Resubmissions

22-08-2024 15:33

240822-sy6bqsvbng 7

10-03-2024 16:21

240310-ttpc4aga89 10

10-03-2024 12:34

240310-prvpwacf93 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2024 12:34

General

  • Target

    file.exe

  • Size

    2.4MB

  • MD5

    b11c3fad2e48022f58635df7368d6441

  • SHA1

    63883fee892ac1e0d44f568913931c0d59b343d1

  • SHA256

    2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80

  • SHA512

    6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023

  • SSDEEP

    49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .wisz

  • offline_id

    4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Vidar Stealer 1 IoCs
  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs 7 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 5 IoCs
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 38 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe
        "C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp" /SL5="$60160,1697450,56832,C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:1500
      • C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe
        "C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:584
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
            5⤵
            PID:1272
            • C:\Windows\SysWOW64\chcp.com
              chcp 1251
              6⤵
              PID:1736
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              6⤵
              • Creates scheduled task(s)
              PID:560
      • C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
        "C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
        • C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
          "C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe"
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              • Modifies data under HKEY_USERS
              PID:892
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
            • C:\Windows\system32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              6⤵
              • Creates scheduled task(s)
              PID:2904
            • C:\Windows\system32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              6⤵
              PID:2400
            • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
              "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies system certificate store
              PID:1096
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              6⤵
              • Executes dropped EXE
              PID:2336
      • C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe
        "C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe"
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      PID:2540
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240310123451.log C:\Windows\Logs\CBS\CbsPersist_20240310123451.cab
    1⤵
    • Drops file in Windows directory
    PID:2536
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\3B6B.bat" "
    1⤵
    PID:2640
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:2068
  • C:\Users\Admin\AppData\Local\Temp\6F19.exe
    C:\Users\Admin\AppData\Local\Temp\6F19.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    PID:2484
    • C:\Users\Admin\AppData\Local\Temp\6F19.exe
      C:\Users\Admin\AppData\Local\Temp\6F19.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      PID:1876
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\bf75f872-64ea-4beb-9242-0cdc8b441b91" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:556
      • C:\Users\Admin\AppData\Local\Temp\6F19.exe
        "C:\Users\Admin\AppData\Local\Temp\6F19.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        PID:2948
        • C:\Users\Admin\AppData\Local\Temp\6F19.exe
          "C:\Users\Admin\AppData\Local\Temp\6F19.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2732
          • C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe
            "C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:2072
            • C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe
              "C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe"
              6⤵
              • Executes dropped EXE
              • Modifies system certificate store
              PID:2536
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1448
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:376

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                Filesize

                1KB

                MD5

                f461bbe62b7d0ecb6d410ecb2a8f5f99

                SHA1

                49a22334941d9830647f4a14e27ce8fae99b2f21

                SHA256

                da736c5fd3b804a5b5ef646ba348ff5579773279225880400fb0e4b317ffaa77

                SHA512

                418d85dbbc53bf458095a49908481cd7ea4836f5602726c26aa0a20563a5b185e8cab076932e317674e63164246ca962b424732ef7f10788a58b8e36d99b8e96

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                Filesize

                67KB

                MD5

                753df6889fd7410a2e9fe333da83a429

                SHA1

                3c425f16e8267186061dd48ac1c77c122962456e

                SHA256

                b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

                SHA512

                9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

                Filesize

                724B

                MD5

                8202a1cd02e7d69597995cabbe881a12

                SHA1

                8858d9d934b7aa9330ee73de6c476acf19929ff6

                SHA256

                58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

                SHA512

                97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                Filesize

                410B

                MD5

                f2909676fb8ee02c35614f2b40e0eaac

                SHA1

                c06ba7b1c343da8c5a1d40829d4343c2cf258837

                SHA256

                77a760a8d9cc583d1ad30b3843fa5232c83bbb6d761ece67f48487b4bee34e02

                SHA512

                9002bf1d25a1267d31e1c1428c40432c3ec727b0da4099fec5c307391426caeb46fdef1446f6d1a4de7832330a84307457231930eb12ec23e1e02fd5333cd0be

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                80e016c08a337d423b0ed3c4888c07d8

                SHA1

                f737d3efa1282ba8caefbd0d144d73bfaf5ad76d

                SHA256

                add7ce69f6f50c6e6966953f1923652373bb22ef29dade2077668b8cd9108398

                SHA512

                20304feb78ab758a5b204506d165f67de528fa43d23e04887037c95b1193d11e7d5f5dc98b0c9b22cdca048e294a9477c9573667efd54032e3fe9e32d47fefa9

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                fa11f347ee87e890bba56ad98e5f8f59

                SHA1

                3be5964c311fd6636449f4ba3aef19d3794dc8ca

                SHA256

                676ee5f935449e8ee1239796ae768a86905b5709973a4d721c03d6b938a0d584

                SHA512

                2e9c32fd657828079fdbf3618b5a091b101e9be3cde328db70a9a2c5f9e306f2c0c36475d129285d291e2345bcc779efe84794583936272cf5373827cafb85d6

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                17419eb8ce7fecd54fb1c48bf233d0a1

                SHA1

                8142fa6ac9e59fc61bc1e8395357cc593b52593e

                SHA256

                6b8ed5bf7421d81239f24fd924ba59ffd1b79317ae7f6969e371af9416f5bbe1

                SHA512

                9cafd96fb1679408b41fad56c80ddc8d4a0cdd201257e7439d8fa36637474d2d2b8943e95d104a9745767440d31ea5fda17672cc434c0fb28303335356d19a89

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

                Filesize

                392B

                MD5

                eb96f07633ddfd91017eb8346bc61045

                SHA1

                b5b67767a37275a59e1a05bb4dbc9e2f5061ec1c

                SHA256

                f535edcbdcb9404a4f27a98f45942c99e00ba38ad49a55d44dce61d6b0a66c5a

                SHA512

                d3d270572494b64d440bacfef96880a84364e7a401b66d318a4004d0ad4017b09ea5e8a834387d78df00233ba7622bc37b4504339fe8c9049f6a785dfb115a67

              • C:\Users\Admin\AppData\Local\Temp\3B6B.bat

                Filesize

                77B

                MD5

                55cc761bf3429324e5a0095cab002113

                SHA1

                2cc1ef4542a4e92d4158ab3978425d517fafd16d

                SHA256

                d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                SHA512

                33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

              • C:\Users\Admin\AppData\Local\Temp\6F19.exe

                Filesize

                700KB

                MD5

                b5012ad3f7b79ece2bf795a53b69fd9e

                SHA1

                40cffd108e02bc172f9c632e6da0d6abe468846f

                SHA256

                1e85da371e7d28623567725f04af71d792c7e3323f42fddd53500e691249002a

                SHA512

                b7bfe32b5dae377b773d67e9cb7fde7e4052514cfd928252963babafa0234429a5a2c28dfd7ff38c3fcb9a728e742506f7b3c095a04cd950f1296a0e664878b5

              • C:\Users\Admin\AppData\Local\Temp\6F19.exe

                Filesize

                640KB

                MD5

                2fbbb06d9f40eed8c34d9583c74e73ae

                SHA1

                bde94386fac3f4d6df9bdabc4f1022916eacf968

                SHA256

                2dabe2118e640c35b540c93af67e96899f70d7d41c2e14cfc18ec237739c41d1

                SHA512

                26cd70a382d2bd07a1c1dac1a89258b2e0e0a441c77f599926e4ec0724652432a96a5bf538fe60c4667238fd989e5c6ef5e7a98c295a3276aa6312d054b6fe72

              • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

                Filesize

                1.3MB

                MD5

                eeec6de42a9722eade59935376fdae88

                SHA1

                d4a4682680674e9f151a2a5544795758e4d9d824

                SHA256

                d8079f789a1d2d6dc9c4362243db3bf5ff9433a4dd938bef103620a7a6d34b48

                SHA512

                db4d3b7d3955bae64d27333b7404f096c75121de71f902121382cccaf79dc4ed16cf04b5fdaf80f7e5d78fb3d5aeeff5a0dbacc1cf1ec79d9a31acfc05bdbeb3

              • C:\Users\Admin\AppData\Local\Temp\Tar55A6.tmp

                Filesize

                175KB

                MD5

                dd73cead4b93366cf3465c8cd32e2796

                SHA1

                74546226dfe9ceb8184651e920d1dbfb432b314e

                SHA256

                a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

                SHA512

                ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

              • C:\Users\Admin\AppData\Local\Temp\osloader.exe

                Filesize

                591KB

                MD5

                e2f68dc7fbd6e0bf031ca3809a739346

                SHA1

                9c35494898e65c8a62887f28e04c0359ab6f63f5

                SHA256

                b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

                SHA512

                26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

              • C:\Users\Admin\AppData\Roaming\Temp\Task.bat

                Filesize

                128B

                MD5

                11bb3db51f701d4e42d3287f71a6a43e

                SHA1

                63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                SHA256

                6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                SHA512

                907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

              • C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe

                Filesize

                832KB

                MD5

                3cb379bc5693907e79679015e56e1045

                SHA1

                7362d306923507aa12e94eb7dbcae9f30f398df2

                SHA256

                6daca81b06d8f24046407bf14712583deb94ba329f1611c7f33de7ec097d15fc

                SHA512

                b59dfb846621cb4e99271003885daddf01895fb7ada553ce7be77c42c8ccfcf252ec187562d58f11eabed2ebece64f71e0a65b63d9019b8803e6b105ffb770ca

              • C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe

                Filesize

                832KB

                MD5

                482dd0af025d3f44d682c90e31226693

                SHA1

                3ba175cf8249b21ac966419e67d42d4d448bc3a8

                SHA256

                75a57865393d70ec57a6bfd8dd4c1a6947391500600b1b1c6fe66e5b35a8b0a8

                SHA512

                ea2fef120bf3a0c75de5426d547c76f07d910b05d678daed9b37c9c98f441e3054aa4e6702e399500cfa953de9f2a3f62974f9cfbf148259a544d5f03c1f1559

              • C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe

                Filesize

                896KB

                MD5

                8a8590f9ead0c82250938616f05ed580

                SHA1

                c453ea2dfa02f192c473459d57776470adb27701

                SHA256

                2a8e165b9a5970c01678e7aad11c8c762875b58e0bf34a4c5ebd5ee5c50c214f

                SHA512

                b673a68911349b02e6b973f8f05f37a946d6e5b8ca98cfd63c7da1411b39d6d84f7e4e82e35bdd22676190aceeebb849754dc2278a28fccf31aca1db354e29a7

              • C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe

                Filesize

                4.1MB

                MD5

                fbd8c3441a6860996d762513c9db1bc9

                SHA1

                bf1c2916cec7eeb327d0857a1f484268425a7239

                SHA256

                dbdc20d075f94e8979dd5a75f6a26b47d60de1e88552bfda1805abab08f6454a

                SHA512

                c516760a64d2a5c166ba6cc14cda4b558c2f9db53465a98bfc50cc78c9a237809cb7a725f6e987ce32c93f8c49e6f1c1135fe7995bfd47df2c71030842ff6216

              • C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe

                Filesize

                172KB

                MD5

                38783b735530ec3595f8cfc57704e0a4

                SHA1

                297d2424423506702a6f42fff06b37a89a9fc8e6

                SHA256

                95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d

                SHA512

                980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f

              • \ProgramData\mozglue.dll

                Filesize

                593KB

                MD5

                c8fd9be83bc728cc04beffafc2907fe9

                SHA1

                95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                SHA256

                ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                SHA512

                fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              • \ProgramData\nss3.dll

                Filesize

                2.0MB

                MD5

                1cc453cdf74f31e4d913ff9c10acdde2

                SHA1

                6e85eae544d6e965f15fa5c39700fa7202f3aafe

                SHA256

                ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                SHA512

                dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              • \Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe

                Filesize

                219KB

                MD5

                d37b17fc3b9162060a60cd9c9f5f7e2c

                SHA1

                5bcd761db5662cebdb06f372d8cb731a9b98d1c5

                SHA256

                36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f

                SHA512

                04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

              • \Users\Admin\AppData\Local\Temp\BroomSetup.exe

                Filesize

                1.4MB

                MD5

                83136f38c4a7f35670b7c621ddb3758b

                SHA1

                775896a3b1508a92c700c7ecf0618623eac9a8fe

                SHA256

                9e7a82abd386798c82788cbd73d4b8f0c20a8a489f1092254d796312c30d9fe3

                SHA512

                551ea18d199376198e42c9c6cec25bc7e9a97c9fa5b699b48ba1fd4e62658b82e3898ab9e4dc56cc81db7676e2dfb1075e4533724f0734973db0f856c2a55f15

              • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

                Filesize

                1.7MB

                MD5

                13aaafe14eb60d6a718230e82c671d57

                SHA1

                e039dd924d12f264521b8e689426fb7ca95a0a7b

                SHA256

                f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

                SHA512

                ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

              • \Users\Admin\AppData\Local\Temp\dbghelp.dll

                Filesize

                1.5MB

                MD5

                f0616fa8bc54ece07e3107057f74e4db

                SHA1

                b33995c4f9a004b7d806c4bb36040ee844781fca

                SHA256
