Analysis

  • max time kernel
    68s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/12/2023, 03:01

General

  • Target

    aa96cbc9b53138883480cee00d2e6e41.exe

  • Size

    37KB

  • MD5

    aa96cbc9b53138883480cee00d2e6e41

  • SHA1

    6ee4d8308087e804e958012cb364e05b454c40fe

  • SHA256

    0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79

  • SHA512

    cad1962f44d941705d16d734fa88f15c8a56eba62c95c5648d7c24d87eef3c8e760a42642d2dbbae4a5f602274d4d775c4b6367751abf8922a96e9814b72aff3

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted
  Family: smokeloader
  Version: 2022
  C2: http://81.19.131.34/fks/index.php
  rc4.i32
  rc4.i32

Extracted
  Family: redline
  Botnet: LiveTraffic
  C2: 77.105.132.87:6731

Extracted
  Family: redline
  Botnet: @oleh_ps
  C2: 176.123.7.190:32927

Extracted
  Family: smokeloader
  Botnet: up3

Extracted
  Family: smokeloader
  Version: 2020
  C2: http://host-file-host6.com/
  C2: http://host-host-file8.com/
  rc4.i32
  rc4.i32

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe
    "C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1464
  • C:\Users\Admin\AppData\Local\Temp\9869.exe
    C:\Users\Admin\AppData\Local\Temp\9869.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1944
  • C:\Users\Admin\AppData\Local\Temp\4B34.exe
    C:\Users\Admin\AppData\Local\Temp\4B34.exe
    1⤵
    • Executes dropped EXE
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      2⤵
      PID:1056
      • C:\Users\Admin\AppData\Local\Temp\Broom.exe
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        3⤵
        PID:2136
    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      2⤵
      PID:364
      • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        3⤵
        PID:1996
    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      2⤵
      PID:2072
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        3⤵
        PID:1272
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          PID:2648
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          4⤵
          PID:2624
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            5⤵
            PID:2992
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            5⤵
            PID:2692
          • C:\Windows\system32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            5⤵
            • Creates scheduled task(s)
            PID:2660
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            5⤵
            PID:2832
    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
      "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      2⤵
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp" /SL5="$90118,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        3⤵
        PID:2212
    • C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      2⤵
      PID:2044
  • C:\Users\Admin\AppData\Local\Temp\4DE4.exe
    C:\Users\Admin\AppData\Local\Temp\4DE4.exe
    1⤵
    PID:2604
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211030245.log C:\Windows\Logs\CBS\CbsPersist_20231211030245.cab
    1⤵
    PID:2148
  • C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    1⤵
    • Modifies Windows Firewall
    PID:2724
  • C:\Users\Admin\AppData\Local\Temp\97FE.exe
    C:\Users\Admin\AppData\Local\Temp\97FE.exe
    1⤵
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      65KB

                                      MD5

                                      ac05d27423a85adc1622c714f2cb6184

                                      SHA1

                                      b0fe2b1abddb97837ea0195be70ab2ff14d43198

                                      SHA256

                                      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                                      SHA512

                                      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      93KB

                                      MD5

                                      653a6d9615b6b9ac863d01ddc6f0c3fb

                                      SHA1

                                      97b245404ebf7a39d2314980ea80057d2e63b356

                                      SHA256

                                      764aae9f89a867aac0417d98c8b11baadf4d7ecce096a3696c3d10d13c258ef7

                                      SHA512

                                      72635ab631f89ec6450d1e2d38af909d8fdcee72d9e1f5adcd23bb3606aff121395a6a152377e8154e517775e8c0fd6124b45d59c9e44e67f8da6166bf954b0a

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      145KB

                                      MD5

                                      490cbf4f78c815da77b5b324b96573b7

                                      SHA1

                                      435fffa97177ea3e6f03ac5178f2717a911eb381

                                      SHA256

                                      3a2f9de8544e0f8e4e237748f8324768eee628185ccd162681ceff4346b86f65

                                      SHA512

                                      c936db9345fb0c583bbe8c6eb2014cedf4cf1927df2ed72ae7bec183056ad56f16eaf9c7e4e434acdaf50dae55c4ccf782c0912b797dee84de8cba406b86e6f1

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      392KB

                                      MD5

                                      a9eccbd1034678a4cdc39bf412b688f9

                                      SHA1

                                      11c16ad6f390256afce8509f3e88ad210223997a

                                      SHA256

                                      f1e3f3cc4e3bf28658d048c5807d79024b45262555d3f6011aec5ce67bf40c71

                                      SHA512

                                      7554a6daa4ae86de0ef853072e3d9dd7f43e76ddf6a9b540c4ff44f96007b25b5e0a1b3e3e281e39a44a32512fea2e7638d71db3d5e76c539a94283cae20ce6f

                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                      Filesize

                                      57KB

                                      MD5

                                      8ebf66ed4d6f5d5518a786683cec8f9f

                                      SHA1

                                      a8f844ac07f8178ffcd8efd1ae413bbd6b049fd0

                                      SHA256

                                      ffc5e3d73d3a8e3a3d788a8eebea9c3e88d95ee54e4809e73ad52217cd3c1d7d

                                      SHA512

                                      fad67759d4dd19a1896dd36aff295aedc412dc2c95af0f2130b8099cfb3fb43657f38de20a811e5b34d0855d793381671b188bbbb51b3e8edc017e2b55a9dc70

                                    • C:\Users\Admin\AppData\Local\Temp\4B34.exe

                                      Filesize

                                      707KB

                                      MD5

                                      4a875eb3f8d3eab41f6bca197e2b5313

                                      SHA1

                                      e6bb66150ff2cf2c5552588aa0aeacf0268c45a0

                                      SHA256

                                      5546ae7557cfdb4bd925392e09aa8cd29d593314d4d8d0c62ea40f74cd21981b

                                      SHA512

                                      fca0a3f18b94480f3b70392157e0afd0fff05da13239011f40b1b2c4b61d2169edd6baf2244a2fcb7818518c61ef48311553dd7cccb19240f6d3e6dd02509144

                                    • C:\Users\Admin\AppData\Local\Temp\4B34.exe

                                      Filesize

                                      545KB

                                      MD5

                                      461c3ebab9fc1d3d085ee5da1001e592

                                      SHA1

                                      9289dd4b9a567ac508b31e309c9974f5f755b00e

                                      SHA256

                                      d74e9d77751baba77e2731cfa140602234c542b51c24559b05a4280c4dc6efeb

                                      SHA512

                                      90537bd4f9bb9229967bac03778d5246a5d8a0e35e774eb39408aea782b9abe253b087b784f7cec231c8c3c3af8fe8655b9bd873cd2fa58a3cbec7e0995b6752

                                    • C:\Users\Admin\AppData\Local\Temp\4DE4.exe

                                      Filesize

                                      219KB

                                      MD5

                                      91d23595c11c7ee4424b6267aabf3600

                                      SHA1

                                      ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

                                      SHA256

                                      d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

                                      SHA512

                                      cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

                                    • C:\Users\Admin\AppData\Local\Temp\97FE.exe

                                      Filesize

                                      54KB

                                      MD5

                                      780d6aca8db33507e72145129c6b2a90

                                      SHA1

                                      4c626aa92eb1f701d38d81e4341f8fb4ea44c74f

                                      SHA256

                                      dc8e21fdcf599815cbacada8d15f003a78d62e2893611b08282d44d58d250330

                                      SHA512

                                      54d56a1594974d0d8867954e5c650311e282ae3bf9f4d1783e65aefa051b0ccee82804aa6d3e898706c1db41d67ab2b7798c6ac5daef61ba74691eeaab66ce2b

                                    • C:\Users\Admin\AppData\Local\Temp\97FE.exe

                                      Filesize

                                      76KB

                                      MD5

                                      30af8e48cae56a2228154de349f736d6

                                      SHA1

                                      de143f1d7632547d99df44ffa414f5457e8597fd

                                      SHA256

                                      c4391be2f2c7fc30aa7696e3bc9727387cc024dbdb0ffccc3a37753efb438af7

                                      SHA512

                                      8094e9cd487522d6a3841de147fca15ad6d56e5d6ebd5f1e9214aa1f95824dd6a3babd8493b2201ee672f9e36b170684a212463ba1de580360fe6e89bb941760

                                    • C:\Users\Admin\AppData\Local\Temp\9869.exe

                                      Filesize

                                      401KB

                                      MD5

                                      f88edad62a7789c2c5d8047133da5fa7

                                      SHA1

                                      41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

                                      SHA256

                                      eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

                                      SHA512

                                      e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

                                    • C:\Users\Admin\AppData\Local\Temp\Broom.exe

                                      Filesize

                                      38KB

                                      MD5

                                      63009a68d0950b2c2a1aadef3def223e

                                      SHA1

                                      8dbbf6c5274ff6f2333a938800b6c5c11c1651a7

                                      SHA256

                                      19df0d1baeee7814422853bca0e0a58587fa5b57b3efb23ac9fc698609ef6bfd

                                      SHA512

                                      99cc107c5e317c020e24388c89167ec6f37cc2ca2dba392c245fc6037816d4f63a49738d3d750018bd5b1a5bb13ccfc68bed65c656d50a5e85dbe905efd6864f

                                    • C:\Users\Admin\AppData\Local\Temp\Cab9974.tmp

                                      Filesize

                                      61KB

                                      MD5

                                      f3441b8572aae8801c04f3060b550443

                                      SHA1

                                      4ef0a35436125d6821831ef36c28ffaf196cda15

                                      SHA256

                                      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

                                      SHA512

                                      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

                                    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                      Filesize

                                      227KB

                                      MD5

                                      1177642cf2797fc047aa2e431df702f5

                                      SHA1

                                      8e47b321ebb7b1db639ef06875413a3b6a53a3ef

                                      SHA256

                                      d9d0b19232fcc0ff689302fb6898e22e5f2c12a3bc6000573f8da14ca3f5e897

                                      SHA512

                                      c874e30508f38583996b21bb8779367c8737bdc58b07f3c904d21c15167018c906e534a9fd32acbd32b83ad390a17eaa8088c49eb5b99402de8326aedb6ecaf4

                                    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                      Filesize

                                      112KB

                                      MD5

                                      14971f481b7062c76d586575793337ff

                                      SHA1

                                      b304d1e004374c6ddacea5d1dd1badfb801ac999

                                      SHA256

                                      4742418697a0dd017f770b3f8d13d33dd9e6ed7ae233561dd0acdb404cbceb70

                                      SHA512

                                      8e229e2a5c45ba626f544db50aa191fc7594924daeaf113a76e8fbd41f6d7685cb3a3780f524a2905cc597d6ab100e3b0c5c1f3ca38001fc5d212dcf984a1b12

                                    • C:\Users\Admin\AppData\Local\Temp\Tar9AD2.tmp

                                      Filesize

                                      171KB

                                      MD5

                                      9c0c641c06238516f27941aa1166d427

                                      SHA1

                                      64cd549fb8cf014fcd9312aa7a5b023847b6c977

                                      SHA256

                                      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                                      SHA512

                                      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                      Filesize

                                      195KB

                                      MD5

                                      8641c55ecd048d914a89425fa77f33f8

                                      SHA1

                                      2409eef9c6e628ba73385c97cf0b7cb5415e4e8f

                                      SHA256

                                      e583efc7e2802726c4eb36261e783568e570b55f34df58d373c30232a02826b0

                                      SHA512

                                      548895ec69d1b438d1fa02d03edb06a7c49113a8c052baf3555b28150285180fd4509fb95665a3756eb97cc0008903d14354412a67f6136286256afac05cc35b

                                    • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

                                      Filesize

                                      1KB

                                      MD5

                                      14899bb280b156e4ca42a95df5724e36

                                      SHA1

                                      47dc380d86b9b6b654f0c5dd25ac363e62fa6147

                                      SHA256

                                      48c72dd6c6350a8cc7b7e8b690718240b701c44b77a82e8af8a1dd0550ed314d

                                      SHA512

                                      b1fc5b75e4ab585f4c9d611aa515e15dedb9aebf6edfc2980dcd9801d9a2ba5a1923761a344ca141bc4fd6c20be247d0f48cfcbf6aaec52319695362853ff644

                                    • C:\Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp

                                      Filesize

                                      209KB

                                      MD5

                                      fe5a53ccca0d99dc5308f3a5df0d426c

                                      SHA1

                                      0d0cba649af01c93ed89cb77a945e51225d27214

                                      SHA256

                                      6cb952f13d4bf199e360eb24afc9b2b48517951710dc364808365a4761b31b61

                                      SHA512

                                      e691f6f565806a4526f868721b7b612c3297102f8dce982b4060107f019a45d5c6bcaeda82ffb0e8ec0e2ff0f2afd7211bbcfd48f50ca3b5a240dd569a695fb2

                                    • C:\Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp

                                      Filesize

                                      350KB

                                      MD5

                                      b3101acef672de20bfdf289831d417df

                                      SHA1

                                      55bdac3cbe4d1bf9a1ec2931f8b33c69f0534465

                                      SHA256

                                      5e66b081ca5dd4933beb8fb303132b2b07d9a91222fb40f4abd9e296e7757a98

                                      SHA512

                                      37af58b427dc3bea188bab6f0ed903b607e9785a8a39f7ec63e50149eeb843cf0e584f4c6f0db4569e5c903ae9469fa6f535d6f2bfd7ec454c15f691e2bbb98d

                                    • C:\Users\Admin\AppData\Local\Temp\latestX.exe

                                      Filesize

                                      270KB

                                      MD5

                                      b3ee5b12f915d23a16ab60aa658ffc55

                                      SHA1

                                      eb7e76cbe53eab2b53fd2df73a997f7f0d9b278d

                                      SHA256

                                      6fdf155a1d7f9c5b2305b4e39347c7e30d503d5052ead22ce48d4573504b813e

                                      SHA512

                                      6fef588f129e4deb314d84a3f9c368f65ba54f9dc87ce16c5e818ea83ca8e029cfc2feefa9c6f0fe8b6345447d17769e393ff1840d17547485f7aff645f19e5c

                                    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                                      Filesize

                                      124KB

                                      MD5

                                      f35d3db92eeaae158ce7a3968a14efb8

                                      SHA1

                                      dc79375693220b702f188812f6f27188ce39181a

                                      SHA256

                                      98e3483cf55dd294d049f221da621e999774542429e1a8e2618908fdc12705a4

                                      SHA512

                                      57b0520dad1b96aeb9852254a37097126bf99bce31849a575fbe4d31044f6088285ee364dd6f21b0f4e7f922b7d71d68bbaa855d0b2f654e30750c7cdb610389

                                    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                      Filesize

                                      81KB

                                      MD5

                                      4ee506a6edf0bc61874eb6fc4316a75f

                                      SHA1

                                      4113b714cf6cb7024c8c357dc0ca1007049dc0fb

                                      SHA256

                                      b4e3602a5b1ca0070240aaec3a925fab39a25c9f85702971db2d6aff7e79e0cd

                                      SHA512

                                      02bf33df67049cb65ab0fd1379e6d6a485f3cd6e1010d1dd1f915af6df03b60dbdeb2c0839b2568992518d5d5fca3350aaa8d4787c8b5b9e34f19901d4b5ef53

                                    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                      Filesize

                                      83KB

                                      MD5

                                      3853b0e25d668535f82213dd99a5b948

                                      SHA1

                                      d303667679c997f9ea72134067de271579e99f41

                                      SHA256

                                      d72834ede42cab598bbc58083e2bc7de2389d53ed0bb67233cc1fdab2e330a89

                                      SHA512

                                      e38965188bee24f387004438e82c3f48a2278a9e8edab85725e261230b597890e15850b911fe92db40e8ba5217471da81c9ff472cae178e5c6f4632144a39623

                                    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                      Filesize

                                      291KB

                                      MD5

                                      cde750f39f58f1ec80ef41ce2f4f1db9

                                      SHA1

                                      942ea40349b0e5af7583fd34f4d913398a9c3b96

                                      SHA256

                                      0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

                                      SHA512

                                      c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

                                    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                      Filesize

                                      167KB

                                      MD5

                                      63a431b1aa1cbd6b34033bee5c519229

                                      SHA1

                                      147767e6c65e26226dcb07dc36898669c431a351

                                      SHA256

                                      298a029ebdcf1d60fcb250bea2abc4c387b2fead7b4169fbe7055a1bcae9d875

                                      SHA512

                                      b8145471f71036e3eacb75bd91bd080fc3c7a931b65d7d8a5bc5dba3eb4f48185aa0b16e9599a38385f32bd07704b55121b3d56cf90f95283e2bc8170a2fda05

                                    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                      Filesize

                                      162KB

                                      MD5

                                      06f60fb2ef4253b1f2056a13f8c23935

                                      SHA1

                                      478442ea8396c1bf1fe498aef41477d61b961547

                                      SHA256

                                      5ff5d392e258ec946c2854d2c9793e956d5bb444bc9199209646cc276b1ff6a6

                                      SHA512

                                      76aa39a89f6433359b31b562114e55b4e8ece593f45722a7cd869fd65a58359423144f63af0495b052078c47b7db9ecc95dfe756ec8f1402b73373392ada2b2a

                                    • C:\Windows\rss\csrss.exe

                                      Filesize

                                      104KB

                                      MD5

                                      20fde3902aa1580a54b0b19b6f024974

                                      SHA1

                                      85718aceb75afe173ec1edff15bbf11eabea48ec

                                      SHA256

                                      4201f2ddcce714a9f9f5299417e8127f3a0d4bc59cbedc30c8b50971ac1ac16d

                                      SHA512

                                      b52f2f9fdefef676036f99543f5c72a7176e5087a2b4e27713b21fc7e29d0b3691208ed3929f82b5b994cb776e9bf5f6ca89659f214105650f0dc11bbd523d21

• C:\Windows\rss\csrss.exe
  Filesize: 13KB
  MD5: 145efcb1fca25f73bd3e210de720c6a9
  SHA1: a82319c4b3f7873e8c208c9ea9ccb48f0032260d
  SHA256: c8eaeb6928c3e1b18e4b25994bb4ddcede51a55a4ec47a9e814ebd5599a6deef
  SHA512: 4de575af4db91b504d17804280dff8e85c52429052a448132ba8ba31314fddde338ed46eed20ddf4cde9af4b81ccafb3c9fdde4fb94bdacc81aa2843e63c2c79

• \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 14KB
  MD5: 5d5bcb3384713386b7856e32c73f4282
  SHA1: 56f411ee92f1f352b62c6a5cb7c56e104e6ce136
  SHA256: 2ffaca3ff0238251c319b5b9213062f70ec1c3f7f581202c9922e72cc4674c64
  SHA512: 44c9f6bb5d31187b14739ef61304934783c136e8adf9826285859c51214e67b2b9d35bc68b602359153b59f704aa3310550f7b42628a42cf1da6e8c0367f1df7

• \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 267KB
  MD5: b8cf498ac0af62ed0192294e399f6452
  SHA1: bbce0afcfc1691cb4e7deb4bb978f8e7539943be
  SHA256: 1f0d23231ce495cdb366dceae4891ec31b8aabdf0d157efead2c2c4d4a07af0d
  SHA512: 1345e6294fec0e626bc2a1b320abcd7d11efbe33f2a406e7ffe5c059cbcce0a0d9dd93f1c37a7debb70068b94152559ad34aeb95ffca67de14012c27e48a27aa

• \Users\Admin\AppData\Local\Temp\Broom.exe
  Filesize: 307KB
  MD5: 05886774af294eeed78667daed46d853
  SHA1: 0ff5ff6ef2c339d8f8c1e25ba3d8f3e3fafd60a6
  SHA256: c6d1db6e7fca2ee94f5f3272e80078d821a46b8dcd34bf46eaa67f7ebc9291bf
  SHA512: cd897c55d02102002fd06725d17558f7b88433f57e2633557c0fdeb91eea06b3708885d0d534dd1acff4bb12e1185d55b4db6b2d6121225cc80f1dbdf6640b90

• \Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  Filesize: 312KB
  MD5: ad289d19b88f23b2f0aaf4ca976fa11e
  SHA1: 3d9874e7e7ba6b45734035d54b4dbcb2be686a54
  SHA256: 17ff2bc2dd9fe62f57bda8ed764c89502c9f89625075cf53b99feea503e3c9a5
  SHA512: bae52320fb6f5d929d525a6a26e4fb1597b8470ab1fc83255817cd7e598a20b0a4cdb42e96137f8d68c0ca90aa8ba3bcb2146e7e5fd679fd46bac8b98ebcabd1

• \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Filesize: 95KB
  MD5: fadf512f1858a17c683d4daf66a558ef
  SHA1: 7e8d5ce671b60864f6627c61036f63d2c08a55af
  SHA256: 02842ad9fd4b661127b8c9c24030c0aa24b84e06b2f526d22d382073d2cc0b3b
  SHA512: e87770e1882cdd2fa6815c770d6bf495f259257ba0a5a2260a6d80f38fc27346a2ed216ed04904a05b091a1826f7fdddb6b9d8aa85e1a6343265a2b08054463a

• \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 65KB
  MD5: 8a2b307b3b29e7f1589055d8a1995981
  SHA1: c676cef29e91e921e192b27c460cb6c57453f929
  SHA256: 911f4db477e737aadcc5070527751a7a019eccfb88556f779d5046ca1f60760e
  SHA512: 558a0a7d97efe3bd24861016e9c01e3727b3d9c250a37e37aa1baa0d36df43dfabb45472affb43950178bfc3d12e7381b75733c273db2d52643338e57492b3d4

• \Users\Admin\AppData\Local\Temp\dbghelp.dll
  Filesize: 20KB
  MD5: 7fbab40305099da1a29a7244cf2ceec6
  SHA1: 8fbdec46a8aacf36f27285dc1614ea5fa601b1ec
  SHA256: 9854a36359c3e7e591d17cbe31fb5fd7ccb33984166dc57f1bf32411cf2c35f7
  SHA512: 55600f4d1b4270f4bec08a88f099bd6f5e4291bfdbfa19c7fb1bb5cb74f672c320cdf38a26292e6d2eabee2f59e4578f7a34058a5091888a901f407de976158f

• \Users\Admin\AppData\Local\Temp\is-1AVAA.tmp\tuc3.tmp
  Filesize: 127KB
  MD5: faf37780b80332d441d02a7e26e2c96a
  SHA1: 247226248a0ac167a2f4b25bd6e50ebf00890e3c
  SHA256: 7314f22299ecceb3bf6e3bbf81e04f9b8ad512ba9065aa3237c6918d5342bb85
  SHA512: 5e4414961909904fe261dcac79aaff46fe25eeb8e1fbfc00bb1b94ec8f73086f51af5dd2f789c44e653671c6026fcb2a627cbafbcabea47162ca963c14007448

• \Users\Admin\AppData\Local\Temp\is-I686L.tmp\_isetup\_iscrypt.dll
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

• \Users\Admin\AppData\Local\Temp\is-I686L.tmp\_isetup\_isdecmp.dll
  Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

• \Users\Admin\AppData\Local\Temp\is-I686L.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

• \Users\Admin\AppData\Local\Temp\latestX.exe
  Filesize: 106KB
  MD5: 086a4e6f0e69edd786756b55cc3dece5
  SHA1: a43aedfc2efd7e15f413bfdbce1c32382bde94b0
  SHA256: f1681752a22480255690b2bfc89a83a0f170ee61fa2916819af20a342f98f6e8
  SHA512: fb2a4963d2b675ff9e127b03ffa67b76a5583255fcf396740c95708a1edb9e7cb90440778ab020cb336d76b8ec98c65a83611f7f81f6967b9247b0b7bc42864e

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 204KB
  MD5: 45dccb1b8029477ab402875fdb88c515
  SHA1: b66b74d03844ab0196d02b50ede92767495ea526
  SHA256: 86b3d18940d18cdbe793397df62bfe65985ee1edb792bf2d4e411f0af5d4ed8f
  SHA512: b7b5a51b922e6725700aeefa19645c32941a34856308018aaa0451e4d5172370354e9e7fb9674124dc1a7f6040cd2b61f82a0a192984f156c43702ee27c27154

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 192KB
  MD5: 35c8d6357dfc8f991502c65375a29dcd
  SHA1: 014ea155264cd2c365ed0d52408a2f6c9bb9703e
  SHA256: 567d11655d1196e65d10ac905da5c35012679a18832841c7b27c71df1492ddd8
  SHA512: d000359ea4f59aa0462df9d9d4fce4960f7c325c2f7ae04af605960c8ae1828aa9ccbe6227096f2808ba0999bc5667fd90da7c6d7f8d1ec4e7626c9ed622e4c0

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 138KB
  MD5: 6ecca294795a99700300ab0f040e27ee
  SHA1: f29b9cf5b360eae1ed2484f2b0921d583de6aab9
  SHA256: 5b8a789397ed95db15c6533d5d1366ef05484757c1cc17f7476924e7a56b8b3b
  SHA512: 045a330f52afb955509fa040b7824640ca1e0ba8aa78beebcce5938f1010fababd0dc58a6dec10b7af1ec1f73cfb494406ead644494a69f21842290ca97dacad

• \Users\Admin\AppData\Local\Temp\symsrv.dll
  Filesize: 32KB
  MD5: 894e5be94497dc2a4e7234606c470fd9
  SHA1: 33cff98a477467fbda39f09e9898bc95d8a384d1
  SHA256: 9140c147f571d48cf893524b8db5bee41e6614fce6c4ab598b3b8142e3500b4d
  SHA512: 35e9bb5011ce6d426d1fcc611be99e8ea8d27f932f9290cef0c9d205647e595278356e34531ccc0438d49c45b7623e2e0ac9af5cc90137a52df438c52b83644b

• \Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 15KB
  MD5: 4c6c21fde024c715455e162252f56ed0
  SHA1: d2f47b3702202118a144e3b79f8b4246751ae2a1
  SHA256: b18feac48194921b06144cff0fd1773ba8ff34a4ccf6bed1eddea3f1fbd1d721
  SHA512: 74a5d14042ee2e7a2c4899a9b4097d4ea84f719500b1f7979211d7f5e80d79116a3704f0317a899f03caee2e2e35f9e5dd6c9ec7866598f214db3d94e2af504e

• \Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 206KB
  MD5: f86cf6200f494d752f253cdbd19d803c
  SHA1: acd1d3575c240ba5301566543f6dc0ec3042fd42
  SHA256: 12b9ecb086dab69a1b1a6528f8828eec4d010eaa1dbcb02d28a7142c3664c949
  SHA512: eb642fa24ca69b94c221f5e3cf1b427caf727c524235494683a6ba33aadc5e1f481d5424c1d317000dc94f3a64d8be3cd56caaba3b906a200a344638d06f83a0

• \Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 114KB
  MD5: 072cb6354f92d0787ba915a16f932b3a
  SHA1: 36c1cc6ff40bdc41987a946e0ce1cb3662b6e035
  SHA256: ea32f537593cd818d69117d516b8c8c38de59507dec9c87387f6e89f8a16e623
  SHA512: 92d4c3856604bf64d610dd6f0d4483f6d98958b1562341e971a8a20bdb8361c57074fd0d6e138f9389d97506d1dd855ea3ccb0bd8d46184fc310b185b0b8a74b

• \Users\Admin\AppData\Local\Temp\tuc3.exe
  Filesize: 205KB
  MD5: d659f2336803753a3b4a5850c1f2a61e
  SHA1: 2adc1088d335bd8396cdddbba84168f80d0747c0
  SHA256: a7c221856da6a59db574ee50b9d2071a601b61db4a50c996f17e2e18b018fe6d
  SHA512: d7237e17ba31c14e8defa9cdf07bc5556c3f5e06aef795f9b39db9b01ab70c771703a717a289e709a518de4710bde0427c48bd5f179d72713d51fa4f441229a4

• \Windows\rss\csrss.exe
  Filesize: 184KB
  MD5: 345be50e2ba05b6ad28a2c2015a5f0c3
  SHA1: 97d98403ff1437790c6c023f8269f12c26b042b6
  SHA256: 5e9e90227a5899fb20260ba2d650e29b65659e32a8a45f91d31cfd9ea3d84f13
  SHA512: 43d6eeb1762c497b9155281a01df2a914c2646464477541a067c436cdb9a73e7736b3a2b544b55c8cd701070b835ddfa543f3148cbd549e65ddc4086f189aaaf

• \Windows\rss\csrss.exe
  Filesize: 119KB
  MD5: c69ea50075cf2d708cb00fcfdc7b228e
  SHA1: 32113495418e2e7c9c73fe26f118f774da48e3d5
  SHA256: baec7ec725bf6c8b9b5b70fa68775e928a9e4c3ea3f955aee11cd5f989cfaec3
  SHA512: aaf5b1000e41b232b76d39e5141ed1657df61fd49adf53ef1ca605923b85a1a6d362d3600045d767572123b3ac97053df0fadf8e5c8e9686504eb56aa69f9e6d
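
The dropped-file entries above can be turned into checkable indicator records. The Python below is an added worked example, not code from the tria.ge report or its tooling: it parses a copy of a few of the entries above (SHA512 lines left out for brevity), checks that every hash is hex of the right length before it goes into a blocklist, groups entries that share a path (the same path appears with different hashes, so each hash is a separate indicator), and flags file names that belong to Windows-shipped binaries but sit outside System32 or SysWOW64, as C:\Windows\rss\csrss.exe does. The SYSTEM_NAMES and SYSTEM_DIRS tables and all function names are this example's own assumptions.

```python
"""Dropped-file listing -> checkable IOC records (added example, not report code)."""
import hashlib
import re
from collections import defaultdict

# Copied from the dropped-file listing above (subset; SHA512 lines omitted).
LISTING = r"""
• C:\Windows\rss\csrss.exe
  Filesize: 13KB
  MD5: 145efcb1fca25f73bd3e210de720c6a9
  SHA1: a82319c4b3f7873e8c208c9ea9ccb48f0032260d
  SHA256: c8eaeb6928c3e1b18e4b25994bb4ddcede51a55a4ec47a9e814ebd5599a6deef
• \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 14KB
  MD5: 5d5bcb3384713386b7856e32c73f4282
  SHA1: 56f411ee92f1f352b62c6a5cb7c56e104e6ce136
  SHA256: 2ffaca3ff0238251c319b5b9213062f70ec1c3f7f581202c9922e72cc4674c64
• \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 267KB
  MD5: b8cf498ac0af62ed0192294e399f6452
  SHA1: bbce0afcfc1691cb4e7deb4bb978f8e7539943be
  SHA256: 1f0d23231ce495cdb366dceae4891ec31b8aabdf0d157efead2c2c4d4a07af0d
• \Users\Admin\AppData\Local\Temp\dbghelp.dll
  Filesize: 20KB
  MD5: 7fbab40305099da1a29a7244cf2ceec6
  SHA1: 8fbdec46a8aacf36f27285dc1614ea5fa601b1ec
  SHA256: 9854a36359c3e7e591d17cbe31fb5fd7ccb33984166dc57f1bf32411cf2c35f7
• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 204KB
  MD5: 45dccb1b8029477ab402875fdb88c515
  SHA1: b66b74d03844ab0196d02b50ede92767495ea526
  SHA256: 86b3d18940d18cdbe793397df62bfe65985ee1edb792bf2d4e411f0af5d4ed8f
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption for this example: file names that ship with Windows and the
# directories the genuine copies live in. dbghelp.dll and symsrv.dll also ship
# with debugging tools, so a hit is a lead to check, not proof on its own.
SYSTEM_NAMES = {"csrss.exe", "dbghelp.dll", "symsrv.dll"}
SYSTEM_DIRS = {r"\windows\system32", r"\windows\syswow64"}


def parse_listing(text):
    """Parse '• path' bullets followed by 'Label: value' lines into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
        elif ":" in line and records:
            label, value = line.split(":", 1)
            records[-1][label.strip()] = value.strip()
    return records


def hash_problems(rec):
    """Labels whose value is not lowercase hex of the expected length (copy errors)."""
    return [label for label, n in HEX_LEN.items()
            if rec.get(label) is not None and not re.fullmatch(rf"[0-9a-f]{{{n}}}", rec[label])]


def masquerade_hits(records):
    """Paths whose file name is a Windows system binary but whose directory is not a system dir."""
    hits = []
    for rec in records:
        p = rec["path"].lower()
        if p[1:2] == ":":          # drop the drive letter so C:\Windows and \Windows compare equal
            p = p[2:]
        directory, _, name = p.rpartition("\\")
        if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            hits.append(rec["path"])
    return hits


def snapshots_by_path(records):
    """Paths listed more than once: the content changed during the run, so each hash is its own IOC."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["path"]].append(rec["SHA256"])
    return {path: shas for path, shas in groups.items() if len(shas) > 1}


def digests(data):
    """MD5/SHA1/SHA256/SHA512 of a byte string, keyed like the listing."""
    return {label: getattr(hashlib, label.lower())(data).hexdigest() for label in HEX_LEN}


def match_record(data, records):
    """The listing record whose SHA256 equals that of data, or None if it is not a listed file."""
    sha = hashlib.sha256(data).hexdigest()
    return next((r for r in records if r.get("SHA256") == sha), None)


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for r in recs:
        print(r["Filesize"].rjust(6), r["SHA256"], r["path"], hash_problems(r) or "ok")
    print("system-binary names outside system dirs:", masquerade_hits(recs))
    print("paths with more than one hash:", snapshots_by_path(recs))
```

To check a file recovered from a host, read its bytes and pass them to `match_record`; a `None` result means it is not one of the listed drops, and `digests` gives the values to add if it turns out to be a new variant.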

• memory/364-120-0x00000000008F0000-0x00000000009F0000-memory.dmp
  Filesize: 1024KB

• memory/364-121-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB

• memory/1052-103-0x0000000073FC0000-0x00000000746AE000-memory.dmp
  Filesize: 6.9MB

• memory/1052-28-0x00000000000F0000-0x00000000015A6000-memory.dmp
  Filesize: 20.7MB

• memory/1052-27-0x0000000073FC0000-0x00000000746AE000-memory.dmp
  Filesize: 6.9MB

• memory/1216-1-0x0000000002AB0000-0x0000000002AC6000-memory.dmp
  Filesize: 88KB

• memory/1216-134-0x0000000002CB0000-0x0000000002CC6000-memory.dmp
  Filesize: 88KB

• memory/1272-133-0x0000000002660000-0x0000000002A58000-memory.dmp
  Filesize: 4.0MB

• memory/1272-154-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/1272-144-0x0000000002660000-0x0000000002A58000-memory.dmp
  Filesize: 4.0MB

• memory/1272-145-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/1464-0-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

• memory/1464-2-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

• memory/1936-140-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/1936-74-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/1944-17-0x0000000073F70000-0x000000007465E000-memory.dmp
  Filesize: 6.9MB

• memory/1944-18-0x0000000007740000-0x0000000007780000-memory.dmp
  Filesize: 256KB

• memory/1944-21-0x0000000073F70000-0x000000007465E000-memory.dmp
  Filesize: 6.9MB

• memory/1944-12-0x0000000000080000-0x00000000000BC000-memory.dmp
  Filesize: 240KB

• memory/1996-128-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

• memory/1996-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/1996-135-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

• memory/1996-126-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

• memory/2044-143-0x000000013F7E0000-0x000000013FD81000-memory.dmp
  Filesize: 5.6MB

• memory/2072-117-0x0000000002A50000-0x000000000333B000-memory.dmp
  Filesize: 8.9MB

• memory/2072-116-0x0000000002650000-0x0000000002A48000-memory.dmp
  Filesize: 4.0MB

• memory/2072-130-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/2072-114-0x0000000002650000-0x0000000002A48000-memory.dmp
  Filesize: 4.0MB

• memory/2072-118-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/2072-131-0x0000000002A50000-0x000000000333B000-memory.dmp
  Filesize: 8.9MB

• memory/2092-216-0x0000000073CE0000-0x00000000743CE000-memory.dmp
  Filesize: 6.9MB

• memory/2092-215-0x0000000000840000-0x0000000000DF2000-memory.dmp
  Filesize: 5.7MB

• memory/2092-217-0x0000000004FE0000-0x0000000005020000-memory.dmp
  Filesize: 256KB

• memory/2136-139-0x0000000000400000-0x0000000000965000-memory.dmp
  Filesize: 5.4MB

• memory/2136-167-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB

• memory/2136-79-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB

• memory/2212-141-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB

• memory/2212-169-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB

• memory/2212-89-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB

• memory/2604-142-0x0000000002020000-0x0000000002060000-memory.dmp
  Filesize: 256KB

• memory/2604-38-0x0000000000880000-0x00000000008BC000-memory.dmp
  Filesize: 240KB

• memory/2604-40-0x0000000073FC0000-0x00000000746AE000-memory.dmp
  Filesize: 6.9MB

• memory/2604-44-0x0000000002020000-0x0000000002060000-memory.dmp
  Filesize: 256KB

• memory/2604-132-0x0000000073FC0000-0x00000000746AE000-memory.dmp
  Filesize: 6.9MB

• memory/2604-155-0x0000000073FC0000-0x00000000746AE000-memory.dmp
  Filesize: 6.9MB

• memory/2624-168-0x00000000027F0000-0x0000000002BE8000-memory.dmp
  Filesize: 4.0MB

• memory/2624-172-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/2624-170-0x00000000027F0000-0x0000000002BE8000-memory.dmp
  Filesize: 4.0MB

• memory/2992-183-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB

• memory/2992-192-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB
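
The memory-dump names above carry the PID, a sequence number and the dumped address range, so the listed Filesize can be recomputed from the name. The Python below is an added worked example, not code from the tria.ge report: it parses a subset of the names above, checks that end minus start reproduces the printed Filesize (whole KB up to 1 MiB, otherwise MB to one decimal, a convention read off the listing rather than documented anywhere), picks out dumps that start at the default PE image bases 0x400000 and 0x140000000 (the first dumps to carve an unpacked image from), and notes identical regions that recur across PIDs, which usually means a shared module rather than injected code. The naming convention and both heuristics are this example's own assumptions.

```python
"""Decode memory-dump names and recheck listed sizes (added example, not report code)."""
import re
from collections import defaultdict

# (dump name, listed Filesize) pairs copied from the listing above (subset).
DUMPS = [
    ("memory/364-120-0x00000000008F0000-0x00000000009F0000-memory.dmp", "1024KB"),
    ("memory/364-121-0x0000000000220000-0x0000000000229000-memory.dmp", "36KB"),
    ("memory/1052-28-0x00000000000F0000-0x00000000015A6000-memory.dmp", "20.7MB"),
    ("memory/1052-27-0x0000000073FC0000-0x00000000746AE000-memory.dmp", "6.9MB"),
    ("memory/1216-1-0x0000000002AB0000-0x0000000002AC6000-memory.dmp", "88KB"),
    ("memory/1272-133-0x0000000002660000-0x0000000002A58000-memory.dmp", "4.0MB"),
    ("memory/1272-154-0x0000000000400000-0x0000000000D1C000-memory.dmp", "9.1MB"),
    ("memory/1464-0-0x0000000000400000-0x000000000040B000-memory.dmp", "44KB"),
    ("memory/1996-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2044-143-0x000000013F7E0000-0x000000013FD81000-memory.dmp", "5.6MB"),
    ("memory/2072-117-0x0000000002A50000-0x000000000333B000-memory.dmp", "8.9MB"),
    ("memory/2212-141-0x0000000000400000-0x00000000004BD000-memory.dmp", "756KB"),
    ("memory/2604-38-0x0000000000880000-0x00000000008BC000-memory.dmp", "240KB"),
    ("memory/2604-40-0x0000000073FC0000-0x00000000746AE000-memory.dmp", "6.9MB"),
    ("memory/2992-183-0x0000000140000000-0x00000001405E8000-memory.dmp", "5.9MB"),
]

# Naming convention as read off the names above (assumption):
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Default PE image bases: 0x400000 for 32-bit executables, 0x140000000 for
# 64-bit ones. A dump starting there is the first place to look for an
# unpacked or overwritten main image (heuristic, not a feature of the report).
IMAGE_BASES = {0x400000, 0x140000000}


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and the dumped address range."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format like the report: whole KB up to and including 1 MiB, else MB to one decimal."""
    if n > 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def size_mismatches(dumps):
    """Names whose address range disagrees with the Filesize printed beside them."""
    return [name for name, listed in dumps
            if human_size(parse_dump_name(name)["size"]) != listed]


def regions_by_pid(dumps):
    """Dumped regions grouped by process id, in listing order."""
    by_pid = defaultdict(list)
    for name, _ in dumps:
        region = parse_dump_name(name)
        by_pid[region["pid"]].append(region)
    return dict(by_pid)


def image_base_dumps(dumps):
    """Dumps whose region starts at a default PE image base."""
    return [name for name, _ in dumps if parse_dump_name(name)["start"] in IMAGE_BASES]


def shared_regions(dumps):
    """(start, size) pairs dumped from more than one PID, with the sorted PIDs.

    The same range at the same address in several processes is usually a
    shared mapped module; a range unique to one process is the one to read first.
    """
    seen = defaultdict(set)
    for name, _ in dumps:
        region = parse_dump_name(name)
        seen[(region["start"], region["size"])].add(region["pid"])
    return {key: sorted(pids) for key, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS) or "none")
    for pid, regions in regions_by_pid(DUMPS).items():
        print(pid, [f"{r['start']:#x}+{human_size(r['size'])}" for r in regions])
    print("image-base dumps:", image_base_dumps(DUMPS))
    print("regions shared across PIDs:", shared_regions(DUMPS))
```

Note that PID 2044's 5.6MB region starts at 0x13F7E0000, not 0x140000000, so it is not picked up as an image base: a 64-bit image relocated by ASLR lands at an address like that, and the heuristic only catches the unrelocated case.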