Analysis

  • max time kernel
    24s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 20:29

Errors

Reason
Machine shutdown

General

  • Target

    TheMalwaredev-s-garbage-main/Install Windows20/installer.exe

  • Size

    24.3MB

  • MD5

    9126205f1460c950981fecec5f7d5950

  • SHA1

    c52f01a0aa92ffec52e23a6130c1ada98e4bb9ff

  • SHA256

    f74e97e2b94d1ff8f1fe3ad9f8c13438c07a72a4a35e39a2d45948a80bbf4053

  • SHA512

    1d5637a8b350295deff1703e9ea4e861d3daba0c63a83cd001df0074e910a92cfa0b46099435b99f1d6c7d0f505b7e294f576bae2526974007f2e8e69239e34a

  • SSDEEP

    786432:58l+gc4HHiVwrdsiVTJ/cGSsMLRjuc5PGpUH:58l+grWgbTJPyLUcZGpA

Malware Config

Signatures

  • UAC bypass 3 TTPs 16 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 19 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\run.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Public\temp\main.bat" "
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\update.vbs"
          4⤵
          PID:2640
        • C:\Windows\SysWOW64\timeout.exe
          timeout 20
          4⤵
          • Delays execution with timeout.exe
          PID:628
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
          4⤵
          • Sets desktop wallpaper using registry
          PID:2364
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          4⤵
          PID:1368
        • C:\Windows\SysWOW64\reg.exe
          Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          4⤵
          PID:2196
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
          4⤵
          PID:2304
        • C:\Windows\SysWOW64\reg.exe
          reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
          4⤵
          • Modifies registry key
          PID:2040
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
          4⤵
          PID:2036
        • C:\Windows\SysWOW64\reg.exe
          reg import virus.reg
          4⤵
          PID:1192
        • C:\Windows\SysWOW64\reg.exe
          reg import here.reg
          4⤵
          • UAC bypass
          PID:836
        • C:\Windows\SysWOW64\reg.exe
          reg import death.reg
          4⤵
          PID:2028
        • C:\Windows\SysWOW64\reg.exe
          reg import no.reg
          4⤵
          • UAC bypass
          PID:2012
        • C:\Windows\SysWOW64\reg.exe
          reg import password.reg
          4⤵
          PID:1856
        • C:\Windows\SysWOW64\reg.exe
          reg import color.reg
          4⤵
          PID:1908
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:2216
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:2156
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:552
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:568
        • C:\Users\Public\temp\mover.exe
          mover.exe
          4⤵
          • Executes dropped EXE
          PID:1468
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:748
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:876
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:1596
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:2164
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          • Executes dropped EXE
          PID:2088
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\80E3.tmp\x.cmd""
            5⤵
            PID:2396
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          • Executes dropped EXE
          PID:1752
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\816F.tmp\x.cmd""
            5⤵
            PID:2884
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          • Executes dropped EXE
          PID:2864
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\8121.tmp\x.cmd""
            5⤵
            PID:2776
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          • Executes dropped EXE
          PID:1528
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\8150.tmp\x.cmd""
            5⤵
            PID:2676
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          • Executes dropped EXE
          PID:2912
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\817F.tmp\x.cmd""
            5⤵
            PID:556
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          • Executes dropped EXE
          PID:2520
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\8180.tmp\x.cmd""
            5⤵
            PID:356
        • C:\Windows\SysWOW64\reg.exe
          reg import im.reg
          4⤵
          PID:2588
        • C:\Windows\SysWOW64\reg.exe
          reg import systemmessage.reg
          4⤵
          • UAC bypass
          PID:2972
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:2560
        • C:\Windows\SysWOW64\reg.exe
          reg import UAC.reg
          4⤵
          • UAC bypass
          PID:1340
        • C:\Windows\SysWOW64\reg.exe
          reg import inkfile.reg
          4⤵
          • Modifies registry class
          PID:1796
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /r /t 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2276
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1772
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\80E3.tmp\x.cmd
    Filesize
    76B
    MD5
    5156c0df260ccc7bc13b73b6de4d9a25
    SHA1
    e6f8b1f6ef658a1f5772b83c898088330184d291
    SHA256
    565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88
    SHA512
    d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39
  • C:\Users\Public\Desktop\Hacking.vbs
    Filesize
    182B
    MD5
    81c5f570e4fb185d0d675c450741f28b
    SHA1
    cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a
    SHA256
    0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376
    SHA512
    2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936
  • C:\Users\Public\temp\1.vbs
    Filesize
    41B
    MD5
    8896267f3335510e6144e7550a713db8
    SHA1
    9dd5a753186af59997b07c058707ad6faa390ffa
    SHA256
    8781a103faaa21cb3053eb21257cf6668f82419248e503a7afd33b8a5509b26b
    SHA512
    696fdcfb7d67dcc97d3309eee1bb1b7dd29f36d29d0dacb4bae2b099b8b73ec50c63915f7045acc105633505d9d366d97aedc9e126af841473ec309c918683b8
  • C:\Users\Public\temp\UAC.reg
    Filesize
    2KB
    MD5
    466d1ca357921fc04f74e66066ea45a0
    SHA1
    a24d0b8c2203b04649fa40d2bf7d9d5c5113ec84
    SHA256
    1b4e45d04ef96b92b7cca062439ccf80e6e2c2172f99d11cc6587d7d76a11976
    SHA512
    ddaf720acc0ef7e4d80750f7babd839f51bfe4596dfe68e1d1acf2736c6badb31cd9f929ec61e64c6e101e5f5b54a37fdcb925e6d3f5ac15f78689da1cadd636
  • C:\Users\Public\temp\color.reg
    Filesize
    362B
    MD5
    d20ff0fc43ce58afd773c66d3caaf48c
    SHA1
    1eaa1f45afc6a5bcc3ced232e9583a0b791326e2
    SHA256
    4eabe39af865548013371e299ce238d14c68587770bb7c4a3f1c3480b2f57727
    SHA512
    6dcabefd5dcc0a0101824db1013bcf2ebfc293985aade65a4b626f31010ffbc9d244e9507fde496d74c9770788c44a5b7511c8819ee23fae55860b82a05d3bec
  • C:\Users\Public\temp\dead.exe
    Filesize
    1.6MB
    MD5
    f2a055b5634373f384692c2daaedf299
    SHA1
    41d6f65378f2360c48bcc6684baddf9c62585086
    SHA256
    926d3b91619e6a5d327f09b6d95d46486777910c9ca4965c6e0917c30b9561d8
    SHA512
    4656d7d8e5e74c3c490a008e8a06b73f05bb971d458d04c8bec55ec3d25afe2644ee70be98b826f7f397b05e6ed7bc02d14ed88661c12d1651a31dde9478f69b
  • C:\Users\Public\temp\death.reg
    Filesize
    1KB
    MD5
    bd6a649075e3eaf9fe3d6569614f4016
    SHA1
    c2facb5fb74a54d955564044cd6e777d79f6698d
    SHA256
    879fd141377eec559c7e54374294fcb5880a5feed559a7b04f450425de7b3e18
    SHA512
    d16fc905cc8c739e47d2d9f8eb2069a1713f729b0e9a86b6eddab1b18d7d62eee27d8384edb5b86e4d4b06fb6a759eaa6768eaa3cd4fefd3c8ea5d1e6094567d
  • C:\Users\Public\temp\dos.vbs
    Filesize
    23B
    MD5
    23873c064655ec26585bb489cab1965c
    SHA1
    575d47d57ddb6ffb5335f5d48f6bd222e17af599
    SHA256
    828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63
    SHA512
    44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348
  • C:\Users\Public\temp\here.reg
    Filesize
    3KB
    MD5
    afedbb9b1c857745f4b93259bb68af47
    SHA1
    e33964e90622b62d645097f88de405a99a95a518
    SHA256
    b44cd8aac57b1b103386b1d014ef0695b6fe5cad198b59f55210900e889bb099
    SHA512
    22634bbd6dc8ced9b655ed6110b318f297173f367836e5962dd9a7d095261bd242fa6a7018065d83deb45089b913e1feee9186dc8fe55cfa0a66b747fd458650
  • C:\Users\Public\temp\im.reg
    Filesize
    272B
    MD5
    e7862fe74b0443aebfdb2d78271dba13
    SHA1
    df9a7e05451fdae88d1b32497d06b2b37edc68a5
    SHA256
    5cbe571b4df6796806e1236519af8411f30e00c155ba4d7d354d97c195ec6af9
    SHA512
    320bff1f377cb7e787a752c7bf3472b4d3de000ad107a0ab32e7f40ef626951cdbe2a2ef135bcd470247bdc39fb447c138754d8a5b3c1bb67b11d64498a348a2
  • C:\Users\Public\temp\inkfile.reg
    Filesize
    2KB
    MD5
    be427a3d883b3a74c41df28362a82e04
    SHA1
    8df9504ece63b98c90c78f63d657a03697b96d52
    SHA256
    fa810840aa6b3b1747cfa0afe48708796d428e7212114b4ce459d65e3e3e67ba
    SHA512
    afcffc62b3894169b70bc49c0ecae82a2c643395714e4dfc69f892059116b52a2d89d570cf20928e6c0a7eada225c963992caa3af217db6d0c18641c31288bcf
  • C:\Users\Public\temp\main.bat
    Filesize
    3KB
    MD5
    5f54a2c61397eb3d4f1bc8e9736fec2a
    SHA1
    5c3ad25b0bff96ad74d2743b15089847d6be2d40
    SHA256
    9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968
    SHA512
    d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f
  • C:\Users\Public\temp\matrix.bat
    Filesize
    113B
    MD5
    284e7e79635ec15370bb7530d20f6b7e
    SHA1
    471f6b7bc91a8c6b51f291c75126a38b082a92ce
    SHA256
    4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235
    SHA512
    3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24
  • C:\Users\Public\temp\mover.exe
    Filesize
    548KB
    MD5
    c1978e4080d1ec7e2edf49d6c9710045
    SHA1
    b6a87a32d80f6edf889e99fb47518e69435321ed
    SHA256
    c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
    SHA512
    2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e
  • C:\Users\Public\temp\no.reg
    Filesize
    2KB
    MD5
    b407fa400d23edf1a710633435228c90
    SHA1
    4acce131047a4e73dcc61fb038d24e27b2217cc9
    SHA256
    2a222c741e76128ffec9ad0576798ce79d89babb43c2b2fb321cbf6567c262a7
    SHA512
    ef7bd2ca4380b99ee7a5f247334d053dd5c60c0d3449d69bb657f2caa7572c8800d438aff7ee428481971d26c576f2dd0b5868128ab365f1400a6ed28a0670aa
  • C:\Users\Public\temp\op.vbs
    Filesize
    16B
    MD5
    b03f8296e9ca8c4e0775aa97046e7b0f
    SHA1
    ad54c88af769649efbf634050050da2a93fb5699
    SHA256
    9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98
    SHA512
    1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d
  • C:\Users\Public\temp\password.reg
    Filesize
    324B
    MD5
    b5d54b3eb5911fea78c8f3b2324f4831
    SHA1
    b5b86aefd16f54eef78927b8beb4e7eb96c580bc
    SHA256
    2a04d7384902f4325784e3577b26e79922c967c9be4cd3614f68014321bf8896
    SHA512
    92eb3b28459e944f6e487ef65b3ea6d8335f22954de4470dd0ca5dbe256a9d699103e3a01a579fe244bf4de7931df7de6d355f08e9209129b296ebc548306e59
  • C:\Users\Public\temp\random.vbs
    Filesize
    70B
    MD5
    2b53c3dc6e4a5163a648f40d033d781f
    SHA1
    c5301bf506ffdeb6c4c3a76912ac308392fd7ab3
    SHA256
    d1ef7d97b3dce60d792a8dd7e8604390e61f63353c5523155e2ab3c63356e267
    SHA512
    554922008e914afe2c254bbc3da600d77d23215fff4f50e74c6fe5554f4c0f23ca2c372cfef2d8d572edc2244e2f68bc5d2244f5a48f454866ed4ab172693cb4
  • C:\Users\Public\temp\res.exe
    Filesize
    6.6MB
    MD5
    776dd00ae50da7caffb62266523e4e2c
    SHA1
    f1b8a51d907cedc1dde94447b7762fa3d8f1985b
    SHA256
    5cbba3a61797133ca5887c37e3692403d144a7d2b590c9c59d3ac048ea106093
    SHA512
    969c68fa162aa24464bf279fc81bca2e8288afbd394b2825d64f01e90de786b60f6531635eead8a4444c895d4067ebe2ebcf33d4699df5131f7c6d54adeabd71
  • C:\Users\Public\temp\run.vbs
    Filesize
    56B
    MD5
    362843e8fcf8e162e48abd29903e1246
    SHA1
    4621eac5ff7725d92a591565aa5af49bfcc41123
    SHA256
    243615ac3ba7603b2693224de5b0dd60e06d40f6ee8684df5b31ba921219bf9e
    SHA512
    e77afbefa77003cd11aca77043b97b67bdfff0dad6733298bcec86502558004621579e1c32becf2f81ddb06664e3878bd1d9bccee5ef4b5c7c0c791d54c11d09
  • C:\Users\Public\temp\systemmessage.reg
    Filesize
    3KB
    MD5
    7a82011ff8c254ea97e49cd6cea313e6
    SHA1
    ef46f610cc7f82866c7ccd14ae0f4e89eea2b568

                                                        SHA256

                                                        5b8e55e319108b9cfe305cc818b063fb39a3b832c55be01f6e7de77f2d2f1b60

                                                        SHA512

                                                        1063e84b30ac06b9600cff1c7eb56972ed9ce5d1200517439261c2955001e0907e45bcc8b14e500450377d355c71b656a711e8c7b3812a6aee77fe2f5656cd85

                                                      • C:\Users\Public\temp\update.vbs

                                                        Filesize

                                                        137B

                                                        MD5

                                                        75f0b9500755a92762ae7e92770ee671

                                                        SHA1

                                                        6162edc92ce09dae4ec438378f0a24a50eca4e17

                                                        SHA256

                                                        4e6280573d50f767191c41a3f5cf465b27bc0bdaff9132873c99236634ae5e04

                                                        SHA512

                                                        25016f615ca12005fa85b2761a21ed1f1bf6211bdc44983c6b26088cef487e3da52cdc124a64019f95b214de3cbe410e37b2f037298e3eccbc2fb3e4361be145

                                                      • C:\Users\Public\temp\virus.reg

                                                        Filesize

                                                        2KB

                                                        MD5

                                                        4af82811a5a2b8cb619c83e4b61d7d78

                                                        SHA1

                                                        f353e56635c6493864f740502042f4f0fcff5cee

                                                        SHA256

                                                        bf2befa4e44b28bca76ec7b76f2386910f7edd659ee95022b864d4ebf411e037

                                                        SHA512

                                                        8a5ee1b0ab26189d9b5bd2b4208829733a9892aacf3461b3a9bec80f234a5dcf01b836f86c73f2a799fb3194a63c4cc1ca410efe734a626aed74424a22f3df60

                                                      • C:\Users\Public\temp\wii.vbs

                                                        Filesize

                                                        37B

                                                        MD5

                                                        ac910281f16a464b6257102b715ffafc

                                                        SHA1

                                                        590add7ed48a1d5fa78093812ef88f9d0dfbb7c5

                                                        SHA256

                                                        afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e

                                                        SHA512

                                                        a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad

                                                      • C:\Users\Public\temp\x.exe

                                                        MD5

                                                        d41d8cd98f00b204e9800998ecf8427e

                                                        SHA1

                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                        SHA256

                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                        SHA512

                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                      • C:\Windows\Web\you cant escape.exe

                                                        Filesize

                                                        6.9MB

                                                        MD5

                                                        a4035661f9ec4f866ef34e9c9af987b2

                                                        SHA1

                                                        5012570f90766ff783400fa9b3a7bd83c3167313

                                                        SHA256

                                                        e4678b1c602e58d89c4847d5a2492f8f8802221724ab54d755b10e8757f0cfc9

                                                        SHA512

                                                        c9cd7253974f631f81818f82b1af948f1746ced6d0d5c7d5dec7ceb7b7d255358f0744b37150a7caaea09ec22f67bb9c53ff0044d4634f5c781dbbd0da36230f

                                                      • \Users\Public\temp\x.exe

                                                        Filesize

                                                        22KB

                                                        MD5

                                                        9d0cbe0006b8e6760679bf893c5d848f

                                                        SHA1

                                                        a85c9378a962f1f3454ec34ce596dea318031618

                                                        SHA256

                                                        41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c

                                                        SHA512

                                                        13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2

                                                      • memory/1468-309-0x0000000140000000-0x0000000140126000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/1468-186-0x0000000140000000-0x0000000140126000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/1528-305-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/1752-306-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/1772-302-0x0000000002E10000-0x0000000002E11000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/1876-310-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/2088-229-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2088-308-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2152-226-0x00000000022D0000-0x00000000022E0000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2152-227-0x00000000022D0000-0x00000000022E0000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2152-225-0x00000000022D0000-0x00000000022E0000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2152-184-0x0000000002ED0000-0x0000000002FF6000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/2152-228-0x00000000022D0000-0x00000000022E0000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2152-224-0x00000000022D0000-0x00000000022E0000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2152-232-0x00000000022D0000-0x00000000022E0000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2520-304-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2864-307-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/2912-303-0x0000000000400000-0x0000000000410000-memory.dmp

                                                        Filesize

                                                        64KB