Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 63s
  • max time network: 108s
  • platform: windows7_x64
  • resource: win7-20231020-en
  • resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/12/2023, 03:42

General

  • Target: f2b05b334ede2a9df37cf699e7e6e137.exe
  • Size: 37KB
  • MD5: f2b05b334ede2a9df37cf699e7e6e137
  • SHA1: 3ef4b04f68a1ce7e75edd7d3f74bf71830ca9aba
  • SHA256: f7d72c2cf94d9b4ff3ed9abec4dc6b3b10891f9e6a58d7db9de3a7debb473a85
  • SHA512: 855601a8791975bfbf8d46fa43ec7ff1dd8469379eb4127f0590cafb90ca963f14950bb2eb87ce0943f9fd6f06dd92d33ffb87f0056da6c00c935cab25381d1e
  • SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://81.19.131.34/fks/index.php
  • rc4.i32
  • rc4.i32

Extracted

  • Family: redline
  • Botnet: LiveTraffic
  • C2: 77.105.132.87:6731

Extracted

  • Family: redline
  • Botnet: @oleh_ps
  • C2: 176.123.7.190:32927

Extracted

  • Family: smokeloader
  • Botnet: up3

Extracted

  • Family: smokeloader
  • Version: 2020
  • C2: http://host-file-host6.com/
  • C2: http://host-host-file8.com/
  • rc4.i32
  • rc4.i32

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload (3 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (4 IoCs)
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Modifies Windows Firewall (1 TTP, 1 IoC)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe
    "C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:892
  • C:\Users\Admin\AppData\Local\Temp\A18D.exe
    C:\Users\Admin\AppData\Local\Temp\A18D.exe
    1⤵
    • Executes dropped EXE
    PID:2832
  • C:\Users\Admin\AppData\Local\Temp\407B.exe
    C:\Users\Admin\AppData\Local\Temp\407B.exe
    1⤵
    • Executes dropped EXE
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      2⤵
      PID:1036
      • C:\Users\Admin\AppData\Local\Temp\Broom.exe
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        3⤵
        PID:320
    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      2⤵
      PID:2224
      • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        3⤵
        PID:928
    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      2⤵
      PID:1460
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        3⤵
        PID:1648
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          PID:1972
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          4⤵
          PID:892
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            5⤵
            PID:2628
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            5⤵
            PID:3012
          • C:\Windows\system32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            5⤵
            • Creates scheduled task(s)
            PID:2736
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            5⤵
            PID:1516
    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
      "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      2⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp" /SL5="$201E8,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        3⤵
        PID:1216
    • C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      2⤵
      PID:1820
  • C:\Users\Admin\AppData\Local\Temp\4397.exe
    C:\Users\Admin\AppData\Local\Temp\4397.exe
    1⤵
    PID:664
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211034350.log C:\Windows\Logs\CBS\CbsPersist_20231211034350.cab
    1⤵
    PID:272
  • C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    1⤵
    • Modifies Windows Firewall
    PID:1316
  • C:\Users\Admin\AppData\Local\Temp\735F.exe
    C:\Users\Admin\AppData\Local\Temp\735F.exe
    1⤵
    PID:1724

                                    Network

                                    MITRE ATT&CK Enterprise v15


                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      29KB

                                      MD5

                                      59cd089ad94f50e3eae8d8fb97826f09

                                      SHA1

                                      c7d43c3d25163676a121f6c2b92901073e57be6c

                                      SHA256

                                      7b6e8ff305543727cf59c9bdfb7662d41b8abe3af552639ce306321236a952b9

                                      SHA512

                                      b6c67722a30eb193d1b9c77b732ef97fd3af25565527ca96e734e549078615232b518cc36c57b2299ba1300541452a1e2302282cd3d6bbfe6f7fccdbfe6de9f4

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      182KB

                                      MD5

                                      01df719676856e3e1b25431cc6abef5d

                                      SHA1

                                      d4b99a91762f44798f3a6e6a2afc022b0067b5d8

                                      SHA256

                                      d4a1eaa3eee2549271a682840812243a2260a0b5f68496cbb196b5d3a31a5b8a

                                      SHA512

                                      85e214957c04da0839fa67a14a1f480facc091fb9a1961190365b3188e4b99f6669608ecdd5e8532097dadb792075ff2e06e7e1f323024e45b281091d2581f18

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      136KB

                                      MD5

                                      f47354f5f5b41a08668690480f143c82

                                      SHA1

                                      09d10d77cb09a624cf795952b7a5959299a5d0e8

                                      SHA256

                                      e7786e675e970d1319d363536e87360c087c69719f7e7cd63dfec0032ee39f4d

                                      SHA512

                                      b59598ae90e99a17e0d93de61b28580de7ef6238ffcdb5924a4481436d6629e5607225368cdb05e067421df251e1ab6e0c1efb7b8210cba1ebab6a7ab1453590

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      45KB

                                      MD5

                                      e9ad100185218c9d8d07478f1ade00f2

                                      SHA1

                                      d3248f4f7209628f2b49cf1d2ba5e2a36d820fea

                                      SHA256

                                      3cc9f4b6bb4afd6a998b9be024578bb6444d261a5e667c320cf2b90d47876051

                                      SHA512

                                      729555a9a7d913af29bbd8ae5bcd4ac6b6489e6229fd611029ba9c59acfbbae70b1ff9f76d8b3866e7c2dd7c5472c77edd6461b59b2983085a76fa8862bd9c8c

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      64KB

                                      MD5

                                      67d91d7dfd2e3b4a538cb9332272e91e

                                      SHA1

                                      bc44b3caee1c81096ca085f33b7cf50e631849c2

                                      SHA256

                                      a674a3e179fdad3f5818d36a8ba0f32b6baad27e563f2daddf1f27c4601537fe

                                      SHA512

                                      009eb7e14f9434e860a847e86ca79f5caa066a927389f0bae8885d8d2b19253338c51b26886c00e07aaf26f972c708de45588e571d830701e2bf6a44e19bc547

                                    • C:\Users\Admin\AppData\Local\Temp\407B.exe

                                      Filesize

                                      2.1MB

                                      MD5

                                      c2496084b0091309a47a48cee7c37229

                                      SHA1

                                      375882b33312a888870434ab5f6171b4888dc5a4

                                      SHA256

                                      d47db5b619a905807f50ac3df9fda40a028a8b2209522b1261b2fc758874452f

                                      SHA512

                                      0c8a1f27b618c3aed171618dd24b41edca55c0494cce28455ef57de2b597323c51802848906b2710ce98106b66db9e6ab83faa8c73221314999d0783c0ee4a90

                                    • C:\Users\Admin\AppData\Local\Temp\407B.exe

                                      Filesize

                                      1.7MB

                                      MD5

                                      c22081e9065850cdda43899c2a9942f1

                                      SHA1

                                      d74bef56c10aa2d55d6d612a8e30e854711dbca4

                                      SHA256

                                      145caeaf960c8d3cbbcf66e67e23d7e8f961c6097165f9c9bb5c11482e199774

                                      SHA512

                                      60bf2e63abe65b68f34cb7831a5033b0bcfea77d4121a11c0f684f42b5f9077c07b4f46fd5d193a19b912b034bb7a5aa223b72a002a70ce681a55598e69c8ff4

                                    • C:\Users\Admin\AppData\Local\Temp\4397.exe

                                      Filesize

                                      119KB

                                      MD5

                                      aeadfa981ecacdc4e7812913b5403ba3

                                      SHA1

                                      14a68f4d1dd7e7084a6760abbdd849e65aadc3df

                                      SHA256

                                      0fb80ea7d320ddd25f8d0ea377ab5fdca00861aaf3595292df43a8a13ccebfa8

                                      SHA512

                                      a821c2d3de629bb1e3339efb887d6b3d577a39351f9eb563fd658620eb9879665b97b8fe3434cbc4b803e947fbb338530ede329ce0a36feedbf87421306bd17c

                                    • C:\Users\Admin\AppData\Local\Temp\4397.exe

                                      Filesize

                                      219KB

                                      MD5

                                      91d23595c11c7ee4424b6267aabf3600

                                      SHA1

                                      ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

                                      SHA256

                                      d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

                                      SHA512

                                      cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

                                    • C:\Users\Admin\AppData\Local\Temp\735F.exe

                                      Filesize

                                      52KB

                                      MD5

                                      8b104f66ed5e09a360531b4bb0e2a51c

                                      SHA1

                                      02114bf12bcac0d1d2a9aa13699a178bccdad0bc

                                      SHA256

                                      bbc198f94875706e7a4f44bd4a4194febf73ad47474dd189746ecd203ed7a7a6

                                      SHA512

                                      6e7415c3f4cc98022ab0e84d8f456fb22dceae0ebe9ed8aafc1183f27dea072b7ab06412ea0a8ba42c7502d9de8fb251ae1b78f31edd8b68115f298674ab1e6f

                                    • C:\Users\Admin\AppData\Local\Temp\735F.exe

                                      Filesize

                                      21KB

                                      MD5

                                      37538ec36382843b0cf173e0ffcf6ffa

                                      SHA1

                                      fbe115339744b574d153d4345bf17888c8adbdea

                                      SHA256

                                      a0311e71e97f9b98078dfd364e37688ef2efbae3b55306da6909026dc6f2756d

                                      SHA512

                                      01223df75febe07036d2fcd4b99e5c3fd40fa2a30db58d03e4c0f7ad078727544a029221be3ba226655a352b507d8fde30a0322184dfbd2e0176767606e828f6

                                    • C:\Users\Admin\AppData\Local\Temp\A18D.exe

                                      Filesize

                                      401KB

                                      MD5

                                      f88edad62a7789c2c5d8047133da5fa7

                                      SHA1

                                      41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

                                      SHA256

                                      eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

                                      SHA512

                                      e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

                                    • C:\Users\Admin\AppData\Local\Temp\Broom.exe

                                      Filesize

                                      62KB

                                      MD5

                                      67440156c189e004c995cd311c01e524

                                      SHA1

                                      3f85ca6bfd6cbe75048cade970bb594912aaf1ba

                                      SHA256

                                      9b02cfe45a1ef0f3de49a9408d2a21fb7a37a939576c32540282b27df47af597

                                      SHA512

                                      e16635466536db3e8f77fe168040d0c9fa8e8f4eab96cee1d5aaa82453b10455f5fae8e0340865f5b5c008eb266d55a7cdd97ab3d26ad0f3a35c0553579f4dfa

                                    • C:\Users\Admin\AppData\Local\Temp\Cab8AD4.tmp

                                      Filesize

                                      23KB

                                      MD5

                                      6a85480f7ad7293592bd27ae118ba590

                                      SHA1

                                      0dad2b6b50b27837b3f67cb183b533808e9d100f

                                      SHA256

                                      8ea5efc85d666c13e1eabbf31bb13a86cec83825005d2364e0b73f7651d14cf5

                                      SHA512

                                      f4a4ad1eadae7a4b3a22f6819f4351187f838f6f23c742fd6904058aed210d8da79f4bf657aaf4bff9634b36316d72873f5a4bb52a71182b68df42d13ad1ec35

                                    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                      Filesize

                                      454KB

                                      MD5

                                      bede382d95d90398b70eb5cedf620760

                                      SHA1

                                      e88169a7471a870806162f328c64f500d5f84bfa

                                      SHA256

                                      468b08a4e25132793ec388807d41a3ca76d3ca690d7df31139598b83e7305e6d

                                      SHA512

                                      b841ba21e496f956dfe7e730f152181e540dfeaff0641cd8e07af4fded710e0879489d27e6ef86f984c9bf9e98bca3a5f75e479d58226c6284e5b8df473998ae

                                    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                      Filesize

                                      202KB

                                      MD5

                                      dd8e66eef385bff9cc60f7a04a6a0994

                                      SHA1

                                      9d144861dbab5cbaf589b80cf0eff4f263946ca8

                                      SHA256

                                      b25fe50b37cad831a4d6070b44f183115314ac1299fdad6f3af98b78b8b85acc

                                      SHA512

                                      0d9670c37bcffcdd6e31641183e68b0fb0e4718483655b15a6168e46e07b15cc3de04a54be92659bd764ef0a958aa7b637f1541a4110c8bbadd8a5b49fe8f606

                                    • C:\Users\Admin\AppData\Local\Temp\Tar9095.tmp

                                      Filesize

                                      12KB

                                      MD5

                                      f93c08f88904e8712e169f4e1974a764

                                      SHA1

                                      fcc6851595ac816bed58ca284eeef80c9133cb6f

                                      SHA256

                                      22342ee5f573ddc4b4665d979dda0820c5fb24c09d2a717e53195fe5a1f55f52

                                      SHA512

                                      489525d3ad33ea03ef7257bac57360b11baf27968e6c4cd4b1919f441d6324b4611bb8e58dc4c9ad4a5ee5bfa415b3e15fa46053278525b34c2aa546d15c9741

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                      Filesize

                                      78KB

                                      MD5

                                      0d12ca33de92f37d494473ad881f6a5a

                                      SHA1

                                      4e0397d1906673c93554c95b99639f045c735cb5

                                      SHA256

                                      7ddc32174078e915c81d2a0a836eaeae67fa5914e5ee8d30da132121fafed789

                                      SHA512

                                      2ba154304544248a9d0f32caad2cdf87b4be62e4f1b5ebc94274dadf78c2518e4fd0c4ae56423e89d4e0b4c7486bb50fdc1f7655b1cd8727876614a62e5d9e75

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

                                      Filesize

                                      66KB

                                      MD5

                                      82327680509e772853237cf86fcb4417

                                      SHA1

                                      75a146ea57d8464d69b590bf36d6446f153ace20

                                      SHA256

                                      21c07b7889f71a8d7fa80fe553b70e4ae98f2fe083561499315828c4d759319f

                                      SHA512

                                      51bbd865fb1bc0e5d58222a13e4e20a4d350c10b7ba641de23458da7c28ef03b17c0716204f25ce67d41258755f0d1f26077d20850434121ca6b75a543bb02dc

                                    • C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp

                                      Filesize

                                      191KB

                                      MD5

                                      2b18b7be3421f88babd79d276d03a388

                                      SHA1

                                      035e7cac0a9fef80ea0d628e4b54eff6071e5815

                                      SHA256

                                      3b4781d78a633f6ad455271d144d28b9fc940a194bbe283229dc7a4905ca467a

                                      SHA512

                                      454e1755547fb7c324032d7aca25b4bbe793ab7b07e12f0afe72d0c726a1c10d6843d97292dbfbb67cdaf4c91a0247501a32201add21e38cde6616da717416ae

                                    • C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp

                                      Filesize

                                      164KB

                                      MD5

                                      1174db328d775861aedadabde26c9c06

                                      SHA1

                                      d42819f5b37e9a86180ec36be9d83410e88c8d97

                                      SHA256

                                      42f6af9b4c924792262b473ced55877c0a391a444a7415c77a44b8ba9d7a714b

                                      SHA512

                                      a4a24a0a7c83130aa29f4d9560cf519774a7bb5918118c6871ebc900fc332a5dba127dbc54a87c8ebc19361728899dddcfdf9f4fe80c86e579c948bb787c0250

                                    • C:\Users\Admin\AppData\Local\Temp\latestX.exe

                                      Filesize

                                      144KB

                                      MD5

                                      81e588841e6002a5f0f76babb3eddaa8

                                      SHA1

                                      9b697d9c31cbc296625fd7c7a74a3e949e78125c

                                      SHA256

                                      4218c89256dd9df5461cff9db484f72c9bde6787c735fe2347ad576a6fc5064a

                                      SHA512

                                      63b3b78c1599ca98725137401860d851af10b72e6d59bced10b8f865d979097f3a6847fc29c96154321138d3f29afbc4caff88054d65fbbbe0fe64aadbb8a4fe

                                    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                                      Filesize

                                      51KB

                                      MD5

                                      8a3db489279c699b376a9f288bffca66

                                      SHA1

                                      4f350ac5cdeb0ea5d286d1892c12923ce1e1eb43

                                      SHA256

                                      0f03e23f82fa561aed651283ae3aab5a6ea2bf71b901495b7f57c7dc0a101fea

                                      SHA512

                                      fff900c0159e5d73a75286e91e61151c00d429e9372745ad534bde5ffdd59071298c8a91dff2f02d7ca589885520f405f761bde27b3fdb8d5078ae70d548dfba

                                    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                      Filesize

                                      113KB

                                      MD5

                                      89c6bcfc5cdfc721da6449cb0e7c20a6

                                      SHA1

                                      42c1bcefb941993944c32f83368c3de6bbfb1f50

                                      SHA256

                                      21d81cbf8cc091679f9c2c4326618859b1a485adacf2b1ce053146e2d7184ddc

                                      SHA512

                                      e168159742e3f84c2485c7ac3dfc69dcdf2302ed4a0bcfb6a85fc42ee2dc2f28cdb13f058fe2dacdf00001909a5ea8ab31f666406eb8c7a8874a0a5c38e0235e

                                    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                      Filesize

                                      194KB

                                      MD5

                                      7f66beca7edae9e7479315c77c255865

                                      SHA1

                                      b56e1ba3b5b5a31168955c75ccec8c1263fbc8db

                                      SHA256

                                      f0152d80368dbdaba94dc2d25da067bedcdd73299880c622c4102f0cd312fe9d

                                      SHA512

                                      010730bb9bb31ddb62665e062fe51ab819374a530d7a59b5f28a4a6df26725bcd8431e50e4f124eca104605a3e0a3b14eee3c219d59a7823e24dd5e48ea66b1a

                                    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                      Filesize

                                      229KB

                                      MD5

                                      1b8e907c57fb4813e4261d2a2728e5b7

                                      SHA1

                                      64d5f87d1f82ab7f3ebdbdf119d007471f248ab6

                                      SHA256

                                      807fa7e64dc59f1f708b021eb52ee8a92c77e173674a5443d13b008497f5de4c

                                      SHA512

                                      97098c5871b2fd9a882347e5a79c32e4413a35af17559a48d3f55b6e662b4abb736b2b0613338425d0d4c218d7f701ac181c852510028e0a17e7fccfed0ae3bb

                                    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                      Filesize

                                      128KB

                                      MD5

                                      5a3179d15184b45850bf245e892f98b3

                                      SHA1

                                      c897b5644d8eb2b7a271c959bbd651509af1cc44

                                      SHA256

                                      b49e0cc77cacc82ebcf1cc86e57d3265915561fca32a72d42a60fd0253c6559d

                                      SHA512

                                      18bc62ac3b4a85bfa272c28763999741631e1e5da7df61aa85b6f9b9b4d381b9818e7b6dde3f1114dfe7f34a44e68eda016be6d69bc2a8ac40ecac0cb60da1da

                                    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                      Filesize

                                      65KB

                                      MD5

                                      1a8e84170d6f3d504105da8950fbad7e

                                      SHA1

                                      b27ad5efa7f3c11c08e54f4a765fc3e6c7eec04e

                                      SHA256

                                      3e534a25381885102d4d2bfd0e23de874cb8fa58bd02f3b421f9e019f9f0a80f

                                      SHA512

                                      4d9431beaafc82e0c98aebac7bf5adfcd1412ec2c9e9e18bd25dcdffc3d8f62ce1cfa15e762c6a01ad7f9bfaacd079afa8d96d560808d8ffe3e81c0e4e15c504

                                    • C:\Windows\rss\csrss.exe

  Filesize: 199KB
  MD5: 5c956541fb9e4988a6bf6727621f0915
  SHA1: 89e432a390e4cbdada26e38cfba88241a17ba526
  SHA256: 026761c6ec9d3852cf898ed3d0866e74f03584b737447a7137fbc94e7f526428
  SHA512: 73527602fdda3b70ef958fd40cb8c56011c7dc9aae36ebd5445bedec65ae3c14fc1b6504a35719dd237364f5e93262d4fc57d45b9c7b526c5ed1fedae951fae6

• C:\Windows\rss\csrss.exe
  Filesize: 1KB
  MD5: 2264d77194cb550fd290c9b334abffe4
  SHA1: d6f85c34ac3cb7a181f3418c2d6cdcd6c72c3e90
  SHA256: 518a62a9fedebb7cf95872e1caf4e6178b91ec6f6449b7eb7176c9cbea413e14
  SHA512: adbefe28cbb918d4ec971e1c2133d2baf347e41326f78fd11ee204ddb9c4a4a075c28c7b5aac2db312e2a758d3f9be4c57a9eec5d973f49aaa19b7b462c4191d

• \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 54KB
  MD5: de8ba4fe7d3f0d7e393d58059b8ab4bf
  SHA1: 9b492b8e32c8650f58014273b0634ab7a8c153fc
  SHA256: af81230fea202c62a696616d39bbf1f796a1350ef340e926748d0fbe94bfd536
  SHA512: d763e0dcf154998addc89a92f7b9735d5100e4569ab79dbe97b48475bcb9fe5c54505251181dfb87295538fcc0176af958b7e39e42029e6b4e5fcef71105f1c8

• \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 102KB
  MD5: 9d8f33c854882492d14d87cc724bba3a
  SHA1: 78778531a865a6b11fd3fcf21325174bfdbd13b9
  SHA256: 78d99e897872b511a6923a1b8d1f67f2ea85212a9c274e161c86dee1cdea6e57
  SHA512: c69cd6e2cda37b3234921965b2bb23a424b05797b90a1b9b22128e0cc20d751afd8f4e5501eabcdd3114b8c5abc230dead0e2ee888480337fdc4848e59443b0f

• \Users\Admin\AppData\Local\Temp\Broom.exe
  Filesize: 135KB
  MD5: 0d047ccea1d1718f1ed6e9a3b047059b
  SHA1: 7ef06026d39f30eb5d48004936d1236158d823dd
  SHA256: 618270cd66a8a532ceb28d8f3dfa35e290a6e0112c584017d1b1f653dab317b0
  SHA512: f9de17024a40e3b6d169c5f6820d274c95f4a570cc1f90e0ddb1fc244771b882208e793b4467d573a3fe20393f5fd65c17448e26f98568b2019e1387abf0a12a

• \Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  Filesize: 364KB
  MD5: 21b413756f9c36e2baa957153b688061
  SHA1: 33cc87ec09798b5cfba13349be85c43cc6121501
  SHA256: 70d6f1113247c8ddc69324946fa71930af2d99424847e4f78139cf1d62f29f21
  SHA512: 6da7cc071b6bf9ae8a1e8d5185aef3d830ae90c5a0492955e0f047e6c4df0a686f268577f1eedec946a3a0076c838b06bd2658b2f403d744b94e5e212e430f55

• \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Filesize: 82KB
  MD5: ed64aa1cec486f16cc01015952d060d3
  SHA1: db190a8e9b15e4b60739f4e5b9ee29b6eb9eae3e
  SHA256: 6bec3bcc47420dbc3c4f44e844ff7f3469f5a6f14b8af96c25f84731227aa13c
  SHA512: 4e1334168e60105f6bcc27d13b58e9f5f7cbd969370dca903ad0ccdc7f0bf3f29d2ac74934b80fb29db6938541b4c45f87d43efd8dd0fbeb8fcce8eb9b69604c

• \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 78KB
  MD5: 576d592aead0bcc402d5caecd94e9f21
  SHA1: cbafd8f0cb211d30a77ae46b1810f77bd7570f69
  SHA256: de0d22c01d83027bd02ecd2b4f148d3e43a9226e70ef1840a4ef58a670295dfe
  SHA512: 642a928a2f38cc5f8ca5ddabab6b1f0050d4092f174562e6e2dfbda422310893e5b66448c52341104ec6861a42ffe8218e4eb78d09f3a50256ee5c4e55bc7b90

• \Users\Admin\AppData\Local\Temp\dbghelp.dll
  Filesize: 129KB
  MD5: 41d7cee863594deea47967d498d893f2
  SHA1: 72f7e570a9513fcc817869a5e16e3820260e4090
  SHA256: 92501612e5b0c8b08b030987630206fa1139ac5a5897d8acb79281901c7a6b64
  SHA512: ac2445bba21d430301000c22d3f3937759c6c542b56002e7e012a70db577858a4f834aebd9f6ff8c453bc9a9b9527bfcd1007748778601c1fc476b9c74e577dd

• \Users\Admin\AppData\Local\Temp\is-47AA4.tmp\_isetup\_iscrypt.dll
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

• \Users\Admin\AppData\Local\Temp\is-47AA4.tmp\_isetup\_isdecmp.dll
  Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

• \Users\Admin\AppData\Local\Temp\is-47AA4.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

• \Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp
  Filesize: 17KB
  MD5: 4f90bbab05684e79f8c3506a1120a3b4
  SHA1: 8553f777f6b42635b7913d307c0cbe0674b7aac5
  SHA256: 2c4c605e0d6e4ce4f36cd2ce70d2c569d8372204c0ca77eb57bb1729c5eeba42
  SHA512: 5aa0b76db11fa2cb2c76e43a883261b534ec9c8c3f39a9dcf2459156b1f5c7d7fb234d4e60ebc0f2e322b25bb0e4d4ba53278279520fbb871490dc7fdbc10577

• \Users\Admin\AppData\Local\Temp\latestX.exe
  Filesize: 70KB
  MD5: 96101dce8e6a49c5c5db044a5bcb3294
  SHA1: fafc7470b37b18a77111baa300032461539be149
  SHA256: 79b80e398a1220af759558fd69b83155dc33338c45a986fc0c9811220044a376
  SHA512: 0043c79044ebacb3f0700a8bbc2ee20157a601dfa2eb02bcc9567477feed3c6451cbb682775114fdba6c487498646409bc6583e5fed96198f01e2958cebdd16f

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 175KB
  MD5: ef8e510e5d1270e3aa1fdb50a07326cd
  SHA1: 77b97ddfef358bd56cf55f2692e83290af69cc8b
  SHA256: 28b9fa5929518dd6a30daebbefe6e0c04a947e932fe37ceeb84e21266be2815e
  SHA512: 8f4c91952d06c26ae321a3e18134e3442e9778f185e179d0d4d054503fd0f21ddcd7083c751e8852b13e35ee663e6c05df380649689b80729d6a9b83ae38fea5

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 148KB
  MD5: 0848c4ad6dd36449a7c2342279193672
  SHA1: e39d4ba5b6d94a61aa50d96486af82d5de92b38d
  SHA256: bec9c78c42cffdfcbcca1247f6806b85dc0a48b0c56c3ce7816c4f04c374bb2e
  SHA512: 8f83b0299308ae0c44a09946777a389deee9ad471f33ec3f7161d850f43cc470386a4a85723561d73ca4421f65fbc5855f09d4f82c67bf8d985177a5f0da012b

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 64KB
  MD5: 99a0ddc602051d534da340253d497b6a
  SHA1: 8b2ed02fad938d0a610cee25b2ad2a12e8a40437
  SHA256: 600fc8c2215daaa79f878cecfb4781eeeb41bdce021fdd5c19b4ccb5d9ddb26f
  SHA512: ff2a5650ea6875b03b3cdd938149e208194fdd733e91450ad8a1853a0df9e53c5736e949a61a2f0de64b5d1bbceac22462663286a7ef8840d04d007b89166e37

• \Users\Admin\AppData\Local\Temp\symsrv.dll
  Filesize: 122KB
  MD5: 087a521e8eb51c16cf8a8e7240baf281
  SHA1: b156a5aa37170a84c7f72473f5fd4e9ae265302a
  SHA256: bc7a213751eb5c5ad997c051a97d06c4a968578d2c6ca62610266a5928ac49ba
  SHA512: 9f5600d276bf18ffbe03f2173872f2a4443376716fbcce0ae4d0e60a15af6abe5def081e66e7988d11e4cb695cc0bd2015d2f0e03e6aa3e7eb0da40f597a45a9

• \Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 291KB
  MD5: cde750f39f58f1ec80ef41ce2f4f1db9
  SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
  SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
  SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

• \Users\Admin\AppData\Local\Temp\tuc3.exe
  Filesize: 178KB
  MD5: e444235e7e5bbe262dc9f4174f8b9112
  SHA1: 9a43766d4dfbe849854274cd99962ac262e6c6bc
  SHA256: 188033fb56b41e1f3073d2f0e299a1571fdb26e27badd36f7c1a2ccab92eea6e
  SHA512: c7d0a1b7e1891544e811f9da4c02304e8c4cf64f00cc12177469d004d1f4403a32cd5990cabb042b8500dc73075de0843022398c458325e7fc1671893b0f03bd

• \Windows\rss\csrss.exe
  Filesize: 184KB
  MD5: 80e6191ae7c782fae9544c8945ba806f
  SHA1: 12a148d1ece9f446d33ee6e2f1246f8bd3b31d2e
  SHA256: 695f97004ec815bae89661ef92d23988cd54c751d8727a561a6d0eddbf0fad4b
  SHA512: c2ec53a9a0cb20cdf46fc46dc0c574b6d21122840b8a600afc74f0e43c230783b885b9acabc92fecac414b0e8af7d6fa0f033844fea8e6e0b20be53a27f99b42

• \Windows\rss\csrss.exe
  Filesize: 160KB
  MD5: f47387d57ee88e5f84f102af3460d919
  SHA1: 60f3dbcfa56d34cf4b7c7b29433dc89ad3924aa0
  SHA256: b40d8c050edcfbfcd22fa8b65cdd62f7345984b4d959311bcefb1b04bf8b25c8
  SHA512: 1b577d4e52d9d55ffc7e2d87d7ae146ed4b2d57a56231abf5b9fe34e49dd4e1c9e52714e3ac5d58c58aea7944a17869bbd79ecdda76102c51fc53a76549be116

• memory/320-78-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)
• memory/320-151-0x0000000000400000-0x0000000000965000-memory.dmp (Filesize: 5.4MB)
• memory/320-171-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)
• memory/664-54-0x0000000000180000-0x00000000001BC000-memory.dmp (Filesize: 240KB)
• memory/664-64-0x0000000007090000-0x00000000070D0000-memory.dmp (Filesize: 256KB)
• memory/664-152-0x0000000007090000-0x00000000070D0000-memory.dmp (Filesize: 256KB)
• memory/664-53-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/664-133-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/892-179-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize: 9.1MB)
• memory/892-177-0x0000000002650000-0x0000000002A48000-memory.dmp (Filesize: 4.0MB)
• memory/892-174-0x0000000002650000-0x0000000002A48000-memory.dmp (Filesize: 4.0MB)
• memory/892-0-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
• memory/892-2-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
• memory/928-135-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/928-127-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/928-123-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/928-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
• memory/1184-73-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
• memory/1184-138-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
• memory/1216-92-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
• memory/1216-176-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
• memory/1216-155-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)
• memory/1252-134-0x00000000037B0000-0x00000000037C6000-memory.dmp (Filesize: 88KB)
• memory/1252-1-0x0000000002190000-0x00000000021A6000-memory.dmp (Filesize: 88KB)
• memory/1460-131-0x0000000002700000-0x0000000002AF8000-memory.dmp (Filesize: 4.0MB)
• memory/1460-113-0x0000000002B00000-0x00000000033EB000-memory.dmp (Filesize: 8.9MB)
• memory/1460-116-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize: 9.1MB)
• memory/1460-80-0x0000000002700000-0x0000000002AF8000-memory.dmp (Filesize: 4.0MB)
• memory/1460-129-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize: 9.1MB)
• memory/1460-130-0x0000000002B00000-0x00000000033EB000-memory.dmp (Filesize: 8.9MB)
• memory/1460-110-0x0000000002700000-0x0000000002AF8000-memory.dmp (Filesize: 4.0MB)
• memory/1568-28-0x0000000000FD0000-0x0000000002486000-memory.dmp (Filesize: 20.7MB)
• memory/1568-27-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/1568-115-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/1648-132-0x00000000026D0000-0x0000000002AC8000-memory.dmp (Filesize: 4.0MB)
• memory/1648-154-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize: 9.1MB)
• memory/1648-172-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize: 9.1MB)
• memory/1648-153-0x00000000026D0000-0x0000000002AC8000-memory.dmp (Filesize: 4.0MB)
• memory/1724-161-0x0000000000060000-0x0000000000612000-memory.dmp (Filesize: 5.7MB)
• memory/1724-162-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/1724-173-0x0000000005420000-0x0000000005460000-memory.dmp (Filesize: 256KB)
• memory/1820-175-0x000000013FA00000-0x000000013FFA1000-memory.dmp (Filesize: 5.6MB)
• memory/2224-125-0x00000000001B0000-0x00000000001B9000-memory.dmp (Filesize: 36KB)
• memory/2224-126-0x0000000000270000-0x0000000000370000-memory.dmp (Filesize: 1024KB)
• memory/2224-199-0x0000000000270000-0x0000000000370000-memory.dmp (Filesize: 1024KB)
• memory/2832-17-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/2832-20-0x0000000074040000-0x000000007472E000-memory.dmp (Filesize: 6.9MB)
• memory/2832-18-0x0000000002040000-0x0000000002080000-memory.dmp (Filesize: 256KB)
• memory/2832-21-0x0000000002040000-0x0000000002080000-memory.dmp (Filesize: 256KB)
• memory/2832-12-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
• memory/3012-200-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
• memory/3012-185-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)