ramnit | fb5e59fbe17f28e69fc37c591ceb2dc8e4c617fe1c126a203ccbbe7eb82bbc8a

Analysis

max time kernel
564s
max time network
563s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

хуеглот.exe
Size

146KB
MD5

e7365a5ab13b26ef263c3655f397473d
SHA1

afa25fa8e260e417c92299232d18c7e563de1162
SHA256

fb5e59fbe17f28e69fc37c591ceb2dc8e4c617fe1c126a203ccbbe7eb82bbc8a
SHA512

3efb3d82d963f7942bbcef8719f314b9fcb75120a8e8084c84aa4755c88eeb31d6227a0b4b80146cd05cced722a59a0c78d50e5a16f09215e7ab91c4f0e3e4fb
SSDEEP

3072:aAd2EccyEhjH1TibfRUpFO9KVtnljw7oLF:ag7hjH1Ob59anl0M

Score

10^/10

ramnit xworm banker defense_evasion discovery persistence rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

xworm

127.0.0.1:62949

pidoras123131-62949.portmap.host:62949

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7812594920:AAF8LiE_BAgLbrCBoONka4W_igE0Wo_lUEg/sendMessage?chat_id=7101392896

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4080-1-0x0000000000100000-0x000000000012A000-memory.dmp	family_xworm

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmmmex.exe

Disables Task Manager via registry modification
defense_evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CheacherCheats1.lnk	хуеглот.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CheacherCheats1.lnk	хуеглот.exe

Executes dropped EXE 18 IoCs

pid	Process
2512	znooyo.exe
3000	ngaqiw.exe
3116	rrumzp.exe
5908	vcxpbu.exe
6000	lmmmex.exe
5344	hevpac.exe
5672	pyfwjp.exe
5008	okxfff.exe
2244	pqdbif.exe
2936	okmudm.exe
1996	bbcdjd.exe
3444	erroricons.exe
4336	INVERS.exe
5832	crazywarningicons.exe
2512	crazyinvers.exe
6012	erroriconscursor.exe
5388	toonel.exe
4748	abqswa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Run\CheacherCheats1 = "C:\\Users\\Admin\\AppData\\Roaming\\CheacherCheats1"	хуеглот.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
12	discord.com

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b11a-72.dat	upx
behavioral1/memory/3000-78-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3000-79-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x001b00000002b121-150.dat	upx
behavioral1/memory/6000-155-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/6000-157-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x001a00000002b126-193.dat	upx
behavioral1/memory/5008-196-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/5008-219-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/files/0x004700000002b12b-264.dat	upx
behavioral1/memory/1996-271-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1996-339-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x001b00000002b141-366.dat	upx
behavioral1/memory/4748-370-0x0000000000400000-0x00000000004F7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	3000	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcxpbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okmudm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbcdjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqswa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rrumzp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmmmex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyfwjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okxfff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngaqiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hevpac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqdbif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{78FBA138-7A46-45BD-990C-A29F5044FE66}	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{D1D461EA-F4D7-4D8C-9B72-0D9D600F76F9}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	pyfwjp.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{B6D40C72-55C7-422C-95A1-24BC294F4E80}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{5264FFEA-A12D-40E5-82F7-5A01A5E2407C}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	хуеглот.exe
4080	хуеглот.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	хуеглот.exe
Token: SeDebugPrivilege	4080	хуеглот.exe
Token: 33	3244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3244	AUDIODG.EXE
Token: SeShutdownPrivilege	1980	WScript.exe
Token: SeCreatePagefilePrivilege	1980	WScript.exe
Token: SeShutdownPrivilege	1980	WScript.exe
Token: SeCreatePagefilePrivilege	1980	WScript.exe
Token: SeDebugPrivilege	2244	pqdbif.exe
Token: SeShutdownPrivilege	3088	WScript.exe
Token: SeCreatePagefilePrivilege	3088	WScript.exe
Token: SeShutdownPrivilege	3840	WScript.exe
Token: SeCreatePagefilePrivilege	3840	WScript.exe
Token: SeShutdownPrivilege	3088	WScript.exe
Token: SeCreatePagefilePrivilege	3088	WScript.exe
Token: SeShutdownPrivilege	3840	WScript.exe
Token: SeCreatePagefilePrivilege	3840	WScript.exe
Token: SeShutdownPrivilege	4940	WScript.exe
Token: SeCreatePagefilePrivilege	4940	WScript.exe
Token: SeShutdownPrivilege	4940	WScript.exe
Token: SeCreatePagefilePrivilege	4940	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4080	хуеглот.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2512	4080	хуеглот.exe	82
PID 4080 wrote to memory of 2512	4080	хуеглот.exe	82
PID 4080 wrote to memory of 3000	4080	хуеглот.exe	84
PID 4080 wrote to memory of 3000	4080	хуеглот.exe	84
PID 4080 wrote to memory of 3000	4080	хуеглот.exe	84
PID 4080 wrote to memory of 3116	4080	хуеглот.exe	88
PID 4080 wrote to memory of 3116	4080	хуеглот.exe	88
PID 4080 wrote to memory of 3116	4080	хуеглот.exe	88
PID 4080 wrote to memory of 5908	4080	хуеглот.exe	90
PID 4080 wrote to memory of 5908	4080	хуеглот.exe	90
PID 4080 wrote to memory of 5908	4080	хуеглот.exe	90
PID 4080 wrote to memory of 6000	4080	хуеглот.exe	91
PID 4080 wrote to memory of 6000	4080	хуеглот.exe	91
PID 4080 wrote to memory of 6000	4080	хуеглот.exe	91
PID 4080 wrote to memory of 5344	4080	хуеглот.exe	92
PID 4080 wrote to memory of 5344	4080	хуеглот.exe	92
PID 4080 wrote to memory of 5344	4080	хуеглот.exe	92
PID 4080 wrote to memory of 5672	4080	хуеглот.exe	93
PID 4080 wrote to memory of 5672	4080	хуеглот.exe	93
PID 4080 wrote to memory of 5672	4080	хуеглот.exe	93
PID 5672 wrote to memory of 2232	5672	pyfwjp.exe	94
PID 5672 wrote to memory of 2232	5672	pyfwjp.exe	94
PID 5672 wrote to memory of 2232	5672	pyfwjp.exe	94
PID 2232 wrote to memory of 2100	2232	WScript.exe	96
PID 2232 wrote to memory of 2100	2232	WScript.exe	96
PID 2232 wrote to memory of 2100	2232	WScript.exe	96
PID 4080 wrote to memory of 5008	4080	хуеглот.exe	97
PID 4080 wrote to memory of 5008	4080	хуеглот.exe	97
PID 4080 wrote to memory of 5008	4080	хуеглот.exe	97
PID 5008 wrote to memory of 4488	5008	okxfff.exe	98
PID 5008 wrote to memory of 4488	5008	okxfff.exe	98
PID 4488 wrote to memory of 1980	4488	cmd.exe	102
PID 4488 wrote to memory of 1980	4488	cmd.exe	102
PID 4080 wrote to memory of 2244	4080	хуеглот.exe	105
PID 4080 wrote to memory of 2244	4080	хуеглот.exe	105
PID 4080 wrote to memory of 2244	4080	хуеглот.exe	105
PID 4080 wrote to memory of 2936	4080	хуеглот.exe	106
PID 4080 wrote to memory of 2936	4080	хуеглот.exe	106
PID 4080 wrote to memory of 2936	4080	хуеглот.exe	106
PID 4080 wrote to memory of 1996	4080	хуеглот.exe	107
PID 4080 wrote to memory of 1996	4080	хуеглот.exe	107
PID 4080 wrote to memory of 1996	4080	хуеглот.exe	107
PID 2936 wrote to memory of 5948	2936	okmudm.exe	108
PID 2936 wrote to memory of 5948	2936	okmudm.exe	108
PID 2936 wrote to memory of 5948	2936	okmudm.exe	108
PID 1996 wrote to memory of 2816	1996	bbcdjd.exe	110
PID 1996 wrote to memory of 2816	1996	bbcdjd.exe	110
PID 5948 wrote to memory of 3840	5948	cmd.exe	112
PID 5948 wrote to memory of 3840	5948	cmd.exe	112
PID 5948 wrote to memory of 3840	5948	cmd.exe	112
PID 2816 wrote to memory of 3088	2816	cmd.exe	113
PID 2816 wrote to memory of 3088	2816	cmd.exe	113
PID 5948 wrote to memory of 3444	5948	cmd.exe	114
PID 5948 wrote to memory of 3444	5948	cmd.exe	114
PID 5948 wrote to memory of 3444	5948	cmd.exe	114
PID 5948 wrote to memory of 4336	5948	cmd.exe	115
PID 5948 wrote to memory of 4336	5948	cmd.exe	115
PID 5948 wrote to memory of 4336	5948	cmd.exe	115
PID 5948 wrote to memory of 5832	5948	cmd.exe	116
PID 5948 wrote to memory of 5832	5948	cmd.exe	116
PID 5948 wrote to memory of 5832	5948	cmd.exe	116
PID 5948 wrote to memory of 2512	5948	cmd.exe	117
PID 5948 wrote to memory of 2512	5948	cmd.exe	117
PID 5948 wrote to memory of 2512	5948	cmd.exe	117

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lmmmex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	lmmmex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	lmmmex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton = "1"	lmmmex.exe

C:\Users\Admin\AppData\Local\Temp\хуеглот.exe
"C:\Users\Admin\AppData\Local\Temp\хуеглот.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\znooyo.exe
  "C:\Users\Admin\AppData\Local\Temp\znooyo.exe"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\ngaqiw.exe
  "C:\Users\Admin\AppData\Local\Temp\ngaqiw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 320
    3⤵
    - Program crash
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\rrumzp.exe
  "C:\Users\Admin\AppData\Local\Temp\rrumzp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\vcxpbu.exe
  "C:\Users\Admin\AppData\Local\Temp\vcxpbu.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\lmmmex.exe
  "C:\Users\Admin\AppData\Local\Temp\lmmmex.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:6000
- C:\Users\Admin\AppData\Local\Temp\hevpac.exe
  "C:\Users\Admin\AppData\Local\Temp\hevpac.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5344
- C:\Users\Admin\AppData\Local\Temp\pyfwjp.exe
  "C:\Users\Admin\AppData\Local\Temp\pyfwjp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
- C:\Users\Admin\AppData\Local\Temp\okxfff.exe
  "C:\Users\Admin\AppData\Local\Temp\okxfff.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B03.tmp\3B04.tmp\3B05.bat C:\Users\Admin\AppData\Local\Temp\okxfff.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"
      4⤵
      Enumerates connected drives
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- C:\Users\Admin\AppData\Local\Temp\pqdbif.exe
  "C:\Users\Admin\AppData\Local\Temp\pqdbif.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\okmudm.exe
  "C:\Users\Admin\AppData\Local\Temp\okmudm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
      erroricons.exe
      4⤵
      Executes dropped EXE
      PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
      INVERS.exe
      4⤵
      Executes dropped EXE
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
      crazywarningicons.exe
      4⤵
      Executes dropped EXE
      PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
      crazyinvers.exe
      4⤵
      Executes dropped EXE
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
      erroriconscursor.exe
      4⤵
      Executes dropped EXE
      PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
      toonel.exe
      4⤵
      Executes dropped EXE
      PID:5388
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5884
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976
- C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe
  "C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6143.tmp\6144.tmp\6145.bat C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\g.VBS"
      4⤵
      Enumerates connected drives
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:3088
- C:\Users\Admin\AppData\Local\Temp\abqswa.exe
  "C:\Users\Admin\AppData\Local\Temp\abqswa.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC6A.tmp\FC6B.tmp\FC6C.bat C:\Users\Admin\AppData\Local\Temp\abqswa.exe"
    3⤵
    - Modifies registry class
    PID:1824
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\g.VBS"
      4⤵
      Enumerates connected drives
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CheacherCheats1
1⤵
PID:2160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3000 -ip 3000
1⤵
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
bcdaa031c1dca7719b9b65bbbde072c6

SHA1
7bb0ba3dfa8201a6c9057f0701398a11d0060db9

SHA256
f4a6a6cabb8c6f7da9883360523f552b72746889710730021463f9cd8ba22c30

SHA512
9d3169c2ac0820aca310a828b0736b62817e8a6a84c711e7157d7c8f81d84c3c596fb82967010e3641e495a33c7ca08a7dd1250389b4941cfc13fbca1635e228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
6035c2db5bf97addefa3d642670f6097

SHA1
c07423b8f4f4a7e25534ee24a9d322d1aff7f8e2

SHA256
8c52ca22e80b943fd869751ec4c8ab504f3820ff8d4947cc08d1ce18bbf1d452

SHA512
f66f0280bde2905414449f4aee55c283a6eba6a8b967e6035ad42c703ba36734dcb4f627828b96556610c6b2dd3a4719c70e31304048716ce65e92f20d003cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
9c305568a50a9169234c7a7bbe9c28d2

SHA1
5478b1c40caa2e81b3c4b37540b412a17e7bc6d7

SHA256
d1904b998bf18be36a96780a7c85a7d2dd9a175afabf6408eef5667179f23e64

SHA512
7628bb2245edd4a211460c3d28a506227c85ee518f3628d3f14a3f23f302fb33a69e2d9bd9699e891aa1a5bb882a32b31c744c17d2aeb276948d90eead4cbd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B03.tmp\3B04.tmp\3B05.bat

Filesize
27B

MD5
c7da66cab92e95daf435dc74fa5ca35a

SHA1
924f2b0ebac4eac12c78b298697400a1b338a4c5

SHA256
4ab885b4b48037707771cc63658513d3d82a80cf97fbcdf4558e35bc3adc2b92

SHA512
28737deed8241b3c577cc6a2942287d5be0f9a45f9a902696ab733c78fe2bcd0d47d29d0efec6cca57de656472346170379c7d1ba60a5508c31f883674786787

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.vbs

Filesize
462B

MD5
593e1c1aac6eb52f5a45481a32a8a94c

SHA1
d9f9f058a22e2c1708eb46c494b705f102d65996

SHA256
477a5b41a9daa3035d3a039990fa6cbab15db95da9a6de3c42874331b642b18b

SHA512
fe8c43148cda5cad61bc4749c1384838ffde2599381da69b0b958c10d2f97351696e70124a1d38a121593e658f44b5ea25272a4bf6dd27e1a4cd1646207e0d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6143.tmp\6144.tmp\6145.bat

Filesize
27B

MD5
f7797a987e496cd654125fe3bac95c14

SHA1
7cba1d358434ca024a7180b773f9f0f144b918f9

SHA256
0fea6030305df43e8555f79806142eee57f3df68476ba3de9713c0cdc12d96c0

SHA512
f9aead43b503882eca3b33775e38f287e4c541b17f2338f5324720a7a550f83cba9bc9a5420c32c33192dff076b2fedfe2f9e0963174253b306e6fc3c68926f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC6A.tmp\FC6B.tmp\FC6C.bat

Filesize
27B

MD5
2c60615f570b74008863645b6dbf34d5

SHA1
574b9501e29315dc86cb4627a9ca7d02348af159

SHA256
788c1b4070e76aa8176da1ce35070c3261c97b47d78a665b2225aec9135e9c42

SHA512
8d679bd680c04f169eca4630db2561432745529e975fa111d770560f32143b2f069d681353c3e490c99f92cf80eb1cef4b8acc0c337581018362327ea85e2e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe

Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

Filesize
2.3MB

MD5
a44458813e819777013eb3e644d74362

SHA1
2dd0616ca78e22464cf0cf68ef7915358a16f9ee

SHA256
47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

SHA512
1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

Filesize
1.2MB

MD5
e21bb4749a8b1b6fc26a7bcf57781836

SHA1
89cb0bd80d691ca650ad01551be3acefa2256ebd

SHA256
0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

SHA512
b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dobrota.mp3

Filesize
3.1MB

MD5
2e8dd39476399ce5bd98c3e7b0fd79dc

SHA1
01bc2edd0e97a2db5fd99f83cc64a12633577299

SHA256
6d63f9fbda65cf5b4a4daa9c7b3433069728df731f2e76b494d224a8602da101

SHA512
6ca02ee90b8185ea4dad60faa6a8c7b004a62792ca0b8454148cb8e667bc7940aa544cd3b4a22323b332e56abba498c1afceb5db29369601c291540e104065f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe

Filesize
316KB

MD5
135eeb256e92d261066cfd3ffd31fb3e

SHA1
5c275ffd2ab1359249bae8c91bebcab19a185e91

SHA256
f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

SHA512
a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs

Filesize
37B

MD5
35fbf9bf29760b9e120b37900b3c1343

SHA1
8a231c37ee13e72f27a38411668fde6fef3ff5bc

SHA256
e1cdab59df6508013e8b91c71043c8ecfe81b94a037706147ed19adf992539e6

SHA512
d1c12b6690c6b90dda5ad3e226e30adc848b3c324f929dec373ab6c7606fbcab716c49c4446efadf14036583924f8f094491bfe8bef380fd877c00cf9feaacc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs

Filesize
37B

MD5
63954d8930e517637c254f9da0749e7a

SHA1
27f6a13c0e9530166d62b4586c3d2bda5cb5064c

SHA256
bffa14678b8c39c2fbfa54b76fbac5f750aebc8dc2954da10a55b7f1f90f351c

SHA512
dd5df6b8a64523fedb5aaced7d864013d12e6930015d8fd2267b11cffe76741c3a7907814a832ff7589476a51d16e8ab0fc566f4ac0784f6a599070080c7008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs

Filesize
216B

MD5
c36c15e1f99e1c0d093b9b089b1073c5

SHA1
47a237639f83d8de0c2034831ff3e12a3bad7408

SHA256
3d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736

SHA512
4283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat

Filesize
205B

MD5
47fef7e366f39175f9467a5a33675b40

SHA1
4a55fdc489cb4b67517e04fe1eadc63dfff7b232

SHA256
7670d34d64f41ae60bffdd902e4d566b7fdd0c7782738782d5a8dbe59cce2001

SHA512
ea5ee454f8fa4ce2e7519c3b8772a8083586d4c4eefa981410c17d67d0ae8e8e716f8693d331a040d5fd29cb007988af2472a0b36840805098be492f863a4e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe

Filesize
317KB

MD5
a84257e64cfbd9f6c0a574af416bc0d1

SHA1
245649583806d63abb1b2dc1947feccc8ce4a4bc

SHA256
fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

SHA512
6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\abqswa.exe

Filesize
916KB

MD5
38dac07c7cf9940a30f9353eb9f304e7

SHA1
b7b15baebeedff91f1f59e23328172a7a476ccf4

SHA256
b98b81756bed76482d9ffc77fc4cf6c514eb1fa6bb5e47a1c80dea1e84a253ed

SHA512
69d1918c05ebac66e0418acc9d828c136a72e3a6f6f0af941c42dce6a1bd0a82818c4971766996ec84f866295efc73f82bd78ac8b2251c5596f4b884cf875471

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe

Filesize
177KB

MD5
c30105e387ff2bc741d3f775ca2d5a39

SHA1
94b458e17a27777491c5d44a05716b27edfb6599

SHA256
e8be5e2c591dffbd046f290cf0ed55ba2d278b266bb62962fbb33f2b23f172fd

SHA512
90ae93d2d044ca467cb013c3dbcac2757a02e95b0b294459382ebd3524a3099ea1647336ea2193b1e4bb3333d0025d79f12cfa36e5c6773dce79697e9cac2c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevpac.exe

Filesize
112KB

MD5
814dee0898024d825f80d9d8372b9582

SHA1
716c957f9dca55ec4a40ecbbb8e74ccd4a48d475

SHA256
0815a18bad6ab61f6ffb09fa4222d36ac16589a81db07a3ef79545600202913b

SHA512
be34c108059f647abc6f160cfc44e42ed69d8d28705a1d7eebf904d57cdf461aa91b99a8169b1585c964c649894c8bf788fcbb2ef68a3238f761a76c5d967f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmmmex.exe

Filesize
30KB

MD5
c603c9f2b795f4403a3ef90921b6d442

SHA1
5e2536d059ebc67fa0d7efa719d3060903d90311

SHA256
3bd1db009f00810189e035a5c836cf2d0df24007836ad0a912ed4ea9f1789e53

SHA512
21d22954893bb568aca371c469a715aa96a2a59551ba08638bde92ea90e9c8ab692a7f803f2812c195a1359d2cf6b6a9ac4c7bd3cfb6ab180e8726aa690b2c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngaqiw.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\okmudm.exe

Filesize
5.1MB

MD5
864a350ee062a6fa8d89eb4d42310dbf

SHA1
5fde41853e8f94a1e40f83784e3acd0a1e1730e9

SHA256
0aaafb0b3d84c1b167ae2f0271686edf3d261e34a880ea2d5e9eb1356d948f4e

SHA512
4ce87addde6290e0910bc02ac1d4525b16e19e5194b92e4b2574655d01619e7de250bc88888e403f6f2360d056309476b03f97e667da932c3d2700e7733e1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\okxfff.exe

Filesize
237KB

MD5
6520885628fe337b8665099479cc1d4d

SHA1
09741f5c74b3525c31004c5bd19b0ecab835186d

SHA256
13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4

SHA512
235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqdbif.exe

Filesize
159KB

MD5
aed31f4095c122292a392df17053819a

SHA1
c820c2da165965faddb5e29842e217748f51c3b2

SHA256
80c54c67029154dd9364c7017e3700b9382a49f352d4b813ece3ec3a3498908a

SHA512
180498cc26ed82d2995d94d162ba293cb338b50beec3b0f4148635692eaff64058c78a3ebeec38ca25ea2b603890002346a73961babd9087a726efa30361b378

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyfwjp.exe

Filesize
938KB

MD5
abde72bbbe3a4e9aefac2613cc1fb1d8

SHA1
37e233800c07ae09de6f08b0beae552bb3cab69c

SHA256
d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5

SHA512
64c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrumzp.exe

Filesize
336KB

MD5
30ffa22d936df7a75075352a5a0ee10b

SHA1
253abf846e56b1ba34017f3fd7e3a8848e7690fe

SHA256
6cfda6dae076c43a53a258cf73abc43ab7afc64b40d10708de701cbddcbf3b8d

SHA512
9dbfc99c79270c74d7449f3bd75f49566cd17b4cc76268b179a25ac55a7c152f858592fb904913dea69a96d2fa987e5cccb10c7f22acb7ad10e532745ca87ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\znooyo.exe

Filesize
3.8MB

MD5
a06b3a0a8bcc14b73a6a2b566e6d0cfa

SHA1
b2db8cd4ab404f71914e1a0acc3882b036646e2b

SHA256
df1d3303f29c9b8a7c375ea9117688248834a6929a3092097c144e0cd90c94a5

SHA512
1080ac681008cfaec018428e08bd643efa99f4805c3e788ccb82711135a9d22c6b10ae7b7645d37d7465b5e291207adffe56534c9525887597173a9bb250cd1e

Download Submit
C:\Users\Admin\AppData\Roaming\6.VBS

Filesize
115B

MD5
9e242f8f35222db7713bf96248c7434c

SHA1
a66a0c27eca4aa325bc3dc8d907837180bcbd1b3

SHA256
5d173c4f51d33ea28ce3a5aa715bc7140f7bcc82c4b99fad2a2d3474c476c731

SHA512
4c4383df59bbbe7d5d86bc0f78b44afc68327789f5244f7cdf55f81889b6e74d008d0b94e6dfec66ac8394699919bc75a038b6c9c380fbe83161ad702b830b56

Download Submit
C:\Users\Admin\AppData\Roaming\g.VBS

Filesize
114B

MD5
14371a02afe3ae173b4e225199a312ec

SHA1
3fe8e31a6a5b47c1e4ad8793d448100e1bca9368

SHA256
790196324d796cad8ff1663e035b74af49952db661d519b8b9d0cd1c1e1005c8

SHA512
6d50a6d2d792c50cca154a8d650f216f0ff1c0ec6b5f22025f1767a06b0e3760e796f02a0029fb96568040840c81fcc9c703009c963d30c53b1a033fc924060b

Download Submit
C:\Users\Admin\AppData\Roaming\g.VBS

Filesize
118B

MD5
486f8fc49ee104ec5fc94ac5d059f816

SHA1
9875e165010a7bfc7bedb5c7e9d57bade8cd96c0

SHA256
ec2204907f4e1d4ebc04513b76a78381b2cdb161b69bd32c397d913b770df415

SHA512
0c2170cd96a9e17d0a37d272288a20ee3f44101b7ef62677058b9591541a5bfa731d11b8e9c61b2e4354d1590341479b6750db7a84afa5b9158b1c254441d90d

Download Submit
C:\Users\Admin\AppData\Roaming\ha.mp3

Filesize
141KB

MD5
0e219317ac54406f765cee47cb574ff3

SHA1
6ac9a4994bac9cb6c9d545ffc4085325e13bb197

SHA256
861876a0f3b42cc4f84a2bd10eb99735d37fcf406e21fc642929813d4299a6b1

SHA512
0f773ffab357ae737d0057d687ff742a87a554db4c90954081942002080866d2c61e27cef0204f067383efe715fe15ecd30eabc0660c82ca88c40010207d526a

Download Submit
C:\Users\Admin\AppData\Roaming\na.mp3

Filesize
885KB

MD5
988a540ca51a4b77f5608818a71d498a

SHA1
e7ac93a82687756632e409499d42d2446039aed6

SHA256
a56f12c4baac3e9611c9a9e3c51ab73203248736d2fe2c4ca240ca7a1e32b827

SHA512
349ed22d33e22e8a5957fab3239f0a132f21c52dbc9233caa91621d90621b0e0f71cd71769a49be1752330cfa73250d415ddd30f86fd205143a8e219c705ab1a

Download Submit
C:\Users\Admin\AppData\Roaming\piz.mp3

Filesize
198KB

MD5
71cf668f8ebbceda772022165b460ce3

SHA1
99febb0f4f9f388a4f9aeedd1530b50e0790500c

SHA256
321f25cb7284f1b11bea1dd0286efcce180a2ea15357acca7158d575840c3033

SHA512
bbc77a20f1a0a5355e82a40741ed50cc27fbbe97b4615c9f47644288275710ea288504fb97d14f786192bd6db54ba06ed61a3210a3571d988d026293aeb17a63

Download Submit
memory/1996-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-233-0x0000000000F80000-0x0000000000FAE000-memory.dmp

Filesize
184KB

Download
memory/2244-236-0x0000000005C00000-0x0000000005C0A000-memory.dmp

Filesize
40KB

Download
memory/2244-234-0x0000000005F80000-0x0000000006526000-memory.dmp

Filesize
5.6MB

Download
memory/2244-235-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/2512-20-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/2512-136-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/2512-24-0x000001BF0DE20000-0x000001BF0DE2D000-memory.dmp

Filesize
52KB

Download
memory/2512-23-0x000001BF0DD90000-0x000001BF0DD99000-memory.dmp

Filesize
36KB

Download
memory/2512-25-0x000001BF265F0000-0x000001BF2660E000-memory.dmp

Filesize
120KB

Download
memory/2512-21-0x000001BF0BB70000-0x000001BF0BF34000-memory.dmp

Filesize
3.8MB

Download
memory/2512-26-0x000001BF26610000-0x000001BF2661B000-memory.dmp

Filesize
44KB

Download
memory/2512-22-0x000001BF0DDD0000-0x000001BF0DE16000-memory.dmp

Filesize
280KB

Download
memory/2512-27-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/3000-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3000-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3116-114-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/3116-137-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/3116-107-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/4080-5-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/4080-120-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/4080-1-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/4080-7-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/4080-6-0x00007FFECB8F3000-0x00007FFECB8F5000-memory.dmp

Filesize
8KB

Download
memory/4080-0-0x00007FFECB8F3000-0x00007FFECB8F5000-memory.dmp

Filesize
8KB

Download
memory/4748-370-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/5008-196-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5008-219-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5908-154-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/5908-170-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/6000-155-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/6000-157-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download