Analysis

  • max time kernel
    134s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08-03-2024 03:18

General

  • Target

    29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

  • Size

    161KB

  • MD5

    fb8ddd837ad8b94f1faf0b4920ce7b2b

  • SHA1

    c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b

  • SHA256

    29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee

  • SHA512

    db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74

  • SSDEEP

    1536:IwYZ5gZyjech8y/nK/bobGPgeMWKQxljH3PBe/8YkfbM9Wzw1mE3SmJQENYmAzTa:YiZpyDz/WVPX/9CWz9xmJQMYmAzsX

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .wisz

  • offline_id

    4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.1

Botnet

e2da5861d01d391b927839bbec00e666

C2

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes
  • profile_id_v2

    e2da5861d01d391b927839bbec00e666

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Signatures

  • DcRat 5 IoCs

    DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins. No DcRat configuration was extracted from this run: the five hits fall on the submitted sample, on EA9D.exe and on the three schtasks.exe invocations in the process tree below, so treat this signature as corroborating evidence of scheduled-task persistence rather than as a family identification.

  • Detect Vidar Stealer 6 IoCs
  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 16 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
    "C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2208
  • C:\Users\Admin\AppData\Local\Temp\EA9D.exe
    C:\Users\Admin\AppData\Local\Temp\EA9D.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\EA9D.exe
      C:\Users\Admin\AppData\Local\Temp\EA9D.exe
      2⤵
      • DcRat
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\93807114-f534-48d5-b1e4-250b12fbfd4a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2640
      • C:\Users\Admin\AppData\Local\Temp\EA9D.exe
        "C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Users\Admin\AppData\Local\Temp\EA9D.exe
          "C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
            "C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
              "C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe"
              6⤵
              • Executes dropped EXE
              • Modifies system certificate store
              PID:2104
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1444
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2696
          • C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
            "C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3044
            • C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
              "C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2124
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                7⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1652
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4753503D-9C6A-40C0-A96F-E3DB8D6AA53D} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
    1⤵
    PID:2296
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:1956
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        3⤵
        • Executes dropped EXE
        PID:2148
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
          4⤵
          • DcRat
          • Creates scheduled task(s)
          PID:864
    • C:\Users\Admin\AppData\Roaming\harcbch
      C:\Users\Admin\AppData\Roaming\harcbch
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1036
  • C:\Users\Admin\AppData\Local\Temp\1F16.exe
    C:\Users\Admin\AppData\Local\Temp\1F16.exe
    1⤵
    • Executes dropped EXE
    PID:1936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 124
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:296
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\32E5.bat" "
    1⤵
    PID:848
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:1148
  • C:\Users\Admin\AppData\Local\Temp\41F3.exe
    C:\Users\Admin\AppData\Local\Temp\41F3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\41F3.exe
      "C:\Users\Admin\AppData\Local\Temp\41F3.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2548
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        PID:2840
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1324
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:2676
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • DcRat
          • Creates scheduled task(s)
          PID:848
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:1752
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          PID:744
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          PID:2780
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240308032022.log C:\Windows\Logs\CBS\CbsPersist_20240308032022.cab
    1⤵
    PID:2460
  • C:\Users\Admin\AppData\Local\Temp\6369.exe
    C:\Users\Admin\AppData\Local\Temp\6369.exe
    1⤵
    • Executes dropped EXE
    PID:1248
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2648
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x51c
    1⤵
    PID:2796
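
Command-line triage for the process tree above, as an added example that is not part of the sandbox report. The records are constructed from the command lines the report records: the icacls deny on the Djvu install directory, the one-minute "Azure-Update-Task" for mstsca.exe that build3.exe creates and mstsca.exe later re-creates, the netsh allow rule and ONLOGON task for C:\Windows\rss\csrss.exe, and the injector.exe call that names taskmgr.exe and a hooking DLL. The reg.exe and makecab.exe lines are included as controls that should not fire. The rule names and the ATT&CK technique mapping are this example's own assumptions, not the sandbox's.

```python
"""Triage the command lines from the sandbox process tree.

Added example, not part of the sandbox report. PROCESS_LOG is constructed
from the command lines in the report's Processes section; the rule names
and the ATT&CK technique mapping are this example's own choices.
"""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    technique: str        # ATT&CK technique ID chosen for this example
    pattern: re.Pattern


class Finding(NamedTuple):
    pid: int
    rule: str
    technique: str
    detail: str


# Constructed from the report: (PID, image, command line).
PROCESS_LOG = [
    (2640, r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\93807114-f534-48d5-b1e4-250b12fbfd4a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (1652, r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (1324, r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (848, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (2780, r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (1148, r"C:\Windows\system32\reg.exe",
     r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'),
    (2460, r"C:\Windows\system32\makecab.exe",
     r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240308032022.log C:\Windows\Logs\CBS\CbsPersist_20240308032022.cab'),
]

RULES = [
    # Djvu denies Everyone (S-1-1-0) delete rights on its install directory.
    Rule("icacls_deny_everyone", "T1222.001",
         re.compile(r"\bicacls\b.*/deny\s+\*?S-1-1-0", re.I)),
    # A task that re-runs every minute restarts the payload if it is killed.
    Rule("schtasks_minute_repeat", "T1053.005",
         re.compile(r"/create\b.*/sc\s+minute\b.*/mo\s+1\b", re.I)),
    # Logon task running with the highest available privileges.
    Rule("schtasks_onlogon_highest", "T1053.005",
         re.compile(r"/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b", re.I)),
    # Inbound allow rule punched for a specific program.
    Rule("netsh_firewall_allow_rule", "T1562.004",
         re.compile(r"\bnetsh\b.*advfirewall\s+firewall\s+add\s+rule\b.*action=allow", re.I)),
    # "<exe> <target process> <dll>" is the shape of a DLL injector invocation.
    Rule("exe_with_process_and_dll_args", "T1055.001",
         re.compile(r"\.exe\s+\S+\.exe\s+\S+\.dll\b", re.I)),
]

PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.exe', re.I)
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def masqueraded_paths(cmdline: str) -> list:
    """Paths naming a core system binary that sit outside System32/SysWOW64."""
    hits = []
    for path in PATH_RE.findall(cmdline):
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_NAMES and directory not in LEGIT_DIRS:
            hits.append(path)
    return hits


def scan(records) -> list:
    """Apply every rule and the location check to each (pid, image, cmdline)."""
    findings = []
    for pid, image, cmdline in records:
        for rule in RULES:
            if rule.pattern.search(cmdline):
                findings.append(Finding(pid, rule.name, rule.technique, image))
        for path in masqueraded_paths(cmdline):
            findings.append(Finding(pid, "system_binary_outside_system32", "T1036.005", path))
    return findings


def findings_by_pid(records) -> dict:
    """Map PID -> set of rule names that fired for it."""
    out = {}
    for f in scan(records):
        out.setdefault(f.pid, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in scan(PROCESS_LOG):
        print(f"PID {f.pid:<5} {f.technique:<10} {f.rule:<32} {f.detail}")
```

Running the block prints one finding per line. The two schtasks invocations hit on different rules, one because it repeats every minute and the other because it runs at logon with highest privileges, and both references to C:\Windows\rss\csrss.exe fire the location check because the legitimate csrss.exe lives only under System32.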

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                          Filesize

                          1KB

                          MD5

                          a757a2a5fb2249733650563a36836fc7

                          SHA1

                          0e3f0f05d3fb61398e507bcde88a32ec5a88b4a8

                          SHA256

                          5b75679110beb7d514c1f6c7b993cd540dd29856da2e2e995bafb70e77d2bf4b

                          SHA512

                          8ed6aa61e91d640f2a8983fa67d937b2abcc5f5c43375a739773b991414094121efc4a049436dd39e45d8e627e57779f1c89352a606dffa406382d875de46b97

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                          Filesize

                          67KB

                          MD5

                          753df6889fd7410a2e9fe333da83a429

                          SHA1

                          3c425f16e8267186061dd48ac1c77c122962456e

                          SHA256

                          b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

                          SHA512

                          9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

                          Filesize

                          724B

                          MD5

                          8202a1cd02e7d69597995cabbe881a12

                          SHA1

                          8858d9d934b7aa9330ee73de6c476acf19929ff6

                          SHA256

                          58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

                          SHA512

                          97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                          Filesize

                          410B

                          MD5

                          f1a1355c24cea347e0b9839d27266ff2

                          SHA1

                          aa16684d6ff980f252d753931830de0cb9dcbe00

                          SHA256

                          04bba3927fa7ceca147277002c36d32e6352a989d91d81afd7011949ad6bd6ef

                          SHA512

                          150b2f84f1461cda01092125a51c6bdd249cf448560367f08275192faa936e03526f9eda21c98458e057b7fe09a0a1c8f1cd3492d9662b8bd5041ec9dca21056

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          304B

                          MD5

                          6b036c055f4aad0c00b50c463e387b40

                          SHA1

                          6588eb4c56777b71f2c7511eb8018da84ec4d19f

                          SHA256

                          063827a24a9dde07629920af417623ab1e3c082a8b4ed9c4978bbacf927e4429

                          SHA512

                          edacb63b8f88904dd5fcc108f2bc1f8079662317c05deca9e38764a41897062781d5a4942a0bc9beede69aab39bb3af570ad8bdd8d17efa4a139431b898b3eac

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          304B

                          MD5

                          4c770d8b00ba45736a2e680300799e20

                          SHA1

                          ea5b9b8fdd4037e0d10ef0556404bdf1206a591d

                          SHA256

                          f27af90da678568af3a833934cea24f1707bebdcb35826d30969f7ba729e367f

                          SHA512

                          035b409f488adc436ed4763eb6dc6e60eeb4ecd0925d07af7edec24718af520690592697a112318166e3765086688d15e46a2a7f98d6f64a370ab138664498ca

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          304B

                          MD5

                          e3efb4ad1a28ca69ce0471253b644400

                          SHA1

                          027b0955063d057c244a92624e9b1d562a27f12b

                          SHA256

                          42ae11f65fa99fd18ac5c0b07d87d6764372ca71e085df94ed79d9910ecec74f

                          SHA512

                          b76f6b06994187f570fa1107a2e3de5c5890ec4b9790459e64fa78dd99bb1bd0f36f67fad5f184d7529512ae32b4a0890694b52b23071f8d6e594604cc32c201

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          304B

                          MD5

                          1a05839f32656c4e266f2b31fe4bed21

                          SHA1

                          3ae8b7dfe496ec329fa5ba7647e2acdfab97a05b

                          SHA256

                          9bafe38819a2e8878e8280cf3b03ffe8c84c31c1395d1741eed2fa311234f7b9

                          SHA512

                          9bea2d55b970cf1d7a8ceb269364044199897b00a79b7190fc207cd962956b94ea80a043f770578f0137eae008c942e4ffea57069c1fc38119b1550f234feb61

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          344B

                          MD5

                          d090cdf599f93236b4bdf0039372b90d

                          SHA1

                          0473ed06ebc9d985f458cd287cb741ba925efa82

                          SHA256

                          9ce2b4a227293e203a6989feea2286f1e39c2adaef54512e3a4ccade7805b5f5

                          SHA512

                          a7197d6a317ebd44811bcbbe9a8a801d63a2d99115989cf3072ec9cb3c6ffac6631aab48a614da5c8ac524b55d5d19baf2cbb615fb5378e44ebd8487e2afe911

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

                          Filesize

                          392B

                          MD5

                          3ff1bc7c53cf232b58189187c7079204

                          SHA1

                          defd944164108bb59e7f8f8d7481b772eb7e8645

                          SHA256

                          9dc09a0cb90bd61414059817047e59b78e96af2aea1ee2fd8feccd419ab9c756

                          SHA512

                          fb8950828dbba95a5749f0a95e2be818ab50e585df36df18cf997f01ba6783dde692968436619f86b32d08464aeb0f122e71174db00b586a9fcdeec2757eea1b

                        • C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe

                          Filesize

                          192KB

                          MD5

                          5c883ef6d1ad03173f30db4fc691d0a7

                          SHA1

                          4007444885a94ad3092e287a196249bc6c1301ef

                          SHA256

                          b1e0b896d1cdbe0cfe16d1d6f604640e2b22aeb144eb411086fa31d2073f316e

                          SHA512

                          125b18de452ee08cc42806f15864bb5429403ca696e385d5fb32d87cde841629e12f0d64c308c8ff7444d36c5da71e75fdc66733418bc886cad6a6e9ba7eb816

                        • C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe

                          Filesize

                          299KB

                          MD5

                          41b883a061c95e9b9cb17d4ca50de770

                          SHA1

                          1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

                          SHA256

                          fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

                          SHA512

                          cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

                        • C:\Users\Admin\AppData\Local\Temp\1F16.exe

                          Filesize

                          6.5MB

                          MD5

                          9e52aa572f0afc888c098db4c0f687ff

                          SHA1

                          ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

                          SHA256

                          4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

                          SHA512

                          d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

                        • C:\Users\Admin\AppData\Local\Temp\32E5.bat

                          Filesize

                          77B

                          MD5

                          55cc761bf3429324e5a0095cab002113

                          SHA1

                          2cc1ef4542a4e92d4158ab3978425d517fafd16d

                          SHA256

                          d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                          SHA512

                          33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                        • C:\Users\Admin\AppData\Local\Temp\41F3.exe

                          Filesize

                          4.2MB

                          MD5

                          531e650166bd34380a22fc420d157565

                          SHA1

                          d2746da211530bc003ffc48904aade9edea63749

                          SHA256

                          0446eebb9e91bfb557179d9e0ebccd42b8270554cca6ef696fd1b86c1a0290fd

                          SHA512

                          ee2011bcfac0d470f9adc2a7972901d93a0ac81225393195e771c1b14fc603da19309883e960ef80918fc20b1f60e8aa2524ff34941986b98d5685080ad30f5f

                        • C:\Users\Admin\AppData\Local\Temp\41F3.exe

                          Filesize

                          128KB

                          MD5

                          35c893e969426e8575c90e31140b4418

                          SHA1

                          3c7081254af5161ed32d2cd180957f7c177143e5

                          SHA256

                          3c1539b6cc4d4c166736ca5ac4fd2af4f847916417e269e9d8e72c7abb7dfca0

                          SHA512

                          c6d6754ccf0c20d66f619f75520a4cb0e7811b9d8df390580a573351474cfe3e551192296c7991abf8fe9fec43db5af9b50c6dae255efa281354f4d26255c055

                        • C:\Users\Admin\AppData\Local\Temp\6369.exe

                          Filesize

                          128KB

                          MD5

                          6ae4f4b0c586a01c107f80dd6355354f

                          SHA1

                          384550d5f815aade2ca06586c54e4732862b3b52

                          SHA256

                          b8aa2c428216817d3879531763c4a18c93f949b16105eab19d777960540a4d6b

                          SHA512

                          5021e9a7b6845b0acc951b0d9c89622c3eed1a978944e9ee87231d4d59e57fde5d211c6e8705e2ac61396e8334670c01528aefbbbf0b10bddb1ff5a8818d8031

                        • C:\Users\Admin\AppData\Local\Temp\Cab1890.tmp

                          Filesize

                          65KB

                          MD5

                          ac05d27423a85adc1622c714f2cb6184

                          SHA1

                          b0fe2b1abddb97837ea0195be70ab2ff14d43198

                          SHA256

                          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                          SHA512

                          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                        • C:\Users\Admin\AppData\Local\Temp\EA9D.exe

                          Filesize

                          769KB

                          MD5

                          fed6be759155cfd181809b6037a91abe

                          SHA1

                          41cc6892cc5ee0a7c2bffbb4fbd0df3567d16936

                          SHA256

                          f4bdcf13d4fdd1f30458719c10f7e27c2388cd0a7f9c70ee24d3c4f21dd3e58b

                          SHA512

                          187288dc2b379ef4c4e3ef6f2469411f1d152c1f459dca077bc485bb9d977bc267c950e6d12991e8fd1338be26f5a715009ad353d60e25daa8cf73ce68e133cc

                        • C:\Users\Admin\AppData\Local\Temp\Tar651A.tmp

                          Filesize

                          171KB

                          MD5

                          9c0c641c06238516f27941aa1166d427

                          SHA1

                          64cd549fb8cf014fcd9312aa7a5b023847b6c977

                          SHA256

                          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                          SHA512

                          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                        • C:\Users\Admin\AppData\Local\Temp\Tar6723.tmp

                          Filesize

                          175KB

                          MD5

                          dd73cead4b93366cf3465c8cd32e2796

                          SHA1

                          74546226dfe9ceb8184651e920d1dbfb432b314e

                          SHA256

                          a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

                          SHA512

                          ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

                        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

                          Filesize

                          1.7MB

                          MD5

                          13aaafe14eb60d6a718230e82c671d57

                          SHA1

                          e039dd924d12f264521b8e689426fb7ca95a0a7b

                          SHA256

                          f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

                          SHA512

                          ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

                        • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                          Filesize

                          64KB

                          MD5

                          03e03703fe5fc79e7f1d5e44e3c27b1e

                          SHA1

                          8f25ba10b5e479ae63c4c3867475502e1a6499fa

                          SHA256

                          504111bf8fb1386663a5f92bab46dc7b1171fb9c9a8b8cd100945a6c6bde311e

                          SHA512

                          1926c83c1f301800c289b16458ae30bc0927b231a5b11b12663d8a608c5ded27d8d73987ec6af46011e2f2b4e7e4c65fa7cfd50e5370d00e47784982874b88fa

                        • C:\Users\Admin\AppData\Roaming\harcbch

                          Filesize

                          161KB

                          MD5

                          fb8ddd837ad8b94f1faf0b4920ce7b2b

                          SHA1

                          c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b

                          SHA256

                          29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee

                          SHA512

                          db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74

                        • C:\Windows\rss\csrss.exe

                          Filesize

                          2.0MB

                          MD5

                          19f916293b92fe0442fa99a063133136

                          SHA1

                          8546eea89ccc6a14d49989ad4dcd3a61b5b506cb

                          SHA256

                          26386feb18e3de155565c3c59a7a1c750c237033011ddce042a50a58ff4f2960

                          SHA512

                          610c60faa230ac11a0df3adfc6588e3f859ba821eaf483a7654a6980822772772466d19d0d447d71310c9c8a60ef78d679b1a62f4de3287fb7e0b49d5b9031c6

• \Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
  Filesize: 219KB
  MD5: d37b17fc3b9162060a60cd9c9f5f7e2c
  SHA1: 5bcd761db5662cebdb06f372d8cb731a9b98d1c5
  SHA256: 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
  SHA512: 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

• \Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
  Filesize: 256KB
  MD5: 164bc11a628ff1722c833c8e2642aca5
  SHA1: 56d2d17695a85b876b736933a7f1cd5cf2acfdb1
  SHA256: e76e2fa66070991fff3747fd12185ec795651b8506f290a3f1214b0eab40d330
  SHA512: 099d1715e47a2c4ea346b432f186ffb6fcd94f9ec6b28ffcf5047a57b686a0135e765db75150ac14420cb9285fb02c8d390751b239a2a9446219da587a89ce9b

• \Users\Admin\AppData\Local\Temp\1F16.exe
  Filesize: 3.9MB
  MD5: 1d017007945d9fd40318c4d1e2bef800
  SHA1: f014362a16b798c2475e54f13d6918421cd00871
  SHA256: d463f17969d74e8ac1ccd7b1e1ca21fc5ccf025920f1a1be3aeeaa0eb03f0fdf
  SHA512: f0f0778f820fb840f585dcf13c4793dcc8c0f908e3b0a0baec388d6c8696b7ca5f59902b5e84f21070bebd6e897b2a6a1a12312fd0575129e2e8a6cf9a0c7167

• \Users\Admin\AppData\Local\Temp\1F16.exe
  Filesize: 3.2MB
  MD5: a608f61eaa0defa4af7c6779114e10ee
  SHA1: 8e8e6e9c91a6932681a6748565cdf54ad9ac01cc
  SHA256: 3e3e07470c28d903408e581394a479fb15911212ea26b85c335c1bdeab87dfa6
  SHA512: 4c02c4c5ae7f0e876a030f84bf8646bcf8bb694566f6e3ad8fd23ff3107b937f24b2871288b4cb36bc09234b952e7d329b3c0a1046ea2a15e2ce26af34a9a219

• \Users\Admin\AppData\Local\Temp\6369.exe
  Filesize: 192KB
  MD5: 2bd1aca75be77faf41c4bce644b4fc8b
  SHA1: a4b2767b2163173aae22124d4e78715ae9eaf188
  SHA256: e2480e0438058403732c979ee61fefe67d2502fbf9aaee8e7b956dda7b9085eb
  SHA512: cf144941ecaf50b768d94c4f43305fe809218833997e2099622802e5a5247a1ff64bed3f41b96ad0d914ad12700b0e737c26b545a4ef403520095c99c0a0d9c8

• \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

• \Users\Admin\AppData\Local\Temp\csrss\patch.exe
  Filesize: 576KB
  MD5: 79d239e8c3993b4122bc6c69aa75b98e
  SHA1: 00b153573dbb5e073483ed20fa52c0e858ef50e3
  SHA256: 416f2e005ca28fe636aa88cdf9a58d1301053d93a29d4201fb0eb711885b3e52
  SHA512: 52c1a997f64b317071d37c114d3869055c5085802c1742ac7f471b6960671927707edf27ee44907912d47533a7c0be274279af1ab78fd1da3803c524af5a27ba

• \Users\Admin\AppData\Local\Temp\dbghelp.dll
  Filesize: 1.5MB
  MD5: f0616fa8bc54ece07e3107057f74e4db
  SHA1: b33995c4f9a004b7d806c4bb36040ee844781fca
  SHA256: 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
  SHA512: 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 5.3MB
  MD5: 1afff8d5352aecef2ecd47ffa02d7f7d
  SHA1: 8b115b84efdb3a1b87f750d35822b2609e665bef
  SHA256: c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
  SHA512: e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

• \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
  Filesize: 128KB
  MD5: 9d1816a549b92f97216a11d5e541b2ce
  SHA1: 02abed0ad44b8cde7640ad8661816ea0c0f68572
  SHA256: a3549e3cfff43ae683b5b5a40a881e979c176e4bb67f13ece117f2f96c20d9bd
  SHA512: a29425491cc9db686223586a7a88774065a064fe0582221e19d81b5edd575ad939e0bc98d4191d93ca45e70d9580ec1c55fed25c91ddb253ab1ef5c251cf1967

• \Users\Admin\AppData\Local\Temp\symsrv.dll
  Filesize: 163KB
  MD5: 5c399d34d8dc01741269ff1f1aca7554
  SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
  SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
  SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

• \Windows\rss\csrss.exe
  Filesize: 2.2MB
  MD5: 241ee2ba95babc9e093d2d579824864c
  SHA1: 2264e7489180768976392e51ee8dea62c12a0277
  SHA256: b4f4da977eab5e59a886a8aa0f26d42484bd9af56aa93e299126cb952a3a04cd
  SHA512: 2d58f91991d71b66d5dcb3048f30b6af495385b537f1e353ae73e1943c5f578dfab28c0149d08a980b76bd95eaed3dbbd9c19b81d5fdebefcb7e483ffc1370d6

• \Windows\rss\csrss.exe
  Filesize: 2.1MB
  MD5: c7cfac667cecc66fd8ed28c6b21e7f3c
  SHA1: b18f4285a7e0a08a33c1a9bd5f18733d7de3083a
  SHA256: 954be76c57653e85459fc1213daffa1e9b9489a0ebda7b20a41f2dea4ef44fb5
  SHA512: 609efd107b717d7537054ebad93e0d065926cc208e05855f4394b7040d71474b468cf8a74fe845503cd048615087bf2196d6d952a5c140946a852be8e25fde74

• memory/744-500-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB

• memory/1036-291-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB

• memory/1036-311-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB

• memory/1036-290-0x0000000000230000-0x0000000000330000-memory.dmp
  Filesize: 1024KB

• memory/1200-4-0x0000000002A50000-0x0000000002A66000-memory.dmp
  Filesize: 88KB

• memory/1200-306-0x0000000002C90000-0x0000000002CA6000-memory.dmp
  Filesize: 88KB

• memory/1936-304-0x0000000000080000-0x0000000000081000-memory.dmp
  Filesize: 4KB

• memory/1936-348-0x00000000001E0000-0x00000000001E1000-memory.dmp
  Filesize: 4KB

• memory/1936-296-0x0000000000A90000-0x0000000001775000-memory.dmp
  Filesize: 12.9MB

• memory/1936-301-0x0000000000080000-0x0000000000081000-memory.dmp
  Filesize: 4KB

• memory/1936-468-0x0000000000A90000-0x0000000001775000-memory.dmp
  Filesize: 12.9MB

• memory/1936-308-0x0000000000080000-0x0000000000081000-memory.dmp
  Filesize: 4KB

• memory/1936-303-0x0000000000A90000-0x0000000001775000-memory.dmp
  Filesize: 12.9MB

• memory/1956-282-0x00000000002F0000-0x00000000003F0000-memory.dmp
  Filesize: 1024KB

• memory/1960-74-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-61-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-75-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-79-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-82-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-81-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-83-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-106-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/1960-60-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/2064-110-0x0000000002080000-0x0000000002180000-memory.dmp
  Filesize: 1024KB

• memory/2064-112-0x0000000000240000-0x0000000000272000-memory.dmp
  Filesize: 200KB

• memory/2104-118-0x0000000000400000-0x0000000000645000-memory.dmp
  Filesize: 2.3MB

• memory/2104-267-0x0000000000400000-0x0000000000645000-memory.dmp
  Filesize: 2.3MB

• memory/2104-114-0x0000000000400000-0x0000000000645000-memory.dmp
  Filesize: 2.3MB

• memory/2104-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2104-121-0x0000000000400000-0x0000000000645000-memory.dmp
  Filesize: 2.3MB

• memory/2104-261-0x0000000000400000-0x0000000000645000-memory.dmp
  Filesize: 2.3MB

• memory/2124-123-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2124-125-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB

• memory/2124-128-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB

• memory/2124-129-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB

• memory/2208-1-0x0000000002070000-0x0000000002170000-memory.dmp
  Filesize: 1024KB

• memory/2208-5-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB

• memory/2208-2-0x0000000000220000-0x000000000022B000-memory.dmp
  Filesize: 44KB

• memory/2208-3-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB

• memory/2392-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2392-48-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/2392-24-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/2392-27-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/2392-28-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB

• memory/2472-436-0x0000000003B00000-0x00000000043EB000-memory.dmp
  Filesize: 8.9MB

• memory/2472-450-0x0000000000400000-0x0000000001E13000-memory.dmp
  Filesize: 26.1MB

• memory/2472-434-0x0000000003700000-0x0000000003AF8000-memory.dmp
  Filesize: 4.0MB

• memory/2472-435-0x0000000000400000-0x0000000001E13000-memory.dmp
  Filesize: 26.1MB

• memory/2472-451-0x0000000003700000-0x0000000003AF8000-memory.dmp
  Filesize: 4.0MB

• memory/2528-19-0x0000000003410000-0x000000000352B000-memory.dmp
  Filesize: 1.1MB

• memory/2528-18-0x0000000000220000-0x00000000002B2000-memory.dmp
  Filesize: 584KB

• memory/2528-17-0x0000000000220000-0x00000000002B2000-memory.dmp
  Filesize: 584KB

• memory/2548-452-0x0000000003830000-0x0000000003C28000-memory.dmp
  Filesize: 4.0MB

• memory/2548-453-0x0000000000400000-0x0000000001E13000-memory.dmp
  Filesize: 26.1MB

• memory/2548-464-0x0000000000400000-0x0000000001E13000-memory.dmp
  Filesize: 26.1MB

• memory/2676-476-0x0000000003570000-0x0000000003968000-memory.dmp
  Filesize: 4.0MB

• memory/2676-477-0x0000000000400000-0x0000000001E13000-memory.dmp
  Filesize: 26.1MB

• memory/2824-51-0x00000000002F0000-0x0000000000382000-memory.dmp
  Filesize: 584KB

• memory/2824-59-0x00000000002F0000-0x0000000000382000-memory.dmp
  Filesize: 584KB

• memory/2824-53-0x00000000002F0000-0x0000000000382000-memory.dmp
  Filesize: 584KB

• memory/3044-119-0x0000000000890000-0x0000000000990000-memory.dmp
  Filesize: 1024KB

• memory/3044-120-0x0000000000220000-0x0000000000224000-memory.dmp
  Filesize: 16KB