Analysis

  • max time kernel: 25s
  • max time network: 93s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/04/2024, 00:06

General

  • Target: a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
  • Size: 4.2MB
  • MD5: 1e1367bc0d13538c296df4d1592b72d1
  • SHA1: 27b3152f52b2b73cab9f45649cb4538ecc968dc1
  • SHA256: a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58
  • SHA512: f37f4af5da0aaa0bf1e6db760e346369f1537e38d2cca73a97517b830f37470482f5d70701d7602822830e56d0cf10d477daddbb4a639cfae48912ff4053a2eb
  • SSDEEP: 98304:aYLh9C6qib1x6o3UOsZWL+vhPvzRWq6AjxvWbrtUTrUHO0F:aYLh9CWb3bFsgL4Nvz8Qjx+NcIO0F

Malware Config

Extracted

  • Family: sality
  • C2:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service (2 TTPs, 9 IoCs)
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass (3 TTPs, 3 IoCs)
  • Windows security bypass (2 TTPs, 18 IoCs)
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (27 IoCs)
  • UPX dump on OEP (original entry point) (37 IoCs)
  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects a file protected with the ACProtect software.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file (33 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Windows security modification (2 TTPs, 21 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 9 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 3 IoCs)

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:788
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:796
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:60
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2472
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2484
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2740
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3532
    • C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
      "C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3356
        • C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe"
          4⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3112
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3700
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              6⤵
              PID:1788
            • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
              6⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Checks whether UAC is enabled
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2032
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
                7⤵
                PID:5940
                • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2032
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  PID:6064
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                    9⤵
                    PID:5208
                    • C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                      "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:5144
                      • C:\Windows\SysWOW64\mscaps.exe
                        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                        11⤵
                        • Executes dropped EXE
                        PID:2248
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
            5⤵
            PID:3188
        • C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe
          "C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe"
          4⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • System policy modification
          PID:2596
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3668
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3848
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3948
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4012
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4092
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4148
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    PID:3588
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:1168
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:856
  • C:\Windows\system32\BackgroundTaskHost.exe
    "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
    1⤵
    PID:4944
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4332
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:5600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx (1.5MB)
  • C:\Users\Admin\AppData\Local\Temp\0E5739AD_Rar\@AE374C.tmp.exe (1.8MB)
  • C:\Users\Admin\AppData\Local\Temp\0E5746CD_Rar\WdExt.exe (1.8MB)
  • C:\Users\Admin\AppData\Local\Temp\5DFE.tmp (406B)
  • C:\Users\Admin\AppData\Local\Temp\@AE374C.tmp.exe (1.9MB)
  • C:\Users\Admin\AppData\Local\Temp\a7a3cc761e50d432e16faaa68a84b4021cafb93612320296ac2919779f047d58.exe (2.3MB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp (1.0MB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4C6B.tmp (229KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4C7C.tmp (120KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4C8D.tmp (126KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4CAD.tmp (89KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4CEC.tmp (99KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4CFD.tmp (172KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp4D0E.tmp (276KB)
  • C:\Users\Admin\AppData\Local\Temp\windonfuw.exe (1KB)
  • C:\Users\Admin\AppData\Local\Temp\wtmps.exe (276KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe (172KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe (1.9MB)
  • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat (129B)
  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat (126B)
  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat (196B)
  • C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat (102B)

                                                • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

                                                  Filesize

                                                  388KB

                                                  MD5

                                                  8d7db101a7211fe3309dc4dc8cf2dd0a

                                                  SHA1

                                                  6c2781eadf53b3742d16dab2f164baf813f7ac85

                                                  SHA256

                                                  93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

                                                  SHA512

                                                  8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

                                                • C:\Windows\SYSTEM.INI

                                                  Filesize

                                                  257B

                                                  MD5

                                                  f53db698c8a8efc5dd8a750739b26580

                                                  SHA1

                                                  f642fc4985c0d9c7518dad81e396ca4821b5e1ad

                                                  SHA256

                                                  439db7cedec9ff20538c399ba7f847e0e4b6619cd890e39bc4f52fe87dab3e78

                                                  SHA512

                                                  419e3f77a8853c5dec0bf8006b7306975235cc7de8f0037a1b6847e5ebb5c85c18b4bf782d56304fe7510f9e69409218efbf9f6d398d72c64bf33794edd46a92

                                                • C:\Windows\SysWOW64\mscaps.exe

                                                  Filesize

                                                  200KB

                                                  MD5

                                                  78d3c8705f8baf7d34e6a6737d1cfa18

                                                  SHA1

                                                  9f09e248a29311dbeefae9d85937b13da042a010

                                                  SHA256

                                                  2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

                                                  SHA512

                                                  9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

                                                • F:\yvmdoo.exe

                                                  Filesize

                                                  97KB

                                                  MD5

                                                  2ffeacc80f90d43f8c988861c37497ab

                                                  SHA1

                                                  fa761e410cba24525a5dec343403bf1dc3a084f7

                                                  SHA256

                                                  ff85eab3a2b31664cf1eae95d8adaff1ad4b83567557b5b31fca310f704633b1

                                                  SHA512

                                                  9ea111f0751cf7a84c752bbb13babde9106fea457cde990682566d94fd2971b3ce59678be5b94fd45eb5bb947929c494533ab6e4577df235c31665099a7ee7fa

                                                • memory/2032-728-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1858-0x0000000000400000-0x000000000044A000-memory.dmp

                                                  Filesize

                                                  296KB

                                                • memory/2032-1842-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1834-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1213-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1210-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1209-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-724-0x0000000000400000-0x000000000044A000-memory.dmp

                                                  Filesize

                                                  296KB

                                                • memory/2032-723-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1204-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-726-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-727-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1203-0x0000000000590000-0x0000000000592000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/2032-729-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1198-0x00000000005A0000-0x00000000005A1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2032-1201-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1199-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1200-0x0000000002210000-0x00000000032CA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2032-1202-0x0000000000590000-0x0000000000592000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/2596-522-0x0000000002530000-0x0000000002532000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/2596-1953-0x0000000004D40000-0x0000000005DFA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2596-1912-0x0000000073080000-0x000000007358E000-memory.dmp

                                                  Filesize

                                                  5.1MB

                                                • memory/2596-1907-0x0000000002530000-0x0000000002532000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/2596-1891-0x0000000004D40000-0x0000000005DFA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/2596-1889-0x0000000000400000-0x00000000006F7000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2596-27-0x0000000000400000-0x00000000006F7000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2596-520-0x00000000025A0000-0x00000000025A1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2596-715-0x00000000006F0000-0x00000000006F1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2596-519-0x0000000002530000-0x0000000002532000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/2596-521-0x0000000000850000-0x0000000000851000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2596-528-0x0000000073080000-0x000000007358E000-memory.dmp

                                                  Filesize

                                                  5.1MB

                                                • memory/3112-717-0x0000000000400000-0x000000000044A000-memory.dmp

                                                  Filesize

                                                  296KB

                                                • memory/3112-516-0x00000000006D0000-0x00000000006D2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3112-28-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-530-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-22-0x0000000000400000-0x000000000044A000-memory.dmp

                                                  Filesize

                                                  296KB

                                                • memory/3112-517-0x00000000006F0000-0x00000000006F1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/3112-531-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-21-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-532-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-694-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-690-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-527-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-29-0x0000000010000000-0x0000000010015000-memory.dmp

                                                  Filesize

                                                  84KB

                                                • memory/3112-683-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-533-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-608-0x00000000006D0000-0x00000000006D2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3112-26-0x0000000002200000-0x00000000032BA000-memory.dmp

                                                  Filesize

                                                  16.7MB

                                                • memory/3112-682-0x00000000006D0000-0x00000000006D2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3700-1207-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3700-1208-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3700-1196-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/6064-1839-0x0000000010000000-0x0000000010015000-memory.dmp

                                                  Filesize

                                                  84KB