Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-03-2024 02:59

General

  • Target

    cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe

  • Size

    161KB

  • MD5

    6b08812a6837ef81f21ddd7dc04aadcb

  • SHA1

    ef9acb2bd522fd21e7ee1bdfd1c6ac6522ee5952

  • SHA256

    cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6

  • SHA512

    51534f2963b483c91eca6bdd8aa04cd2441d9c24dc6da276c057c3137714510a4ddda9a25845890748887f096cc31889093c3389c8219e0a90911d166c2e3e7d

  • SSDEEP

    3072:6iZpyDaHgA6pqu3oHS8rys0iCXlRTmmXR8su4:6qpyMMpWyKpURf

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .wisz

  • offline_id

    4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.1

Botnet

e2da5861d01d391b927839bbec00e666

C2

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes
  • profile_id_v2

    e2da5861d01d391b927839bbec00e666

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Signatures

  • DcRat 5 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Vidar Stealer 5 IoCs
  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs 7 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 8 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs
  • Detects executables Discord URL observed in first stage droppers 4 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 4 IoCs
  • Detects executables containing artifacts associated with disabling Windows Defender 4 IoCs
  • Detects executables referencing many varying, potentially fake Windows User-Agents 4 IoCs
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 25 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe
    "C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1984
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A3818EEB-2F67-490D-832B-698D71A791AB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Roaming\ggaujte
      C:\Users\Admin\AppData\Roaming\ggaujte
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2520
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:2328
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        3⤵
        • Executes dropped EXE
        PID:1640
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
          4⤵
          • DcRat
          • Creates scheduled task(s)
          PID:1556
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:2036
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        3⤵
        • Executes dropped EXE
        PID:2188
  • C:\Users\Admin\AppData\Local\Temp\B107.exe
    C:\Users\Admin\AppData\Local\Temp\B107.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\B107.exe
      C:\Users\Admin\AppData\Local\Temp\B107.exe
      2⤵
      • DcRat
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\d03ea5d4-e539-4448-8664-d65c9af83172" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\B107.exe
        "C:\Users\Admin\AppData\Local\Temp\B107.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Users\Admin\AppData\Local\Temp\B107.exe
          "C:\Users\Admin\AppData\Local\Temp\B107.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe
            "C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:592
            • C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe
              "C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe"
              6⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious use of WriteProcessMemory
              PID:560
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1452
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2860
          • C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe
            "C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe
              "C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe"
              6⤵
              • Executes dropped EXE
              PID:2816
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:3036
  • C:\Users\Admin\AppData\Local\Temp\8400.exe
    C:\Users\Admin\AppData\Local\Temp\8400.exe
    1⤵
    • Executes dropped EXE
    PID:2396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 124
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:1592
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\8B9F.bat" "
    1⤵
    PID:1644
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:2636
  • C:\Users\Admin\AppData\Local\Temp\9AEA.exe
    C:\Users\Admin\AppData\Local\Temp\9AEA.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\9AEA.exe
      "C:\Users\Admin\AppData\Local\Temp\9AEA.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1240
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        PID:2036
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2764
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • DcRat
          • Creates scheduled task(s)
          PID:2840
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2172
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          PID:2888
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          PID:2364
  • C:\Users\Admin\AppData\Local\Temp\A97B.exe
    C:\Users\Admin\AppData\Local\Temp\A97B.exe
    1⤵
    • Executes dropped EXE
    PID:1608
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240307030120.log C:\Windows\Logs\CBS\CbsPersist_20240307030120.cab
    1⤵
    • Drops file in Windows directory
    PID:2924
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2324
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x514
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            1KB

            MD5

            285f2d7ac11b816c0b93dddd72f3f074

            SHA1

            70bfc113e962459afabde81294847754bf7ae540

            SHA256

            fa170ab755d01dd13745aa6c2bbc19a90b57ff0abf67574147a2389e97899939

            SHA512

            5c0148dd35a8a626d003269910b7ca283bd3619d658f968d04b268674f188e6f00ba5f26dc1f59847e02929770d70075546027fc5e1e2cff85ffb93c71b7797e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

            Filesize

            67KB

            MD5

            753df6889fd7410a2e9fe333da83a429

            SHA1

            3c425f16e8267186061dd48ac1c77c122962456e

            SHA256

            b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

            SHA512

            9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

            Filesize

            724B

            MD5

            8202a1cd02e7d69597995cabbe881a12

            SHA1

            8858d9d934b7aa9330ee73de6c476acf19929ff6

            SHA256

            58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

            SHA512

            97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            410B

            MD5

            2801de9920c6baea37c2489b87217d33

            SHA1

            c12fc198e96342f58d7a94306b361aafa7a05715

            SHA256

            7a38a893365733cf00d0ae05d1f4a4e23b343d034aa369602e12d6717495f679

            SHA512

            29762b08b24efc5d078f980c0055ff95c0668ba2912337d08aa00cc8fcdb15f20f87fb0d526a149a9f1f084d126189f1ca54fe3dd3b90b100b5ece3a5ab98732

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            fbcb2263030fefb2e0709ec8e80c29f5

            SHA1

            f94c3db1ee468bc4857808206ea2a1d2da59add8

            SHA256

            820805d1e7d5aa90287991b4167755eaa079c8df840f5a32e5779bb97bfaf9b7

            SHA512

            29386e93517e28e6e41f9688dedcd62d9c06cfd22586530dfe68b8cd365ac6491496c3311a74334e8d7e811a3956b0c9837c36693fb36168400f06996d2be538

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            07c8a5a45acffa02672f3dfd2d4bc209

            SHA1

            25d304cb84ff447de7d80c92b1e8512e97e439fd

            SHA256

            8a679531ad28dbeafda183c7ce982b540353dc668a8818e24a7f3c42fbbd8c4a

            SHA512

            bc6bf973fc339357adc230f56dd5d79681c11f455aa862298b5f9098c1db77d99467f36f9fc077b38517e4743f3313ecf8ec3cbab0e2defd92e75f2e00346abc

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            6f63321f5f5d2b2f9d0be768d26806d0

            SHA1

            edff18216c1c35a7a218892c762d52f0a4f744d9

            SHA256

            04d7392e2490d7e9f33f78c48135b9b996ad331c127d1665468ac6ee343e8bb0

            SHA512

            4a1573654c2e6ad2790b65e7812985d527184eece19c17af8a2890af434cfc35327479beb049528ba41524ad252ec339c10f144afe2e019b8816dc76511608ea

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            a40854e3666f6b70c1d51090e809da79

            SHA1

            125ca6388974e07cee0a2cf1961f3cf3eed67018

            SHA256

            608274be4d04b052405ed19dd81191589580bfdde006ed47349006623a1fd528

            SHA512

            96a306567634a27fc649625503bc47d73a8be6814309551e5c0da2586dee70bb26fb615049f583bbc4fd64be7d83ac3dd2b30bd029b53f6cd3cbe9b7c48e97be

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

            Filesize

            392B

            MD5

            c07b8918d69c84ec46746d67bb13882b

            SHA1

            573bf65977d8b835740353c9df50e27ed236c3cb

            SHA256

            9020a9a03876703b31f10286c161f0e63b8f45e0949591a8ff4ada02ad8b2b0d

            SHA512

            3c80d37d130eb02276eb92f20d7d237207d02e4db81807b6754ab1d120d7676ab7557a0bad77fcb7f4d243538894f42dfcd3dfbc47a4559fdca072bcf2b0c268

          • C:\Users\Admin\AppData\Local\Temp\8400.exe

            Filesize

            6.7MB

            MD5

            74cf066c5c492eb825b36550b1e38326

            SHA1

            8f211213fbd6905b5e44bf2af07e481832198a7f

            SHA256

            24201da166b3e59a7a2b79f24881222c41e35f26642dd757fcc51ec47c9404e4

            SHA512

            24ad3ebb70332741959b13be504ec2b3baee9668bb3a8e8ae314432ac2e084ad11c03f4abfba6f7557273cddb1b3d2e2361c71246f3fd7fccabae218dd8b2e91

          • C:\Users\Admin\AppData\Local\Temp\8B9F.bat

            Filesize

            77B

            MD5

            55cc761bf3429324e5a0095cab002113

            SHA1

            2cc1ef4542a4e92d4158ab3978425d517fafd16d

            SHA256

            d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

            SHA512

            33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

          • C:\Users\Admin\AppData\Local\Temp\9AEA.exe

            Filesize

            4.1MB

            MD5

            1047d7617f162d488920965b0a8b876c

            SHA1

            059afd73ca2f9b7c358979a6f1cc99c5424281a2

            SHA256

            58b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c

            SHA512

            698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac

          • C:\Users\Admin\AppData\Local\Temp\A97B.exe

            Filesize

            7.8MB

            MD5

            8babbf946d6940eada5665365bf991a8

            SHA1

            6fed66e0d53ba25408f215ac93cc31d47686f9e7

            SHA256

            dec503a2ada818c3f62f5266223d0798f8be864b78069da5e9e6d5be96480fc8

            SHA512

            a2faee99ebb8cd1fe785ebba8fcd89f13914a4f8260997ab43f0cbbcf1182f0beed6f67aa54d902d0c1946b012183a6678378fb8ea154d26ac64c0cde38aad2a

          • C:\Users\Admin\AppData\Local\Temp\B107.exe

            Filesize

            709KB

            MD5

            b4496d2224777403415440dfe5f13a86

            SHA1

            5c175589db78cce01a9730eb85e2898bdafe2a5a

            SHA256

            d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548

            SHA512

            0bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158

          • C:\Users\Admin\AppData\Local\Temp\CabC34F.tmp

            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\TarE58F.tmp

            Filesize

            171KB

            MD5

            9c0c641c06238516f27941aa1166d427

            SHA1

            64cd549fb8cf014fcd9312aa7a5b023847b6c977

            SHA256

            4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

            SHA512

            936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          • C:\Users\Admin\AppData\Local\Temp\TarE74A.tmp

            Filesize

            175KB

            MD5

            dd73cead4b93366cf3465c8cd32e2796

            SHA1

            74546226dfe9ceb8184651e920d1dbfb432b314e

            SHA256

            a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

            SHA512

            ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

            Filesize

            622KB

            MD5

            a72b8d7d2a4c95bb95291333dad0f299

            SHA1

            340d4d5616108f8792a5dc6e5ffa9aaf76c17b30

            SHA256

            d124b8192df1fb8abc403345d7e449f7f4198a96112a8b3679dd91021c5343ae

            SHA512

            179afd00f8f6ba55d5620e9347bcb6b6d4928f14f814cacc7885fa80a21934fd29a66311a2f41f6d3c5ebe8484aaec3e53033782b53c229168631a04dfb7b2c5

          • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

            Filesize

            5.3MB

            MD5

            1afff8d5352aecef2ecd47ffa02d7f7d

            SHA1

            8b115b84efdb3a1b87f750d35822b2609e665bef

            SHA256

            c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

            SHA512

            e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

            Filesize

            147KB

            MD5

            1e0dc10583d56a7d52f474775f2e7f6d

            SHA1

            13bd4ef3d097a4f5ff603d81a1473eb4e7e47cf8

            SHA256

            8cce58bc29d929fcd68e8f149818482575eb14dd31546b49c3a7bd64c2b4f0e3

            SHA512

            d301a6c078bd0ac7fd8b7a519a90dd74ebabc59010f0c1d517f19b52fd36e30b2e4495300f6859c8c7a72e8e63777ab146173cee8f8bc3fb2ea826ecd585d733

          • C:\Users\Admin\AppData\Roaming\ggaujte

            Filesize

            161KB

            MD5

            6b08812a6837ef81f21ddd7dc04aadcb

            SHA1

            ef9acb2bd522fd21e7ee1bdfd1c6ac6522ee5952

            SHA256

            cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6

            SHA512

            51534f2963b483c91eca6bdd8aa04cd2441d9c24dc6da276c057c3137714510a4ddda9a25845890748887f096cc31889093c3389c8219e0a90911d166c2e3e7d

          • \Users\Admin\AppData\Local\Temp\8400.exe

            Filesize

            2.7MB

            MD5

            ab9d7e76980389ff965ec48450dec3b2

            SHA1

            e57dcc457df70558c157359e148e3f8eed5e75ce

            SHA256

            de64653f0b9de1b5b785d673c11184e41369ae2e1d9461bc35323ebdd7ed066e

            SHA512

            0f691cc9f09303693899e7b5788cfc44360d4f8ebab4bf19ce5f98349d6d854931a5a555cc13617e34f5c49625ec0ce0cfcad0a5c79af1c92036eec43feef0bd

          • \Users\Admin\AppData\Local\Temp\8400.exe

            Filesize

            1.9MB

            MD5

            52b3771dbbce31889417e6998ece0eff

            SHA1

            4f1cede4c6d9466afcb6535bf8a95dc413b47307

            SHA256

            f0295fce13d569822734997dc6978fdfee3d2d5f8bc4d799811b414161f4fb8b

            SHA512

            82c193a095f4533c38b4a6ca263f0686440b400cf1c39665d4ed42b56140a059b44927f064fe67f051c2bfb3158e116db63c5280a83f85425e03de52568ef88d

          • \Users\Admin\AppData\Local\Temp\8400.exe

            Filesize

            1.5MB

            MD5

            8fc4b25ebdbc8c21a0f2ec2ce67b524d

            SHA1

            985f7e751116a82a60a1268beaa33313c2aa09c4

            SHA256

            0062cb5b16bc9000f88068923d06d1b8892d3eb5f951828688908ed2fec24ef4

            SHA512

            bc67115197e44f3532731e2c3b9d130b7768db1968dbfbe81ea1ea2fc40e54a90e2a8934e8a55ab63d73b5d446a53c8fc999d3da35dcb2b0eabfd825bee59efb

          • \Users\Admin\AppData\Local\Temp\A97B.exe

            Filesize

            7.5MB

            MD5

            f252a3dfd11f05e2314783081c0c4b5c

            SHA1

            d0ed1604fc16b02adfeec1ec793ea863fe2a4abc

            SHA256

            851f51b86f3b3ef32336319c96c96c52f2cd4e1b26fd2ec1766e8c52a33624a0

            SHA512

            f15a2bddf5ba66fb94d77e700c200d0d169fb83fe5dfae75ced66aa7abebaa7695853157a0f532786bfda72eb503c927fd9403dda6cd2e3177d43b84a6dfeaf6

          • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

            Filesize

            1.5MB

            MD5

            9dff555b1d58255f7e0832757c06b9df

            SHA1

            acc751850de6e59efb92dbd01fb5924c29225d2e

            SHA256

            527c55ff3e2df25f6b6e14db946cf22fcc8cefbbd46b62133c473f92750f3a49

            SHA512

            ffcdc62c51cc216c689517536319f781c4b013e3b40bb807d322751feabc90b19dfdc2411cce188cbb5cfa376e70825f492e6bd787353bbcd25f0108912fff23

          • \Users\Admin\AppData\Local\Temp\dbghelp.dll

            Filesize

            64KB

            MD5

            2a1cb59786bb9ef9b0346b1088b4ff87

            SHA1

            609c3351ac97a0a18c6977f238b8d95b0a1146d4

            SHA256

            f7e146bfc1eb0b4d7b9c34828784ec949168888fec6ec92b702395766bca3359

            SHA512

            96c1a487b2a8facb49c2d63caa658d8d4652d79cada5eeb8dc9b956cb989c58d43bce1a09574262827f1f7ce8b1aef1cf6a65834242c42c6892f58c9b3f14d7f

          • \Users\Admin\AppData\Local\Temp\symsrv.dll

            Filesize

            41KB

            MD5

            e584d9ddc0b1a70f87a1293933d9a72b

            SHA1

            835402fced4c4677b85b8268e8c055706bd887d6

            SHA256

            6b3355da81521afd36bf54c23ddf0fc5ba21ffb6fa9ca44910f9597f0645494f

            SHA512

            f99c334bbc58578ba19e1053dbe5e3e3416259b0ef7e2bb126afaf22829448071a29fc731d49e86134f5788033fd63b365261fa1bede4ccf514f8aba3be2de35

          • \Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe

            Filesize

            219KB

            MD5

            d37b17fc3b9162060a60cd9c9f5f7e2c

            SHA1

            5bcd761db5662cebdb06f372d8cb731a9b98d1c5

            SHA256

            36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f

            SHA512

            04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

          • \Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe

            Filesize

            299KB

            MD5

            41b883a061c95e9b9cb17d4ca50de770

            SHA1

            1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

            SHA256

            fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

            SHA512

            cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319


            64KB

          • memory/2120-90-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-91-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-262-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-92-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-88-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-68-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-69-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-82-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2120-83-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2240-539-0x0000000000400000-0x00000000022EF000-memory.dmp

            Filesize

            30.9MB

          • memory/2240-538-0x0000000003FE0000-0x00000000048CB000-memory.dmp

            Filesize

            8.9MB

          • memory/2240-537-0x0000000003BE0000-0x0000000003FD8000-memory.dmp

            Filesize

            4.0MB

          • memory/2324-644-0x0000000004310000-0x0000000004311000-memory.dmp

            Filesize

            4KB

          • memory/2324-657-0x0000000004310000-0x0000000004311000-memory.dmp

            Filesize

            4KB

          • memory/2328-288-0x0000000000940000-0x0000000000A40000-memory.dmp

            Filesize

            1024KB

          • memory/2348-269-0x00000000008D2000-0x00000000008E3000-memory.dmp

            Filesize

            68KB

          • memory/2348-270-0x0000000000220000-0x0000000000224000-memory.dmp

            Filesize

            16KB

          • memory/2396-389-0x00000000774CF000-0x00000000774D0000-memory.dmp

            Filesize

            4KB

          • memory/2396-301-0x0000000000200000-0x0000000000201000-memory.dmp

            Filesize

            4KB

          • memory/2396-305-0x0000000000930000-0x0000000001523000-memory.dmp

            Filesize

            11.9MB

          • memory/2396-432-0x00000000003C0000-0x00000000003C1000-memory.dmp

            Filesize

            4KB

          • memory/2396-304-0x0000000000200000-0x0000000000201000-memory.dmp

            Filesize

            4KB

          • memory/2396-429-0x00000000774CF000-0x00000000774D0000-memory.dmp

            Filesize

            4KB

          • memory/2396-443-0x0000000000930000-0x0000000001523000-memory.dmp

            Filesize

            11.9MB

          • memory/2396-422-0x00000000774CF000-0x00000000774D0000-memory.dmp

            Filesize

            4KB

          • memory/2396-417-0x00000000774D0000-0x00000000774D1000-memory.dmp

            Filesize

            4KB

          • memory/2396-415-0x00000000774CF000-0x00000000774D0000-memory.dmp

            Filesize

            4KB

          • memory/2396-308-0x0000000000200000-0x0000000000201000-memory.dmp

            Filesize

            4KB

          • memory/2396-378-0x00000000774CF000-0x00000000774D0000-memory.dmp

            Filesize

            4KB

          • memory/2396-356-0x00000000774CF000-0x00000000774D0000-memory.dmp

            Filesize

            4KB

          • memory/2396-357-0x00000000774D0000-0x00000000774D1000-memory.dmp

            Filesize

            4KB

          • memory/2396-309-0x00000000774D0000-0x00000000774D1000-memory.dmp

            Filesize

            4KB

          • memory/2396-310-0x0000000000210000-0x0000000000211000-memory.dmp

            Filesize

            4KB

          • memory/2420-58-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2420-37-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2420-36-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2420-33-0x0000000000400000-0x0000000000537000-memory.dmp

            Filesize

            1.2MB

          • memory/2420-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

          • memory/2432-31-0x00000000037C0000-0x00000000038DB000-memory.dmp

            Filesize

            1.1MB

          • memory/2432-26-0x0000000000230000-0x00000000002C2000-memory.dmp

            Filesize

            584KB

          • memory/2432-27-0x0000000000230000-0x00000000002C2000-memory.dmp

            Filesize

            584KB

          • memory/2520-19-0x0000000000400000-0x0000000001F00000-memory.dmp

            Filesize

            27.0MB

          • memory/2520-14-0x0000000002340000-0x0000000002440000-memory.dmp

            Filesize

            1024KB

          • memory/2520-15-0x0000000000400000-0x0000000001F00000-memory.dmp

            Filesize

            27.0MB

          • memory/2816-268-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

          • memory/2816-275-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

          • memory/2816-266-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

          • memory/2816-276-0x0000000000410000-0x0000000000477000-memory.dmp

            Filesize

            412KB

          • memory/2816-273-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

          • memory/2888-586-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

          • memory/2888-572-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB
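The memory dump names in this listing encode the process ID, a dump sequence number and the dumped virtual address range, and the Filesize beside each one is just the length of that range. The script below is an added example, not part of the sandbox report: it parses a handful of the entries copied from the listing above (a constructed sample, not the full set), recomputes each size in the report's own KB/MB convention to confirm the printed value, and, per PID, picks out the largest dump whose range starts at a default PE image base (0x400000 for 32-bit, 0x140000000 for 64-bit) as the first candidate to carve for an unpacked or injected payload. The image-base heuristic and the two constants are the example's own assumptions, not something the report states.

```python
import re

# Constructed sample: a few "memory/<pid>-<seq>-<start>-<end>-memory.dmp" entries
# copied from this report's listing, paired with the Filesize the sandbox printed.
SAMPLE_DUMPS = [
    ("memory/560-110-0x0000000000400000-0x0000000000645000-memory.dmp", "2.3MB"),
    ("memory/592-109-0x0000000000230000-0x0000000000262000-memory.dmp", "200KB"),
    ("memory/1056-565-0x0000000000400000-0x00000000022EF000-memory.dmp", "30.9MB"),
    ("memory/2240-538-0x0000000003FE0000-0x00000000048CB000-memory.dmp", "8.9MB"),
    ("memory/2396-305-0x0000000000930000-0x0000000001523000-memory.dmp", "11.9MB"),
    ("memory/2816-266-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2888-572-0x0000000140000000-0x00000001405E8000-memory.dmp", "5.9MB"),
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Assumption: default image bases of a 32-bit and a 64-bit PE. A dump whose
# range starts here is the first place to look for an unpacked payload; it is
# a heuristic, and packers or ASLR can put the real image elsewhere.
IMAGE_BASES = {0x400000, 0x140000000}


def parse_dump_name(name):
    """Split a sandbox dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's size column: whole KiB below 1 MiB, else MiB to one decimal."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_listed_sizes(entries):
    """Return the dump names whose recomputed size disagrees with the printed Filesize."""
    return [name for name, listed in entries
            if human_size(parse_dump_name(name)["size"]) != listed]


def payload_candidates(entries):
    """Per PID, the largest dump whose range starts at a default PE image base."""
    best = {}
    for name, _ in entries:
        d = parse_dump_name(name)
        if d["start"] not in IMAGE_BASES:
            continue
        cur = best.get(d["pid"])
        if cur is None or d["size"] > cur["size"]:
            best[d["pid"]] = dict(d, name=name)
    return best


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(SAMPLE_DUMPS))
    for pid, d in sorted(payload_candidates(SAMPLE_DUMPS).items()):
        print(f"pid {pid}: carve {d['name']} ({human_size(d['size'])})")
```

Run against the full listing, the mismatch check should come back empty; any entry it does flag is worth a second look, since the sandbox derives the Filesize from the same range the name encodes. The candidate list is only a starting point: the 30.9MB regions at 0x400000 in PIDs 1056, 1240 and 2240 and the 5.9MB region at 0x140000000 in PID 2888 are where a PE header scan of the .dmp files pays off first.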