Analysis

  • max time kernel
    69s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 23:32

Errors

Reason
Machine shutdown

General

  • Target

    Trojan/2repair.exe

  • Size

    10.2MB

  • MD5

    795d891f34890796120931c1b74318a4

  • SHA1

    9a698435df1e850479f66b08dd8ee84e7473b0eb

  • SHA256

    327e9f126a7d897239ddafc8adbae981e6a4c00d4d3383846ceb8d2befefef04

  • SHA512

    77234732395eac75687aeff81d40fc3e7b1f1d7e14b4df9f786f0aa7cc2bee04d5614dbd6cdd04fd310ea455c2747cd2c0a598143a886807e690c2cc01b06aa0

  • SSDEEP

    196608:LgOzUNRd/74b/Mqe9NPnjRs6j+2ufWvi2DuFg3k7bwanYP9UX5hT84jWR/B:CRd83Klji52RhwPA92584jmB

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 3 IoCs)
  • Disables RegEdit via registry modification (1 IoCs)
  • ACProtect 1.3x - 1.4x DLL software (1 IoCs)

    Detects file using ACProtect software.

  • Executes dropped EXE (37 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification (2 TTPs, 3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (10 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (4 IoCs)
  • Delays execution with timeout.exe (3 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 5 IoCs)
  • Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Runs net.exe
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (28 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (29 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 4 IoCs)
  • Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan\2repair.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan\2repair.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2CDA.tmp\2CDB.tmp\2CDC.bat C:\Users\Admin\AppData\Local\Temp\Trojan\2repair.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\system32\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:2676
      • C:\Users\Admin\AppData\Local\Temp\Trojan\FreeMicrosoft.exe
        FreeMicrosoft.exe
        3⤵
        • Writes to the Master Boot Record (MBR)
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2572
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        Melting.exe
        3⤵
        • Executes dropped EXE
        PID:2452
      • C:\Users\Admin\AppData\Local\Temp\Trojan\AntivirusPlatinum.exe
        AntivirusPlatinum.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\WINDOWS\302746537.exe
          "C:\WINDOWS\302746537.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\44EC.tmp\302746537.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 /s c:\windows\comctl32.ocx
              6⤵
              • Modifies registry class
              PID:2712
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 /s c:\windows\mscomctl.ocx
              6⤵
              • Modifies registry class
              PID:2708
            • \??\c:\windows\antivirus-platinum.exe
              c:\windows\antivirus-platinum.exe
              6⤵
              • Windows security bypass
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Windows security modification
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:2624
            • C:\Windows\SysWOW64\attrib.exe
              attrib +h c:\windows\antivirus-platinum.exe
              6⤵
              • Drops file in Windows directory
              • Views/modifies file attributes
              PID:2792
      • C:\Windows\system32\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:2696
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Antivirus.exe
        Antivirus.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:348
        • C:\Windows\SysWOW64\net.exe
          net stop wscsvc
          4⤵
          PID:2192
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop wscsvc
            5⤵
            PID:2964
        • C:\Windows\SysWOW64\net.exe
          net stop winmgmt /y
          4⤵
          PID:2384
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop winmgmt /y
            5⤵
            PID:2796
        • C:\Windows\SysWOW64\net.exe
          net start winmgmt
          4⤵
          PID:3004
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start winmgmt
            5⤵
            PID:2000
        • C:\Windows\SysWOW64\net.exe
          net start wscsvc
          4⤵
          PID:1712
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start wscsvc
            5⤵
            PID:1356
        • C:\Windows\SysWOW64\Wbem\mofcomp.exe
          mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
          4⤵
          PID:2056
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2248
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1032
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1656
      • C:\Windows\system32\taskkill.exe
        taskkill /IM lsass.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2220
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1400
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Badgame.exe
        Badgame.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1360
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1444
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1500
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Hydra.exe
        Hydra.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1328
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1772
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2276
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2124
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2096
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2052
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2320
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2424
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        Melting.exe
        3⤵
        • Executes dropped EXE
        PID:2428
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2780
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        Melting.exe
        3⤵
        • Executes dropped EXE
        PID:1996
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2672
      • C:\Users\Admin\AppData\Local\Temp\Trojan\SGen.exe
        SGen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2832
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\SFC4E30.tmp.vbs"
          4⤵
          PID:2088
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1548
      • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        runaway.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1012
      • C:\Windows\system32\timeout.exe
        timeout /t 10
        3⤵
        • Delays execution with timeout.exe
        PID:996
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        Melting.exe
        3⤵
        • Executes dropped EXE
        PID:2500
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        Melting.exe
        3⤵
        • Executes dropped EXE
        PID:2464
      • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        Melting.exe
        3⤵
        • Executes dropped EXE
        PID:2892
      • C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe
        PCOptimizerProInstaller.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1640
      • C:\Users\Admin\AppData\Local\Temp\Trojan\VirusCan.exe
        VirusCan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1944
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\75CC.tmp\VirusCan.bat""
          4⤵
          PID:1768
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:268
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:864
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:772
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:584
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:2116
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:688
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:1048
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:808
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:1088
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:812
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:920
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe
            5⤵
            PID:320
      • C:\Users\Admin\AppData\Local\Temp\Trojan\matrix.exe
        matrix.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2524
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75BC.tmp\75BD.tmp\75BE.bat C:\Users\Admin\AppData\Local\Temp\Trojan\matrix.exe"
          4⤵
          PID:2012
      • C:\Users\Admin\AppData\Local\Temp\Trojan\bomb.exe
        bomb.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2692
      • C:\Users\Admin\AppData\Local\Temp\Trojan\ChilledWindows.exe
        ChilledWindows.exe
        3⤵
        • Executes dropped EXE
        PID:2708
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2708 -s 656
          4⤵
          PID:1812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2CDA.tmp\2CDB.tmp\2CDC.bat
    Filesize
    853B
    MD5
    9eed2c0c3293d9424e3edacf3b36615d
    SHA1
    1d7743263a25661055549dd913ec5c654fa99ffd
    SHA256
    9780bbabc18e0a4cf00c87ffe12c36804fd1180c7e62ceb3f244820224dd15b2
    SHA512
    cedcd3b4ea56f4495e5f0baf20795c1296130f65d5512b4a7adabd1cfc46c2af0f94e5678a74b9fc181371d2e34239bc1d833f908e599f7389ee53cd55a8b746

  • C:\Users\Admin\AppData\Local\Temp\44EC.tmp\302746537.bat
    Filesize
    348B
    MD5
    7d8beb22dfcfacbbc2609f88a41c1458
    SHA1
    52ec2b10489736b963d39a9f84b66bafbf15685f
    SHA256
    4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2
    SHA512
    a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

  • C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
    Filesize
    443B
    MD5
    7fad92afda308dca8acfc6ff45c80c24
    SHA1
    a7fa35e7f90f772fc943c2e940737a48b654c295
    SHA256
    76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
    SHA512
    49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

  • C:\Users\Admin\AppData\Local\Temp\75CC.tmp\VirusCan.bat
    Filesize
    82B
    MD5
    55dcde25c122c782757989a3c275fea2
    SHA1
    a669581a58e6aa602cbdaf690e3e365fa4de570f
    SHA256
    3aad2d3f7f3c5ef2676e33cc3be636f1929cf106707e88068ed8eee1ecfcb916
    SHA512
    b9cd00ffc8e42d2cd1f37a3312655c12423c8fb145910ee2ac8abf0d06b5942b5754fdd60d6b94a125c3bf3a1e7818eded0bfe662dc3992dac10d9df3fcaa5f2

  • C:\Users\Admin\AppData\Local\Temp\Trojan\Antivirus.exe
    Filesize
    2.0MB
    MD5
    c7e9746b1b039b8bd1106bca3038c38f
    SHA1
    cb93ac887876bafe39c5f9aa64970d5e747fb191
    SHA256
    b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
    SHA512
    cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

  • C:\Users\Admin\AppData\Local\Temp\Trojan\AntivirusPlatinum.exe
    Filesize
    739KB
    MD5
    382430dd7eae8945921b7feab37ed36b
    SHA1
    c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
    SHA256
    70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
    SHA512
    26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

  • C:\Users\Admin\AppData\Local\Temp\Trojan\Badgame.exe
    Filesize
    61KB
    MD5
    ebfbd478a8cfc0fb645b8559973690cb
    SHA1
    88ec8dff51b53beed128582bcaf86ea81f684a0f
    SHA256
    62c99ea25fea9d3e5917114ada0406a333b1506697bd2bc28e9d676655232a59
    SHA512
    30c5dbaf97d3b43edca2e0c9f98fe3e45a2b508880021ce624145549b295c46f4468118c2f5051be402d4eeb3d9791a5eb27f1cc242b3a639b8318be49315f82

  • C:\Users\Admin\AppData\Local\Temp\Trojan\ChilledWindows.exe
    Filesize
    798KB
    MD5
    7a0dde676273569966f442d203b25b31
    SHA1
    96443c3966ce6d5cd332d8257be8fc3e9306c319
    SHA256
    3c5aa7cf099b14996bba31ccd20be58c88c5c7a79fc6af43b081edef70da2803
    SHA512
    bb999f7aa09120e326d66553a7c5278b7d6399b560fb255e2cb05e6d566f2c202d425c93cfa68604fa7f7098adcd177e5703a8ea683449810ac476eb2a3cd9cd

  • C:\Users\Admin\AppData\Local\Temp\Trojan\ChilledWindows.exe
    Filesize
    624KB
    MD5
    ed6850b4fd4bbe49853aa0c8d11c559f
    SHA1
    bcb56054ff868be782b182d464287c59ae6817e8
    SHA256
    53e4dea75cb5f625b174b47562a1739c309b9e883ca3b5c3f0273abb7acf682b
    SHA512
    b822d6f05936d00a1fa21780aaa111355e197ddb01f1a31b3e0c01f55ae0da3e4965b26f5cdca08b0b577086299d949a467d13039e119344c766f44f796190db

  • C:\Users\Admin\AppData\Local\Temp\Trojan\Hydra.exe
    Filesize
    43KB
    MD5
    b2eca909a91e1946457a0b36eaf90930
    SHA1
    3200c4e4d0d4ece2b2aadb6939be59b91954bcfa
    SHA256
    0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c
    SHA512
    607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

  • C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
    Filesize
    12KB
    MD5
    833619a4c9e8c808f092bf477af62618
    SHA1
    b4a0efa26f790e991cb17542c8e6aeb5030d1ebf
    SHA256
    92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76
    SHA512
    4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

  • C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe
    Filesize
    652KB
    MD5
    714a82f547c2cf783201c7ab20edbc32

                                                      SHA1

                                                      959a295c7d5818638c6bd452fd9b8e0b5c21602b

                                                      SHA256

                                                      48264ea35fdb5b00e32f675465104f73e87c4ff81f7857ce13ff39bb6ff1e650

                                                      SHA512

                                                      19f6471cb17cd8110ae2c160855620ae0016e7d7578de9c6418793b831692118222d7c5680bef820d11f617601efd67e0014c7d7172c9df8dd466821e397e77e

                                                    • C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe

                                                      Filesize

                                                      374KB

                                                      MD5

                                                      82e0e9f8e0576837610117e6f705bc5c

                                                      SHA1

                                                      8e2dd01c4ab2ae1e9068b4578b78a2dedb859652

                                                      SHA256

                                                      96f9af12f79ae73912bc483fa032bd928674799937e655423018410f5e3124f0

                                                      SHA512

                                                      8df710ddeb284693371fc1ce38242ce493d5036db50027bf56b377b45f8cb928bc186ea3e4c1bb02265a76467b9bdad2aad440d73394882e9587f7d45517c185

                                                    • C:\Users\Admin\AppData\Local\Temp\Trojan\SGen.exe

                                                      Filesize

                                                      16KB

                                                      MD5

                                                      3e20f1b0a3bb4c8608844e47d92d2121

                                                      SHA1

                                                      e2f84e46d4e63cbd091feeca686814752519596e

                                                      SHA256

                                                      a23284c86e2b640fce315419157db159355efa61f0ed1b70e716584aa77b6793

                                                      SHA512

                                                      1047304be5dcca4b71fed0c76db3bd4c42fcd2b163b6d93dc27be16fe90579d6a8c40655e76132b398ad430dadf7238267342adc2206025c9a77998c4214dd6b

                                                    • C:\Users\Admin\AppData\Local\Temp\Trojan\VirusCan.exe

                                                      Filesize

                                                      25KB

                                                      MD5

                                                      8edb51ed1d3241c4f026bb0d5de20f89

                                                      SHA1

                                                      9453b850f98062c0b3955a58c295a662be605efb

                                                      SHA256

                                                      c26fc73c59765b9f8df9cf66f6bb81ce099097804a9f0bd4660f3f80e0639f47

                                                      SHA512

                                                      0217f034da40cbe924ee8e73b024a3c5d86de1b7b12881d1b2909da2aba39661526b712acf9b390d000940ffbf3746e65a5687b7782635c24e844b36560c59f2

                                                    • C:\Users\Admin\AppData\Local\Temp\Trojan\bomb.exe

                                                      Filesize

                                                      96KB

                                                      MD5

                                                      05ad3f85b73e5ff86504f8dcc55b5d42

                                                      SHA1

                                                      927d4554328cc6d767a566c3c6cb54c16d58857a

                                                      SHA256

                                                      124cf5ca90e7aaede685fe0cda72b6a63b80583d2d5ec04d5baeb4a1851c48af

                                                      SHA512

                                                      6fda7808e0b96caf3a1ff35734fec63f1e78cca6ae0abaa54fd5dd7bca6299a587b8f2c455b9385d7cf9b9cd9b74edbab1e37d8f98e8777059b3c3e2964feb18

                                                    • C:\Users\Admin\AppData\Local\Temp\Trojan\matrix.exe

                                                      Filesize

                                                      121KB

                                                      MD5

                                                      83726a8767faba50ea1b5f31afef5938

                                                      SHA1

                                                      70165dcc633f3390d98ae08c731113b007069737

                                                      SHA256

                                                      e2636cb5e2b2ff10b27e3050e88801620494654017751d41e5a0725a5ce3b6c4

                                                      SHA512

                                                      e190e655c4df6ed6b79a8bff97c56a8c736753ce86f181f1fb15a4c57914bec0f1b1a3c8736e49a715191f2e6637a67be2a58354187365894c5d846518d7e301

                                                    • C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe

                                                      Filesize

                                                      8KB

                                                      MD5

                                                      979b597855746aee2f30ee74f9d7c163

                                                      SHA1

                                                      56dd0b4bbc5ddcc3fab99ea2e8f781d8b7c7c05f

                                                      SHA256

                                                      dc6ee4edbbbe1116a200b928f2b62dbc55594a9f79152bbb0076161a58546c11

                                                      SHA512

                                                      6b7411b23fa0be275070bb08edb0293f7c5c00fffb7746afe0b4368e0a45e4c2743d3ef86417a610021577f70253bb0ca1c5d3398ac93d22d6672d2b16e0ec4e

                                                    • C:\Windows\302746537.exe

                                                      Filesize

                                                      22KB

                                                      MD5

                                                      8703ff2e53c6fd3bc91294ef9204baca

                                                      SHA1

                                                      3dbb8f7f5dfe6b235486ab867a2844b1c2143733

                                                      SHA256

                                                      3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

                                                      SHA512

                                                      d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

                                                    • C:\Windows\antivirus-platinum.exe

                                                      Filesize

                                                      9KB

                                                      MD5

                                                      cd1800322ccfc425014a8394b01a4b3d

                                                      SHA1

                                                      171073975effde1c712dfd86309457fd457aed33

                                                      SHA256

                                                      8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0

                                                      SHA512

                                                      92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

                                                    • \??\c:\windows\comctl32.ocx

                                                      Filesize

                                                      595KB

                                                      MD5

                                                      821511549e2aaf29889c7b812674d59b

                                                      SHA1

                                                      3b2fd80f634a3d62277e0508bedca9aae0c5a0d6

                                                      SHA256

                                                      f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4

                                                      SHA512

                                                      8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

                                                    • \??\c:\windows\mscomctl.ocx

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      714cf24fc19a20ae0dc701b48ded2cf6

                                                      SHA1

                                                      d904d2fa7639c38ffb6e69f1ef779ca1001b8c18

                                                      SHA256

                                                      09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712

                                                      SHA512

                                                      d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

                                                    • \Users\Admin\AppData\Local\Temp\nso73F9.tmp\GetVersion.dll

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      dc9562578490df8bc464071f125bfc19

                                                      SHA1

                                                      56301a36ae4e3f92883f89f86b5d04da1e52770d

                                                      SHA256

                                                      0351fe33a6eb13417437c1baaee248442fb1ecc2c65940c9996bcda574677c3f

                                                      SHA512

                                                      9242f8e8ece707874ef61680cbfcba7fc810ec3a03d2cb2e803da59cc9c82badd71be0e76275574bc0c44cdfcef9b6db4e917ca8eb5391c5ae4b37e226b0c321

                                                    • \Users\Admin\AppData\Local\Temp\nso73F9.tmp\LangDLL.dll

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      de3558ce305e32f742ff25b697407fec

                                                      SHA1

                                                      d55c50c546001421647f2e91780c324dbb8d6ebb

                                                      SHA256

                                                      98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a

                                                      SHA512

                                                      7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac
