Analysis

  • max time kernel
    150s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 20:26

General

  • Target

    TrashMalwares-main/Dro trojan. Virus prank.exe

  • Size

    1.8MB

  • MD5

    af483a4c67d358dd807194ef89484f1e

  • SHA1

    4aefb5884e289fb85af3f5a5bec344b738073603

  • SHA256

    480ca2097e13abb1444b69b0d984961702f8ee8122fc0f0acc5bff217d253854

  • SHA512

    e5739841097828a7789e7a3317a0efa1ce4c109490df1d1ce62e559fa555affc7aee69d389bb50d5dbb4bf5d1d87d94a22cf4a5b9a0e3d7da3b48813c1c75917

  • SSDEEP

    49152:ysNjxEmz1dG6HOMlDTsBQL/difgzGSe5Wa6IQ:yYymicDT2C/EfyuUl

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (6 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 28 IoCs)
  • Runs regedit.exe (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe
    "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Local\Temp\START.exe
      "C:\Users\Admin\AppData\Local\Temp\START.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZbDz.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
            5⤵
            PID:2920
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM Taskmgr.exe /F
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM Taskmgr.exe /F
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM Taskmgr.exe /F
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1456
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM Taskmgr.exe /F
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM Taskmgr.exe /F
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
            5⤵
            PID:548
      • C:\Users\Admin\AppData\Local\Temp\Killer.exe
        "C:\Users\Admin\AppData\Local\Temp\Killer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:840
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Collapse_all.js"
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2320
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHK.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\SHK.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
            Shaking_horizontally.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2292
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            5⤵
            • Delays execution with timeout.exe
            PID:324
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM Shaking_horizontally.exe /F
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:596
      • C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
        "C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:448
        • C:\Windows\SysWOW64\calc.exe
          "C:\Windows\System32\calc.exe"
          4⤵
          PID:1156
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe"
          4⤵
          PID:1328
        • C:\Windows\SysWOW64\control.exe
          "C:\Windows\System32\control.exe"
          4⤵
          PID:2192
        • C:\Windows\SysWOW64\calc.exe
          "C:\Windows\System32\calc.exe"
          4⤵
          PID:1592
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe"
          4⤵
          PID:2712
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://neave.tv/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2576
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2804
        • C:\Windows\SysWOW64\regedit.exe
          "C:\Windows\System32\regedit.exe"
          4⤵
          • Runs regedit.exe
          PID:2416
      • C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
        "C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:620
      • C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
        "C:\Users\Admin\AppData\Local\Temp\Error_icons.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:664
      • C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
        "C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3000
      • C:\Users\Admin\AppData\Local\Temp\New_Names.exe
        "C:\Users\Admin\AppData\Local\Temp\New_Names.exe"
        3⤵
        • Executes dropped EXE
        PID:2832
      • C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
        "C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2716
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    PID:584

Network

MITRE ATT&CK Enterprise v15


Downloads
