Analysis

max time kernel: 564s
max time network: 563s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/03/2025, 21:30

General

Target: хуеглот.exe
Size: 146KB
MD5: e7365a5ab13b26ef263c3655f397473d
SHA1: afa25fa8e260e417c92299232d18c7e563de1162
SHA256: fb5e59fbe17f28e69fc37c591ceb2dc8e4c617fe1c126a203ccbbe7eb82bbc8a
SHA512: 3efb3d82d963f7942bbcef8719f314b9fcb75120a8e8084c84aa4755c88eeb31d6227a0b4b80146cd05cced722a59a0c78d50e5a16f09215e7ab91c4f0e3e4fb
SSDEEP: 3072:aAd2EccyEhjH1TibfRUpFO9KVtnljw7oLF:ag7hjH1Ob59anl0M

Malware Config

Extracted
Family: xworm
C2: 127.0.0.1:62949
C2: pidoras123131-62949.portmap.host:62949
Install_directory: %AppData%
install_file: USB.exe
telegram: https://api.telegram.org/bot7812594920:AAF8LiE_BAgLbrCBoONka4W_igE0Wo_lUEg/sendMessage?chat_id=7101392896
Signatures

Detect Xworm Payload (1 IoC)
  resource  yara_rule
  behavioral1/memory/4080-1-0x0000000000100000-0x000000000012A000-memory.dmp  family_xworm

Ramnit family

Xworm family

Disables RegEdit via registry modification (1 IoC)
  description  ioc  Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  lmmmex.exe

Disables Task Manager via registry modification

Drops startup file (2 IoCs)
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CheacherCheats1.lnk  хуеглот.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CheacherCheats1.lnk  хуеглот.exe

Executes dropped EXE (18 IoCs)
  pid  Process
  2512  znooyo.exe
  3000  ngaqiw.exe
  3116  rrumzp.exe
  5908  vcxpbu.exe
  6000  lmmmex.exe
  5344  hevpac.exe
  5672  pyfwjp.exe
  5008  okxfff.exe
  2244  pqdbif.exe
  2936  okmudm.exe
  1996  bbcdjd.exe
  3444  erroricons.exe
  4336  INVERS.exe
  5832  crazywarningicons.exe
  2512  crazyinvers.exe
  6012  erroriconscursor.exe
  5388  toonel.exe
  4748  abqswa.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description  ioc  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Run\CheacherCheats1 = "C:\\Users\\Admin\\AppData\\Roaming\\CheacherCheats1"  хуеглот.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 64 rows are "File opened (read-only)" on a drive root by WScript.exe; grouped by drive letter with the number of rows each:
  \??\A: ×3, \??\B: ×3, \??\E: ×2, \??\G: ×3, \??\H: ×4, \??\I: ×2, \??\J: ×3, \??\K: ×2, \??\L: ×3, \??\M: ×2, \??\N: ×4, \??\O: ×3, \??\P: ×2, \??\Q: ×2, \??\R: ×3, \??\S: ×3, \??\T: ×3, \??\U: ×2, \??\V: ×2, \??\W: ×2, \??\X: ×4, \??\Y: ×3, \??\Z: ×4
  (C:, D: and F: do not appear among the 64 listed rows.)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  1  discord.com
  12  discord.com

yara_rule upx matches (signature title not captured in this extract; 14 IoCs)
  resource  yara_rule
  behavioral1/files/0x001900000002b11a-72.dat  upx
  behavioral1/memory/3000-78-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/3000-79-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/files/0x001b00000002b121-150.dat  upx
  behavioral1/memory/6000-155-0x0000000000400000-0x000000000040F000-memory.dmp  upx
  behavioral1/memory/6000-157-0x0000000000400000-0x000000000040F000-memory.dmp  upx
  behavioral1/files/0x001a00000002b126-193.dat  upx
  behavioral1/memory/5008-196-0x0000000000400000-0x000000000044D000-memory.dmp  upx
  behavioral1/memory/5008-219-0x0000000000400000-0x000000000044D000-memory.dmp  upx
  behavioral1/files/0x004700000002b12b-264.dat  upx
  behavioral1/memory/1996-271-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral1/memory/1996-339-0x0000000000400000-0x000000000043E000-memory.dmp  upx
  behavioral1/files/0x001b00000002b141-366.dat  upx
  behavioral1/memory/4748-370-0x0000000000400000-0x00000000004F7000-memory.dmp  upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid  pid_target  Process  procid_target
  2752  3000  WerFault.exe  84

System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  All 17 rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by (in report order): vcxpbu.exe, WScript.exe, okmudm.exe, bbcdjd.exe, cmd.exe, WScript.exe, WScript.exe, abqswa.exe, rrumzp.exe, RUNDLL32.EXE, lmmmex.exe, pyfwjp.exe, okxfff.exe, ngaqiw.exe, hevpac.exe, pqdbif.exe, WScript.exe

Modifies registry class (9 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{78FBA138-7A46-45BD-990C-A29F5044FE66}  WScript.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{D1D461EA-F4D7-4D8C-9B72-0D9D600F76F9}  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings  pyfwjp.exe
  Key created  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{B6D40C72-55C7-422C-95A1-24BC294F4E80}  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{5264FFEA-A12D-40E5-82F7-5A01A5E2407C}  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings  cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  4080  хуеглот.exe
  4080  хуеглот.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  4080  хуеглот.exe
  Token: SeDebugPrivilege  4080  хуеглот.exe
  Token: 33  3244  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  3244  AUDIODG.EXE
  Token: SeShutdownPrivilege  1980  WScript.exe
  Token: SeCreatePagefilePrivilege  1980  WScript.exe
  Token: SeShutdownPrivilege  1980  WScript.exe
  Token: SeCreatePagefilePrivilege  1980  WScript.exe
  Token: SeDebugPrivilege  2244  pqdbif.exe
  Token: SeShutdownPrivilege  3088  WScript.exe
  Token: SeCreatePagefilePrivilege  3088  WScript.exe
  Token: SeShutdownPrivilege  3840  WScript.exe
  Token: SeCreatePagefilePrivilege  3840  WScript.exe
  Token: SeShutdownPrivilege  3088  WScript.exe
  Token: SeCreatePagefilePrivilege  3088  WScript.exe
  Token: SeShutdownPrivilege  3840  WScript.exe
  Token: SeCreatePagefilePrivilege  3840  WScript.exe
  Token: SeShutdownPrivilege  4940  WScript.exe
  Token: SeCreatePagefilePrivilege  4940  WScript.exe
  Token: SeShutdownPrivilege  4940  WScript.exe
  Token: SeCreatePagefilePrivilege  4940  WScript.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  Process
  4080  хуеглот.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target  (identical rows)
  PID 4080 wrote to memory of 2512  4080  хуеглот.exe  82  (×2)
  PID 4080 wrote to memory of 3000  4080  хуеглот.exe  84  (×3)
  PID 4080 wrote to memory of 3116  4080  хуеглот.exe  88  (×3)
  PID 4080 wrote to memory of 5908  4080  хуеглот.exe  90  (×3)
  PID 4080 wrote to memory of 6000  4080  хуеглот.exe  91  (×3)
  PID 4080 wrote to memory of 5344  4080  хуеглот.exe  92  (×3)
  PID 4080 wrote to memory of 5672  4080  хуеглот.exe  93  (×3)
  PID 5672 wrote to memory of 2232  5672  pyfwjp.exe  94  (×3)
  PID 2232 wrote to memory of 2100  2232  WScript.exe  96  (×3)
  PID 4080 wrote to memory of 5008  4080  хуеглот.exe  97  (×3)
  PID 5008 wrote to memory of 4488  5008  okxfff.exe  98  (×2)
  PID 4488 wrote to memory of 1980  4488  cmd.exe  102  (×2)
  PID 4080 wrote to memory of 2244  4080  хуеглот.exe  105  (×3)
  PID 4080 wrote to memory of 2936  4080  хуеглот.exe  106  (×3)
  PID 4080 wrote to memory of 1996  4080  хуеглот.exe  107  (×3)
  PID 2936 wrote to memory of 5948  2936  okmudm.exe  108  (×3)
  PID 1996 wrote to memory of 2816  1996  bbcdjd.exe  110  (×2)
  PID 5948 wrote to memory of 3840  5948  cmd.exe  112  (×3)
  PID 2816 wrote to memory of 3088  2816  cmd.exe  113  (×2)
  PID 5948 wrote to memory of 3444  5948  cmd.exe  114  (×3)
  PID 5948 wrote to memory of 4336  5948  cmd.exe  115  (×3)
  PID 5948 wrote to memory of 5832  5948  cmd.exe  116  (×3)
  PID 5948 wrote to memory of 2512  5948  cmd.exe  117  (×3)

System policy modification (1 TTP, 4 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  lmmmex.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"  lmmmex.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"  lmmmex.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton = "1"  lmmmex.exe
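The registry rows above are the ones a responder acts on first: DisableRegistryTools under Policies\System and the three Policies\Explorer values lock the user out of regedit and parts of the shell, and the Run key relaunches the payload at every logon. The following Python is an added example, not code from this report or from the sandbox service: it parses rows in the report's own "Set value (type) \REGISTRY\... = "v" process" layout, flags tool-lockout policy writes and Run-key persistence with their ATT&CK technique IDs, and produces the reg.exe commands that revert them. The sample rows are copied from this report; the lockout policy table and the technique mapping are my own assumptions, as marked in the code.

```python
import re
from dataclasses import dataclass

# Constructed sample: "Set value"/"Key created" rows copied from this report's
# registry signatures (lmmmex.exe policy tampering, the хуеглот.exe Run key, and a
# benign cmd.exe "Local Settings" key that must not be flagged).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lmmmex.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lmmmex.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" lmmmex.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" lmmmex.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton = "1" lmmmex.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Run\CheacherCheats1 = "C:\\Users\\Admin\\AppData\\Roaming\\CheacherCheats1" хуеглот.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings cmd.exe',
]

# Row layout used by the report: <op> [(type)] <NT key path>[ = "<value>"] <process>
EVENT_RE = re.compile(
    r'^(?P<op>Set value|Key created)'
    r'(?: \((?P<type>\w+)\))?'
    r' (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+)$'
)

# Assumption: my own table (not from the report) of policy values that take the
# victim's inspection and recovery tools away, and what each one does.
LOCKOUT_POLICIES = {
    "DisableRegistryTools": "regedit refuses to start",
    "DisableTaskMgr": "Task Manager refuses to start",
    "NoClose": "Shut Down removed from the Start menu",
    "NoViewContextMenu": "Explorer right-click menus disabled",
    "NoShellSearchButton": "Explorer search button removed",
}

HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


@dataclass(frozen=True)
class Finding:
    category: str     # "lockout" or "persistence"
    technique: str    # MITRE ATT&CK technique ID (my mapping)
    process: str
    key: str          # reg.exe-style key path
    value_name: str
    detail: str


def to_reg_path(nt_key):
    """Translate an NT-native key path into the HKLM\\... / HKU\\... form reg.exe accepts."""
    for prefix, hive in HIVES.items():
        if nt_key.upper().startswith(prefix):
            return hive + nt_key[len(prefix):]
    return nt_key


def triage_registry_events(events):
    """Flag tool-lockout policy writes and Run-key persistence in report-format rows."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line.strip())
        if not m or m["op"] != "Set value":
            continue  # key creation alone changes no behaviour; only value writes are flagged
        nt_key, _, value_name = m["path"].rpartition("\\")
        key = to_reg_path(nt_key)
        if "\\Policies\\" in nt_key and value_name in LOCKOUT_POLICIES and m["value"] == "1":
            findings.append(Finding("lockout", "T1562.001", m["process"], key,
                                    value_name, LOCKOUT_POLICIES[value_name]))
        elif nt_key.lower().endswith("\\currentversion\\run"):
            findings.append(Finding("persistence", "T1547.001", m["process"], key,
                                    value_name, f"autostart -> {m['value']}"))
    return findings


def undo_commands(findings):
    """reg.exe commands that delete the flagged values; run from an elevated prompt.

    This reverts only the registry side; the persisted binary and the Startup .lnk
    listed under "Drops startup file" still have to be removed separately.
    """
    return [f'reg delete "{f.key}" /v {f.value_name} /f' for f in findings]


if __name__ == "__main__":
    found = triage_registry_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.technique}] {f.process}: {f.value_name} ({f.detail})")
    print("\n".join(undo_commands(found)))
```

The HKU path keeps the SID from the report, so the generated commands target the same user hive the sample wrote to; on a live host the value under Policies\System can also be delivered by Group Policy, so check gpresult before concluding the value was set by malware.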
Processes

[1] PID 4080  C:\Users\Admin\AppData\Local\Temp\хуеглот.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\хуеглот.exe"
    signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [2] PID 2512  C:\Users\Admin\AppData\Local\Temp\znooyo.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\znooyo.exe"
        signatures: Executes dropped EXE
    [2] PID 3000  C:\Users\Admin\AppData\Local\Temp\ngaqiw.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\ngaqiw.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        [3] PID 2752  C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 320
            signatures: Program crash
    [2] PID 3116  C:\Users\Admin\AppData\Local\Temp\rrumzp.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\rrumzp.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    [2] PID 5908  C:\Users\Admin\AppData\Local\Temp\vcxpbu.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\vcxpbu.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    [2] PID 6000  C:\Users\Admin\AppData\Local\Temp\lmmmex.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\lmmmex.exe"
        signatures: Disables RegEdit via registry modification; Executes dropped EXE; System Location Discovery: System Language Discovery; System policy modification
    [2] PID 5344  C:\Users\Admin\AppData\Local\Temp\hevpac.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\hevpac.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    [2] PID 5672  C:\Users\Admin\AppData\Local\Temp\pyfwjp.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\pyfwjp.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
        [3] PID 2232  C:\Windows\SysWOW64\WScript.exe
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [4] PID 2100  C:\Windows\SysWOW64\RUNDLL32.EXE
                cmdline: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
                signatures: System Location Discovery: System Language Discovery
    [2] PID 5008  C:\Users\Admin\AppData\Local\Temp\okxfff.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\okxfff.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [3] PID 4488  C:\Windows\system32\cmd.exe
            cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B03.tmp\3B04.tmp\3B05.bat C:\Users\Admin\AppData\Local\Temp\okxfff.exe"
            signatures: Modifies registry class; Suspicious use of WriteProcessMemory
            [4] PID 1980  C:\Windows\System32\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"
                signatures: Enumerates connected drives; Modifies registry class; Suspicious use of AdjustPrivilegeToken
    [2] PID 2244  C:\Users\Admin\AppData\Local\Temp\pqdbif.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\pqdbif.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    [2] PID 2936  C:\Users\Admin\AppData\Local\Temp\okmudm.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\okmudm.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [3] PID 5948  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "
            signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
            [4] PID 3840  C:\Windows\SysWOW64\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"
                signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken
            [4] PID 3444  C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
                cmdline: erroricons.exe
                signatures: Executes dropped EXE
            [4] PID 4336  C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
                cmdline: INVERS.exe
                signatures: Executes dropped EXE
            [4] PID 5832  C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
                cmdline: crazywarningicons.exe
                signatures: Executes dropped EXE
            [4] PID 2512  C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
                cmdline: crazyinvers.exe
                signatures: Executes dropped EXE
            [4] PID 6012  C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
                cmdline: erroriconscursor.exe
                signatures: Executes dropped EXE
            [4] PID 5388  C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
                cmdline: toonel.exe
                signatures: Executes dropped EXE
            [4] PID 5884  C:\Windows\SysWOW64\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs"
                signatures: System Location Discovery: System Language Discovery
            [4] PID 5976  C:\Windows\SysWOW64\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs"
                signatures: System Location Discovery: System Language Discovery
    [2] PID 1996  C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [3] PID 2816  C:\Windows\system32\cmd.exe
            cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6143.tmp\6144.tmp\6145.bat C:\Users\Admin\AppData\Local\Temp\bbcdjd.exe"
            signatures: Modifies registry class; Suspicious use of WriteProcessMemory
            [4] PID 3088  C:\Windows\System32\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\g.VBS"
                signatures: Enumerates connected drives; Modifies registry class; Suspicious use of AdjustPrivilegeToken
    [2] PID 4748  C:\Users\Admin\AppData\Local\Temp\abqswa.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\abqswa.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        [3] PID 1824  C:\Windows\system32\cmd.exe
            cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC6A.tmp\FC6B.tmp\FC6C.bat C:\Users\Admin\AppData\Local\Temp\abqswa.exe"
            signatures: Modifies registry class
            [4] PID 4940  C:\Windows\System32\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\g.VBS"
                signatures: Enumerates connected drives; Modifies registry class; Suspicious use of AdjustPrivilegeToken

[1] PID 2160  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CheacherCheats1
    signatures: (none)

[1] PID 3244  C:\Windows\system32\AUDIODG.EXE
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C8
    signatures: Suspicious use of AdjustPrivilegeToken

[1] PID 340  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3000 -ip 3000
    signatures: (none)
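The tree above is the sandbox's rendering; its raw material is the "PID X wrote to memory of Y" rows in the WriteProcessMemory signature, and the tree itself shows why a rebuild must not identify processes by PID alone: PID 2512 is znooyo.exe early in the run and crazyinvers.exe later, once Windows has recycled the number. The following Python is an added example and not the sandbox's own code: it rebuilds parent/child edges from rows in that format, identifies each process by the report's procid_target column rather than its PID, collapses the repeated write events per spawn into a count, and reports any PID that was reused. The embedded rows are a constructed, chronological subset copied from this report; the "root:" node id for the submitted sample is my own convention.

```python
import re
from collections import defaultdict

# One row of the "Suspicious use of WriteProcessMemory" table, as the report prints it:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<name>\S+) (?P<procid>\d+)"
)

# Constructed sample: a chronological subset of this report's rows, keeping the
# repeated events per spawn and the later reuse of PID 2512 by a different process.
SAMPLE_ROWS = """
PID 4080 wrote to memory of 2512 4080 хуеглот.exe 82
PID 4080 wrote to memory of 2512 4080 хуеглот.exe 82
PID 4080 wrote to memory of 3000 4080 хуеглот.exe 84
PID 4080 wrote to memory of 3000 4080 хуеглот.exe 84
PID 4080 wrote to memory of 3000 4080 хуеглот.exe 84
PID 4080 wrote to memory of 5672 4080 хуеглот.exe 93
PID 5672 wrote to memory of 2232 5672 pyfwjp.exe 94
PID 2232 wrote to memory of 2100 2232 WScript.exe 96
PID 4080 wrote to memory of 2936 4080 хуеглот.exe 106
PID 2936 wrote to memory of 5948 2936 okmudm.exe 108
PID 5948 wrote to memory of 3840 5948 cmd.exe 112
PID 5948 wrote to memory of 2512 5948 cmd.exe 117
"""


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_name, target_procid) tuples in report order."""
    return [(int(m["writer"]), int(m["target"]), m["name"], int(m["procid"]))
            for m in ROW_RE.finditer(text)]


def build_tree(rows):
    """Rebuild parent/child edges keyed by procid (unique per process), not by PID.

    Returns (children, names, pids, counts):
      children[node]           -> child nodes in spawn order
      names[node]              -> image name, known only for nodes that later write memory
      pids[node]               -> the PID that node held
      counts[(parent, child)]  -> number of write events behind that edge
    """
    live = {}                      # PID -> node currently holding that PID
    children = defaultdict(list)
    names, pids = {}, {}
    counts = defaultdict(int)
    for writer, target, name, procid in rows:
        # A writer never seen as a target (the submitted sample) gets a synthetic id.
        wnode = live.setdefault(writer, f"root:{writer}")
        pids.setdefault(wnode, writer)
        names[wnode] = name
        if live.get(target) != procid:
            # First write into this procid: a new process now owns the target PID,
            # even if an earlier process with the same PID is already in the tree.
            live[target] = procid
            pids[procid] = target
            children[wnode].append(procid)
        counts[(wnode, procid)] += 1
    return children, names, pids, counts


def reused_pids(pids):
    """PIDs that identify more than one process over the course of the run."""
    by_pid = defaultdict(list)
    for node, pid in pids.items():
        if not isinstance(node, str):
            by_pid[pid].append(node)
    return {pid: nodes for pid, nodes in by_pid.items() if len(nodes) > 1}


def render(children, names, pids, node, depth=0, out=None):
    """Indented one-line-per-process view, in the spirit of the report's process tree."""
    out = [] if out is None else out
    label = names.get(node, "(image not in WPM rows)")
    out.append(f"{'    ' * depth}PID {pids[node]}  {label}  [procid {node}]")
    for child in children.get(node, []):
        render(children, names, pids, child, depth + 1, out)
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    children, names, pids, counts = build_tree(rows)
    print("\n".join(render(children, names, pids, "root:4080")))
    print("reused PIDs:", reused_pids(pids))
```

Images are only recoverable for processes that themselves write memory, because the row names the writer, not the target; joining on the "Executes dropped EXE" table fills in the rest, but that table is keyed by PID and therefore carries the same 2512 ambiguity, which is why the join should go through the spawn order rather than the PID.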
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64KB
MD5: bcdaa031c1dca7719b9b65bbbde072c6
SHA1: 7bb0ba3dfa8201a6c9057f0701398a11d0060db9
SHA256: f4a6a6cabb8c6f7da9883360523f552b72746889710730021463f9cd8ba22c30
SHA512: 9d3169c2ac0820aca310a828b0736b62817e8a6a84c711e7157d7c8f81d84c3c596fb82967010e3641e495a33c7ca08a7dd1250389b4941cfc13fbca1635e228

Filesize: 896KB
MD5: 6035c2db5bf97addefa3d642670f6097
SHA1: c07423b8f4f4a7e25534ee24a9d322d1aff7f8e2
SHA256: 8c52ca22e80b943fd869751ec4c8ab504f3820ff8d4947cc08d1ce18bbf1d452
SHA512: f66f0280bde2905414449f4aee55c283a6eba6a8b967e6035ad42c703ba36734dcb4f627828b96556610c6b2dd3a4719c70e31304048716ce65e92f20d003cda

Filesize: 1024KB
MD5: 9c305568a50a9169234c7a7bbe9c28d2
SHA1: 5478b1c40caa2e81b3c4b37540b412a17e7bc6d7
SHA256: d1904b998bf18be36a96780a7c85a7d2dd9a175afabf6408eef5667179f23e64
SHA512: 7628bb2245edd4a211460c3d28a506227c85ee518f3628d3f14a3f23f302fb33a69e2d9bd9699e891aa1a5bb882a32b31c744c17d2aeb276948d90eead4cbd2d

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 27B
MD5: c7da66cab92e95daf435dc74fa5ca35a
SHA1: 924f2b0ebac4eac12c78b298697400a1b338a4c5
SHA256: 4ab885b4b48037707771cc63658513d3d82a80cf97fbcdf4558e35bc3adc2b92
SHA512: 28737deed8241b3c577cc6a2942287d5be0f9a45f9a902696ab733c78fe2bcd0d47d29d0efec6cca57de656472346170379c7d1ba60a5508c31f883674786787

Filesize: 462B
MD5: 593e1c1aac6eb52f5a45481a32a8a94c
SHA1: d9f9f058a22e2c1708eb46c494b705f102d65996
SHA256: 477a5b41a9daa3035d3a039990fa6cbab15db95da9a6de3c42874331b642b18b
SHA512: fe8c43148cda5cad61bc4749c1384838ffde2599381da69b0b958c10d2f97351696e70124a1d38a121593e658f44b5ea25272a4bf6dd27e1a4cd1646207e0d0d

Filesize: 27B
MD5: f7797a987e496cd654125fe3bac95c14
SHA1: 7cba1d358434ca024a7180b773f9f0f144b918f9
SHA256: 0fea6030305df43e8555f79806142eee57f3df68476ba3de9713c0cdc12d96c0
SHA512: f9aead43b503882eca3b33775e38f287e4c541b17f2338f5324720a7a550f83cba9bc9a5420c32c33192dff076b2fedfe2f9e0963174253b306e6fc3c68926f4

Filesize: 27B
MD5: 2c60615f570b74008863645b6dbf34d5
SHA1: 574b9501e29315dc86cb4627a9ca7d02348af159
SHA256: 788c1b4070e76aa8176da1ce35070c3261c97b47d78a665b2225aec9135e9c42
SHA512: 8d679bd680c04f169eca4630db2561432745529e975fa111d770560f32143b2f069d681353c3e490c99f92cf80eb1cef4b8acc0c337581018362327ea85e2e5d

Filesize: 2.3MB
MD5: 5134f289dbf4abae370e3f36b637b73e
SHA1: c78d3f2d00dc47da0112a74df665c7a84a8e32c3
SHA256: e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2
SHA512: 0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Filesize: 2.3MB
MD5: a44458813e819777013eb3e644d74362
SHA1: 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
SHA256: 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
SHA512: 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Filesize: 1.2MB
MD5: e21bb4749a8b1b6fc26a7bcf57781836
SHA1: 89cb0bd80d691ca650ad01551be3acefa2256ebd
SHA256: 0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
SHA512: b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

Filesize: 3.1MB
MD5: 2e8dd39476399ce5bd98c3e7b0fd79dc
SHA1: 01bc2edd0e97a2db5fd99f83cc64a12633577299
SHA256: 6d63f9fbda65cf5b4a4daa9c7b3433069728df731f2e76b494d224a8602da101
SHA512: 6ca02ee90b8185ea4dad60faa6a8c7b004a62792ca0b8454148cb8e667bc7940aa544cd3b4a22323b332e56abba498c1afceb5db29369601c291540e104065f3

Filesize: 316KB
MD5: 7f31508d95be3fe50e4e9aa646e86a12
SHA1: c61b439d6e17d630728f48c09b36af2647940748
SHA256: 994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
SHA512: 2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Filesize: 316KB
MD5: 135eeb256e92d261066cfd3ffd31fb3e
SHA1: 5c275ffd2ab1359249bae8c91bebcab19a185e91
SHA256: f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d
SHA512: a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Filesize: 37B
MD5: 35fbf9bf29760b9e120b37900b3c1343
SHA1: 8a231c37ee13e72f27a38411668fde6fef3ff5bc
SHA256: e1cdab59df6508013e8b91c71043c8ecfe81b94a037706147ed19adf992539e6
SHA512: d1c12b6690c6b90dda5ad3e226e30adc848b3c324f929dec373ab6c7606fbcab716c49c4446efadf14036583924f8f094491bfe8bef380fd877c00cf9feaacc6

Filesize: 37B
MD5: 63954d8930e517637c254f9da0749e7a
SHA1: 27f6a13c0e9530166d62b4586c3d2bda5cb5064c
SHA256: bffa14678b8c39c2fbfa54b76fbac5f750aebc8dc2954da10a55b7f1f90f351c
SHA512: dd5df6b8a64523fedb5aaced7d864013d12e6930015d8fd2267b11cffe76741c3a7907814a832ff7589476a51d16e8ab0fc566f4ac0784f6a599070080c7008d

Filesize: 216B
MD5: c36c15e1f99e1c0d093b9b089b1073c5
SHA1: 47a237639f83d8de0c2034831ff3e12a3bad7408
SHA256: 3d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736
SHA512: 4283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f

Filesize: 205B
MD5: 47fef7e366f39175f9467a5a33675b40
SHA1: 4a55fdc489cb4b67517e04fe1eadc63dfff7b232
SHA256: 7670d34d64f41ae60bffdd902e4d566b7fdd0c7782738782d5a8dbe59cce2001
SHA512: ea5ee454f8fa4ce2e7519c3b8772a8083586d4c4eefa981410c17d67d0ae8e8e716f8693d331a040d5fd29cb007988af2472a0b36840805098be492f863a4e28

Filesize: 317KB
MD5: a84257e64cfbd9f6c0a574af416bc0d1
SHA1: 245649583806d63abb1b2dc1947feccc8ce4a4bc
SHA256: fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7
SHA512: 6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Filesize: 916KB
MD5: 38dac07c7cf9940a30f9353eb9f304e7
SHA1: b7b15baebeedff91f1f59e23328172a7a476ccf4
SHA256: b98b81756bed76482d9ffc77fc4cf6c514eb1fa6bb5e47a1c80dea1e84a253ed
SHA512: 69d1918c05ebac66e0418acc9d828c136a72e3a6f6f0af941c42dce6a1bd0a82818c4971766996ec84f866295efc73f82bd78ac8b2251c5596f4b884cf875471

Filesize: 177KB
MD5: c30105e387ff2bc741d3f775ca2d5a39
SHA1: 94b458e17a27777491c5d44a05716b27edfb6599
SHA256: e8be5e2c591dffbd046f290cf0ed55ba2d278b266bb62962fbb33f2b23f172fd
SHA512: 90ae93d2d044ca467cb013c3dbcac2757a02e95b0b294459382ebd3524a3099ea1647336ea2193b1e4bb3333d0025d79f12cfa36e5c6773dce79697e9cac2c27

Filesize: 112KB
MD5: 814dee0898024d825f80d9d8372b9582
SHA1: 716c957f9dca55ec4a40ecbbb8e74ccd4a48d475
SHA256: 0815a18bad6ab61f6ffb09fa4222d36ac16589a81db07a3ef79545600202913b
SHA512: be34c108059f647abc6f160cfc44e42ed69d8d28705a1d7eebf904d57cdf461aa91b99a8169b1585c964c649894c8bf788fcbb2ef68a3238f761a76c5d967f82

Filesize: 30KB
MD5: c603c9f2b795f4403a3ef90921b6d442
SHA1: 5e2536d059ebc67fa0d7efa719d3060903d90311
SHA256: 3bd1db009f00810189e035a5c836cf2d0df24007836ad0a912ed4ea9f1789e53
SHA512: 21d22954893bb568aca371c469a715aa96a2a59551ba08638bde92ea90e9c8ab692a7f803f2812c195a1359d2cf6b6a9ac4c7bd3cfb6ab180e8726aa690b2c84

Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Filesize: 5.1MB
MD5: 864a350ee062a6fa8d89eb4d42310dbf
SHA1: 5fde41853e8f94a1e40f83784e3acd0a1e1730e9
SHA256: 0aaafb0b3d84c1b167ae2f0271686edf3d261e34a880ea2d5e9eb1356d948f4e
SHA512: 4ce87addde6290e0910bc02ac1d4525b16e19e5194b92e4b2574655d01619e7de250bc88888e403f6f2360d056309476b03f97e667da932c3d2700e7733e1899

Filesize: 237KB
MD5: 6520885628fe337b8665099479cc1d4d
SHA1: 09741f5c74b3525c31004c5bd19b0ecab835186d
SHA256: 13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4
SHA512: 235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c

Filesize: 159KB
MD5: aed31f4095c122292a392df17053819a
SHA1: c820c2da165965faddb5e29842e217748f51c3b2
SHA256: 80c54c67029154dd9364c7017e3700b9382a49f352d4b813ece3ec3a3498908a
SHA512: 180498cc26ed82d2995d94d162ba293cb338b50beec3b0f4148635692eaff64058c78a3ebeec38ca25ea2b603890002346a73961babd9087a726efa30361b378

Filesize: 938KB
MD5: abde72bbbe3a4e9aefac2613cc1fb1d8
SHA1: 37e233800c07ae09de6f08b0beae552bb3cab69c
SHA256: d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5
SHA512: 64c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595

Filesize: 336KB
MD5: 30ffa22d936df7a75075352a5a0ee10b
SHA1: 253abf846e56b1ba34017f3fd7e3a8848e7690fe
SHA256: 6cfda6dae076c43a53a258cf73abc43ab7afc64b40d10708de701cbddcbf3b8d
SHA512: 9dbfc99c79270c74d7449f3bd75f49566cd17b4cc76268b179a25ac55a7c152f858592fb904913dea69a96d2fa987e5cccb10c7f22acb7ad10e532745ca87ee4

Filesize: 3.8MB
MD5: a06b3a0a8bcc14b73a6a2b566e6d0cfa
SHA1: b2db8cd4ab404f71914e1a0acc3882b036646e2b
SHA256: df1d3303f29c9b8a7c375ea9117688248834a6929a3092097c144e0cd90c94a5
SHA512: 1080ac681008cfaec018428e08bd643efa99f4805c3e788ccb82711135a9d22c6b10ae7b7645d37d7465b5e291207adffe56534c9525887597173a9bb250cd1e

Filesize: 115B
MD5: 9e242f8f35222db7713bf96248c7434c
SHA1: a66a0c27eca4aa325bc3dc8d907837180bcbd1b3
SHA256: 5d173c4f51d33ea28ce3a5aa715bc7140f7bcc82c4b99fad2a2d3474c476c731
SHA512: 4c4383df59bbbe7d5d86bc0f78b44afc68327789f5244f7cdf55f81889b6e74d008d0b94e6dfec66ac8394699919bc75a038b6c9c380fbe83161ad702b830b56

Filesize: 114B
MD5: 14371a02afe3ae173b4e225199a312ec
SHA1: 3fe8e31a6a5b47c1e4ad8793d448100e1bca9368
SHA256: 790196324d796cad8ff1663e035b74af49952db661d519b8b9d0cd1c1e1005c8
SHA512: 6d50a6d2d792c50cca154a8d650f216f0ff1c0ec6b5f22025f1767a06b0e3760e796f02a0029fb96568040840c81fcc9c703009c963d30c53b1a033fc924060b

Filesize: 118B
MD5: 486f8fc49ee104ec5fc94ac5d059f816
SHA1: 9875e165010a7bfc7bedb5c7e9d57bade8cd96c0
SHA256: ec2204907f4e1d4ebc04513b76a78381b2cdb161b69bd32c397d913b770df415
SHA512: 0c2170cd96a9e17d0a37d272288a20ee3f44101b7ef62677058b9591541a5bfa731d11b8e9c61b2e4354d1590341479b6750db7a84afa5b9158b1c254441d90d

Filesize: 141KB
MD5: 0e219317ac54406f765cee47cb574ff3
SHA1: 6ac9a4994bac9cb6c9d545ffc4085325e13bb197
SHA256: 861876a0f3b42cc4f84a2bd10eb99735d37fcf406e21fc642929813d4299a6b1
SHA512: 0f773ffab357ae737d0057d687ff742a87a554db4c90954081942002080866d2c61e27cef0204f067383efe715fe15ecd30eabc0660c82ca88c40010207d526a

Filesize: 885KB
MD5: 988a540ca51a4b77f5608818a71d498a
SHA1: e7ac93a82687756632e409499d42d2446039aed6
SHA256: a56f12c4baac3e9611c9a9e3c51ab73203248736d2fe2c4ca240ca7a1e32b827
SHA512: 349ed22d33e22e8a5957fab3239f0a132f21c52dbc9233caa91621d90621b0e0f71cd71769a49be1752330cfa73250d415ddd30f86fd205143a8e219c705ab1a

Filesize: 198KB
MD5: 71cf668f8ebbceda772022165b460ce3
SHA1: 99febb0f4f9f388a4f9aeedd1530b50e0790500c
SHA256: 321f25cb7284f1b11bea1dd0286efcce180a2ea15357acca7158d575840c3033
SHA512: bbc77a20f1a0a5355e82a40741ed50cc27fbbe97b4615c9f47644288275710ea288504fb97d14f786192bd6db54ba06ed61a3210a3571d988d026293aeb17a63