Analysis

  • max time kernel
    25s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 20:29

Errors

Reason
Machine shutdown

General

  • Target
    TheMalwaredev-s-garbage-main/Install Windows20/installer.exe
  • Size
    24.3MB
  • MD5
    9126205f1460c950981fecec5f7d5950
  • SHA1
    c52f01a0aa92ffec52e23a6130c1ada98e4bb9ff
  • SHA256
    f74e97e2b94d1ff8f1fe3ad9f8c13438c07a72a4a35e39a2d45948a80bbf4053
  • SHA512
    1d5637a8b350295deff1703e9ea4e861d3daba0c63a83cd001df0074e910a92cfa0b46099435b99f1d6c7d0f505b7e294f576bae2526974007f2e8e69239e34a
  • SSDEEP
    786432:58l+gc4HHiVwrdsiVTJ/cGSsMLRjuc5PGpUH:58l+grWgbTJPyLUcZGpA

Malware Config

Signatures

  • UAC bypass (3 TTPs, 8 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • UPX packed file (8 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Windows directory (10 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (1 IoC)
  • Modifies registry class (2 IoCs)
  • Modifies registry key (1 TTP, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\run.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\temp\main.bat" "
        3⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2440
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\update.vbs"
          4⤵
          PID:1588
        • C:\Windows\SysWOW64\timeout.exe
          timeout 20
          4⤵
          • Delays execution with timeout.exe
          PID:2832
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
          4⤵
          • Sets desktop wallpaper using registry
          PID:3472
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          4⤵
          PID:2764
        • C:\Windows\SysWOW64\reg.exe
          Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          4⤵
          PID:4964
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
          4⤵
          PID:2496
        • C:\Windows\SysWOW64\reg.exe
          reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
          4⤵
          • Modifies registry key
          PID:4704
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
          4⤵
          PID:2956
        • C:\Windows\SysWOW64\reg.exe
          reg import virus.reg
          4⤵
          PID:4480
        • C:\Windows\SysWOW64\reg.exe
          reg import here.reg
          4⤵
          • UAC bypass
          PID:1940
        • C:\Windows\SysWOW64\reg.exe
          reg import death.reg
          4⤵
          PID:3784
        • C:\Windows\SysWOW64\reg.exe
          reg import no.reg
          4⤵
          • UAC bypass
          PID:4828
        • C:\Windows\SysWOW64\reg.exe
          reg import password.reg
          4⤵
          PID:2632
        • C:\Windows\SysWOW64\reg.exe
          reg import color.reg
          4⤵
          PID:844
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:8
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:1624
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:388
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:1632
        • C:\Users\Public\temp\mover.exe
          mover.exe
          4⤵
          PID:1560
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:4608
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:1552
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:4004
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
          4⤵
          PID:2716
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          PID:5036
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B4.tmp\x.cmd""
            5⤵
            PID:4264
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          PID:2648
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B3.tmp\x.cmd""
            5⤵
            PID:4176
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          PID:2324
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B2.tmp\x.cmd""
            5⤵
            PID:3572
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          PID:1732
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B1.tmp\x.cmd""
            5⤵
            PID:3508
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          PID:1380
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B0.tmp\x.cmd""
            5⤵
            PID:3836
        • C:\Users\Public\temp\x.exe
          x.exe
          4⤵
          PID:3684
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6BF.tmp\x.cmd""
            5⤵
            PID:4260
        • C:\Windows\SysWOW64\reg.exe
          reg import im.reg
          4⤵
          PID:3492
        • C:\Windows\SysWOW64\reg.exe
          reg import systemmessage.reg
          4⤵
          PID:1836
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:3840
        • C:\Windows\SysWOW64\reg.exe
          reg import UAC.reg
          4⤵
          PID:1236
        • C:\Windows\SysWOW64\reg.exe
          reg import inkfile.reg
          4⤵
          PID:4860
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /r /t 0
          4⤵
          PID:540
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3948855 /state1:0x41c64e6d
    1⤵
    PID:3712

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\A6B2.tmp\x.cmd
    Filesize
    76B
    MD5
    5156c0df260ccc7bc13b73b6de4d9a25
    SHA1
    e6f8b1f6ef658a1f5772b83c898088330184d291
    SHA256
    565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88
    SHA512
    d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39
  • C:\Users\Public\Desktop\lol.vbs
    Filesize
    70B
    MD5
    2b53c3dc6e4a5163a648f40d033d781f
    SHA1
    c5301bf506ffdeb6c4c3a76912ac308392fd7ab3
    SHA256
    d1ef7d97b3dce60d792a8dd7e8604390e61f63353c5523155e2ab3c63356e267
    SHA512
    554922008e914afe2c254bbc3da600d77d23215fff4f50e74c6fe5554f4c0f23ca2c372cfef2d8d572edc2244e2f68bc5d2244f5a48f454866ed4ab172693cb4
  • C:\Users\Public\temp\1.vbs
    Filesize
    41B
    MD5
    8896267f3335510e6144e7550a713db8
    SHA1
    9dd5a753186af59997b07c058707ad6faa390ffa
    SHA256
    8781a103faaa21cb3053eb21257cf6668f82419248e503a7afd33b8a5509b26b
    SHA512
    696fdcfb7d67dcc97d3309eee1bb1b7dd29f36d29d0dacb4bae2b099b8b73ec50c63915f7045acc105633505d9d366d97aedc9e126af841473ec309c918683b8
  • C:\Users\Public\temp\UAC.reg
    Filesize
    2KB
    MD5
    466d1ca357921fc04f74e66066ea45a0
    SHA1
    a24d0b8c2203b04649fa40d2bf7d9d5c5113ec84
    SHA256
    1b4e45d04ef96b92b7cca062439ccf80e6e2c2172f99d11cc6587d7d76a11976
    SHA512
    ddaf720acc0ef7e4d80750f7babd839f51bfe4596dfe68e1d1acf2736c6badb31cd9f929ec61e64c6e101e5f5b54a37fdcb925e6d3f5ac15f78689da1cadd636
  • C:\Users\Public\temp\color.reg
    Filesize
    362B
    MD5
    d20ff0fc43ce58afd773c66d3caaf48c
    SHA1
    1eaa1f45afc6a5bcc3ced232e9583a0b791326e2
    SHA256
    4eabe39af865548013371e299ce238d14c68587770bb7c4a3f1c3480b2f57727
    SHA512
    6dcabefd5dcc0a0101824db1013bcf2ebfc293985aade65a4b626f31010ffbc9d244e9507fde496d74c9770788c44a5b7511c8819ee23fae55860b82a05d3bec
  • C:\Users\Public\temp\dead.exe
    Filesize
    1.6MB
    MD5
    f2a055b5634373f384692c2daaedf299
    SHA1
    41d6f65378f2360c48bcc6684baddf9c62585086
    SHA256
    926d3b91619e6a5d327f09b6d95d46486777910c9ca4965c6e0917c30b9561d8
    SHA512
    4656d7d8e5e74c3c490a008e8a06b73f05bb971d458d04c8bec55ec3d25afe2644ee70be98b826f7f397b05e6ed7bc02d14ed88661c12d1651a31dde9478f69b
  • C:\Users\Public\temp\death.reg
    Filesize
    1KB
    MD5
    bd6a649075e3eaf9fe3d6569614f4016
    SHA1
    c2facb5fb74a54d955564044cd6e777d79f6698d
    SHA256
    879fd141377eec559c7e54374294fcb5880a5feed559a7b04f450425de7b3e18
    SHA512
    d16fc905cc8c739e47d2d9f8eb2069a1713f729b0e9a86b6eddab1b18d7d62eee27d8384edb5b86e4d4b06fb6a759eaa6768eaa3cd4fefd3c8ea5d1e6094567d
  • C:\Users\Public\temp\dos.vbs
    Filesize
    23B
    MD5
    23873c064655ec26585bb489cab1965c
    SHA1
    575d47d57ddb6ffb5335f5d48f6bd222e17af599
    SHA256
    828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63
    SHA512
    44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348
  • C:\Users\Public\temp\here.reg
    Filesize
    3KB
    MD5
    afedbb9b1c857745f4b93259bb68af47
    SHA1
    e33964e90622b62d645097f88de405a99a95a518
    SHA256
    b44cd8aac57b1b103386b1d014ef0695b6fe5cad198b59f55210900e889bb099
    SHA512
    22634bbd6dc8ced9b655ed6110b318f297173f367836e5962dd9a7d095261bd242fa6a7018065d83deb45089b913e1feee9186dc8fe55cfa0a66b747fd458650
  • C:\Users\Public\temp\im.reg
    Filesize
    272B
    MD5
    e7862fe74b0443aebfdb2d78271dba13
    SHA1
    df9a7e05451fdae88d1b32497d06b2b37edc68a5
    SHA256
    5cbe571b4df6796806e1236519af8411f30e00c155ba4d7d354d97c195ec6af9
    SHA512
    320bff1f377cb7e787a752c7bf3472b4d3de000ad107a0ab32e7f40ef626951cdbe2a2ef135bcd470247bdc39fb447c138754d8a5b3c1bb67b11d64498a348a2
  • C:\Users\Public\temp\inkfile.reg
    Filesize
    2KB
    MD5
    be427a3d883b3a74c41df28362a82e04
    SHA1
    8df9504ece63b98c90c78f63d657a03697b96d52
    SHA256
    fa810840aa6b3b1747cfa0afe48708796d428e7212114b4ce459d65e3e3e67ba
    SHA512
    afcffc62b3894169b70bc49c0ecae82a2c643395714e4dfc69f892059116b52a2d89d570cf20928e6c0a7eada225c963992caa3af217db6d0c18641c31288bcf
  • C:\Users\Public\temp\main.bat
    Filesize
    3KB
    MD5
    5f54a2c61397eb3d4f1bc8e9736fec2a
    SHA1
    5c3ad25b0bff96ad74d2743b15089847d6be2d40
    SHA256
    9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968
    SHA512
    d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f
  • C:\Users\Public\temp\matrix.bat
    Filesize
    113B
    MD5
    284e7e79635ec15370bb7530d20f6b7e
    SHA1
    471f6b7bc91a8c6b51f291c75126a38b082a92ce
    SHA256
    4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235
    SHA512
    3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24
  • C:\Users\Public\temp\mover.exe
    Filesize
    548KB
    MD5
    c1978e4080d1ec7e2edf49d6c9710045
    SHA1
    b6a87a32d80f6edf889e99fb47518e69435321ed
    SHA256
    c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
    SHA512
    2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e
  • C:\Users\Public\temp\no.reg
    Filesize
    2KB
    MD5
    b407fa400d23edf1a710633435228c90
    SHA1
    4acce131047a4e73dcc61fb038d24e27b2217cc9
    SHA256
    2a222c741e76128ffec9ad0576798ce79d89babb43c2b2fb321cbf6567c262a7
    SHA512
    ef7bd2ca4380b99ee7a5f247334d053dd5c60c0d3449d69bb657f2caa7572c8800d438aff7ee428481971d26c576f2dd0b5868128ab365f1400a6ed28a0670aa
  • C:\Users\Public\temp\o.vbs
    Filesize
    182B
    MD5
    81c5f570e4fb185d0d675c450741f28b
    SHA1
    cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a
    SHA256
    0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376
    SHA512
    2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936
  • C:\Users\Public\temp\op.vbs
    Filesize
    16B
    MD5
    b03f8296e9ca8c4e0775aa97046e7b0f
    SHA1

                                                                            ad54c88af769649efbf634050050da2a93fb5699

                                                                            SHA256

                                                                            9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98

                                                                            SHA512

                                                                            1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d

                                                                          • C:\Users\Public\temp\password.reg

                                                                            Filesize

                                                                            324B

                                                                            MD5

                                                                            b5d54b3eb5911fea78c8f3b2324f4831

                                                                            SHA1

                                                                            b5b86aefd16f54eef78927b8beb4e7eb96c580bc

                                                                            SHA256

                                                                            2a04d7384902f4325784e3577b26e79922c967c9be4cd3614f68014321bf8896

                                                                            SHA512

                                                                            92eb3b28459e944f6e487ef65b3ea6d8335f22954de4470dd0ca5dbe256a9d699103e3a01a579fe244bf4de7931df7de6d355f08e9209129b296ebc548306e59

                                                                          • C:\Users\Public\temp\res.exe

                                                                            Filesize

                                                                            6.4MB

                                                                            MD5

                                                                            52e4f5549c922e83939e9cb6b506e5b7

                                                                            SHA1

                                                                            887ac0e1cf821abcc4ea349475577122c2cfe682

                                                                            SHA256

                                                                            985aa256302b2c2902c357727c1b0f3c90c55464c99ceb349f84598f03f737bd

                                                                            SHA512

                                                                            240ae255f049c10511088133f1f2891f5eedbb28f898a9b7af5f8a740ffc4f67c05f81396886c41051d2590fdb48d8806812d7827d5b8d373143eddee93620a5

                                                                          • C:\Users\Public\temp\run.vbs

                                                                            Filesize

                                                                            56B

                                                                            MD5

                                                                            362843e8fcf8e162e48abd29903e1246

                                                                            SHA1

                                                                            4621eac5ff7725d92a591565aa5af49bfcc41123

                                                                            SHA256

                                                                            243615ac3ba7603b2693224de5b0dd60e06d40f6ee8684df5b31ba921219bf9e

                                                                            SHA512

                                                                            e77afbefa77003cd11aca77043b97b67bdfff0dad6733298bcec86502558004621579e1c32becf2f81ddb06664e3878bd1d9bccee5ef4b5c7c0c791d54c11d09

                                                                          • C:\Users\Public\temp\systemmessage.reg

                                                                            Filesize

                                                                            3KB

                                                                            MD5

                                                                            7a82011ff8c254ea97e49cd6cea313e6

                                                                            SHA1

                                                                            ef46f610cc7f82866c7ccd14ae0f4e89eea2b568

                                                                            SHA256

                                                                            5b8e55e319108b9cfe305cc818b063fb39a3b832c55be01f6e7de77f2d2f1b60

                                                                            SHA512

                                                                            1063e84b30ac06b9600cff1c7eb56972ed9ce5d1200517439261c2955001e0907e45bcc8b14e500450377d355c71b656a711e8c7b3812a6aee77fe2f5656cd85

                                                                          • C:\Users\Public\temp\update.vbs

                                                                            Filesize

                                                                            137B

                                                                            MD5

                                                                            75f0b9500755a92762ae7e92770ee671

                                                                            SHA1

                                                                            6162edc92ce09dae4ec438378f0a24a50eca4e17

                                                                            SHA256

                                                                            4e6280573d50f767191c41a3f5cf465b27bc0bdaff9132873c99236634ae5e04

                                                                            SHA512

                                                                            25016f615ca12005fa85b2761a21ed1f1bf6211bdc44983c6b26088cef487e3da52cdc124a64019f95b214de3cbe410e37b2f037298e3eccbc2fb3e4361be145

                                                                          • C:\Users\Public\temp\virus.reg

                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            4af82811a5a2b8cb619c83e4b61d7d78

                                                                            SHA1

                                                                            f353e56635c6493864f740502042f4f0fcff5cee

                                                                            SHA256

                                                                            bf2befa4e44b28bca76ec7b76f2386910f7edd659ee95022b864d4ebf411e037

                                                                            SHA512

                                                                            8a5ee1b0ab26189d9b5bd2b4208829733a9892aacf3461b3a9bec80f234a5dcf01b836f86c73f2a799fb3194a63c4cc1ca410efe734a626aed74424a22f3df60

                                                                          • C:\Users\Public\temp\wii.vbs

                                                                            Filesize

                                                                            37B

                                                                            MD5

                                                                            ac910281f16a464b6257102b715ffafc

                                                                            SHA1

                                                                            590add7ed48a1d5fa78093812ef88f9d0dfbb7c5

                                                                            SHA256

                                                                            afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e

                                                                            SHA512

                                                                            a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad

                                                                          • C:\Users\Public\temp\x.exe

                                                                            Filesize

                                                                            22KB

                                                                            MD5

                                                                            9d0cbe0006b8e6760679bf893c5d848f

                                                                            SHA1

                                                                            a85c9378a962f1f3454ec34ce596dea318031618

                                                                            SHA256

                                                                            41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c

                                                                            SHA512

                                                                            13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2

                                                                          • C:\Windows\Web\you cant escape.exe

                                                                            Filesize

                                                                            7.5MB

                                                                            MD5

                                                                            3b20f94fe041b673d479249786b2b88e

                                                                            SHA1

                                                                            efe7933d17fff624a624a9f9ea354ddd0cd85621

                                                                            SHA256

                                                                            e728dda4121db4fea7f90288fc87a64fb16985eced0fd1a4ebcd2a17bf196731

                                                                            SHA512

                                                                            f5a0618bbfe3929300d80071ebca9565e4a08d1dd275eea96408e4bfe30ccd4619fd07b8d43ef00db8f31307d6b7f88046f48153ddef7df4099cf554d8e97f49

                                                                          • memory/1380-187-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/1560-138-0x0000000140000000-0x0000000140126000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                          • memory/1560-185-0x0000000140000000-0x0000000140126000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                          • memory/1732-190-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/2324-149-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/2324-189-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/2648-191-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/3684-186-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/5036-188-0x0000000000400000-0x0000000000410000-memory.dmp

                                                                            Filesize

                                                                            64KB
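The dropped-file digests and memory-dump names above are the report's indicator data. The script below is an added example, not part of the sandbox report or of the sample it describes: it loads the SHA256 values listed above into a lookup table, computes the same four digests (MD5, SHA1, SHA256, SHA512) for a byte string or a file on disk, and parses the memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp names into address ranges. The dump size is derived as end minus base, which is consistent with every 64KB and 1.1MB figure above, but that derivation and the reading of the second numeric field as a per-run counter are assumptions, not something the report states. The sample bytes in the block are constructed and match no indicator.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# SHA256 digests of the dropped files, copied from the report above.
DROPPED_SHA256: Dict[str, str] = {
    r"C:\Users\Public\temp\mover.exe": "c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8",
    r"C:\Users\Public\temp\no.reg": "2a222c741e76128ffec9ad0576798ce79d89babb43c2b2fb321cbf6567c262a7",
    r"C:\Users\Public\temp\o.vbs": "0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376",
    r"C:\Users\Public\temp\op.vbs": "9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98",
    r"C:\Users\Public\temp\password.reg": "2a04d7384902f4325784e3577b26e79922c967c9be4cd3614f68014321bf8896",
    r"C:\Users\Public\temp\res.exe": "985aa256302b2c2902c357727c1b0f3c90c55464c99ceb349f84598f03f737bd",
    r"C:\Users\Public\temp\run.vbs": "243615ac3ba7603b2693224de5b0dd60e06d40f6ee8684df5b31ba921219bf9e",
    r"C:\Users\Public\temp\systemmessage.reg": "5b8e55e319108b9cfe305cc818b063fb39a3b832c55be01f6e7de77f2d2f1b60",
    r"C:\Users\Public\temp\update.vbs": "4e6280573d50f767191c41a3f5cf465b27bc0bdaff9132873c99236634ae5e04",
    r"C:\Users\Public\temp\virus.reg": "bf2befa4e44b28bca76ec7b76f2386910f7edd659ee95022b864d4ebf411e037",
    r"C:\Users\Public\temp\wii.vbs": "afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e",
    r"C:\Users\Public\temp\x.exe": "41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c",
    r"C:\Windows\Web\you cant escape.exe": "e728dda4121db4fea7f90288fc87a64fb16985eced0fd1a4ebcd2a17bf196731",
}

# The four digest algorithms the report lists for every dropped file.
HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute all four report digests for an in-memory blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_file(path: str) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so a 24MB dropper is not read into RAM at once."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_dropped(digests: Dict[str, str]) -> Optional[str]:
    """Return the report path whose SHA256 equals digests['sha256'], or None if nothing matches."""
    sha = digests["sha256"].lower()
    for path, known in DROPPED_SHA256.items():
        if known == sha:
            return path
    return None


# memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp; <n> is assumed to be a per-run counter (not stated by the report).
_DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    base: int
    end: int

    @property
    def size(self) -> int:
        # Assumption: the report's Filesize for a dump is the span of the address range.
        return self.end - self.base


def parse_dump_name(name: str) -> Optional[MemoryRegion]:
    """Parse a memory dump name into a MemoryRegion; None if the name does not fit or the range is empty."""
    m = _DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, base, end = m.groups()
    region = MemoryRegion(int(pid), int(seq), int(base, 16), int(end, 16))
    return region if region.end > region.base else None


def format_size(n: int) -> str:
    """Render a byte count the way the report does: whole KB below 1 MiB, MB with one decimal above (1024-based)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


if __name__ == "__main__":
    # Constructed input, not a real dropped file: it will not match any indicator.
    sample = b"MZ\x90\x00 constructed sample, not from the report"
    digests = hash_bytes(sample)
    print("sha256:", digests["sha256"], "match:", match_dropped(digests))
    for name in ("memory/1380-187-0x0000000000400000-0x0000000000410000-memory.dmp",
                 "memory/1560-138-0x0000000140000000-0x0000000140126000-memory.dmp"):
        region = parse_dump_name(name)
        print(name, "pid", region.pid, hex(region.base), hex(region.end), format_size(region.size))
```

Matching is done on SHA256 only; the other digests are computed so that a hit can be cross-checked against the MD5, SHA1 and SHA512 values listed above before anything is acted on. Paths are deliberately not part of the match, since a later run of the same dropper can write the same payloads under different names.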