0x00000000004D8000-memory.dmp

                            Filesize

                            864KB

                            Download

                          • memory/4280-7695-0x0000000000F70000-0x0000000000F80000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4280-5282-0x0000000000F70000-0x0000000000F80000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4280-13335-0x0000000000F70000-0x0000000000F80000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4280-5183-0x000000006EDA0000-0x000000006F351000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/4280-14865-0x000000006EDA0000-0x000000006F351000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/4280-14898-0x0000000000F70000-0x0000000000F80000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4280-14899-0x0000000000F70000-0x0000000000F80000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4280-5081-0x000000006EDA0000-0x000000006F351000-memory.dmp

                            Filesize

                            5.7MB

                            Download