Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2024, 01:56

General

  • Target

    8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe

  • Size

    1.1MB

  • MD5

    f1424e5b9810a4a9c33506aa784fca89

  • SHA1

    4ad6287fe149832551afbcb1113db50cd133777b

  • SHA256

    8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed

  • SHA512

    e03432137a7c12c03d34302fe4e1774a3a08935d39f665e4086fd8637f4ea961a645e2a8bb3cd85dd24c54861e4f01b0500a70641e2fa3a4a09e2e89a3b77380

  • SSDEEP

    12288:JYYjzzONcuuIYsYNeaCbU6sKySaVQ4pBgncu7EKHCBbsCU/hpgmxCBbsCUXEGnF9:eg9uurUngnBU97EniCUppoiCUXfF9

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148

https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

185.252.232.158:7812

64.23.232.116:7812

Mutex

vsvf

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Security Health Service.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

146.190.29.250:7812

Mutex

VNM_MUTEX_h1gQxrpyccCFZq7JPS

Attributes
  • encryption_key

    V5fWyT4tQqXFouaUUxe2

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    SubDir34

Extracted

Family

xworm

Version

5.0

C2

146.190.29.250:7812

165.227.91.90:7812

167.99.94.206:7812

Mutex

4chIqEbR5Rq6U6EI

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Defender Service Host.exe

  • telegram

    https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 4 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 3 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 10 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe
    "C:\Users\Admin\AppData\Local\Temp\8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\crack.exe
      "C:\Users\Admin\AppData\Roaming\crack.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB4FD.tmp.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1640
    • C:\Users\Admin\AppData\Roaming\Cracked.exe
      "C:\Users\Admin\AppData\Roaming\Cracked.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1456
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACD3.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1972
        • C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
          "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2272
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:3060
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:844
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:2408
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2528
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1628
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2348
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2284
    • C:\Users\Admin\AppData\Roaming\update.exe
      "C:\Users\Admin\AppData\Roaming\update.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:1612
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2516
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:1300
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2532
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2052
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2292
    • C:\Users\Admin\AppData\Roaming\Window Security.exe
      "C:\Users\Admin\AppData\Roaming\Window Security.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2120
      • C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2340
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XevkspqRwEFi.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1004
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:576
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2016
        • C:\Users\Admin\AppData\Roaming\Window Security.exe
          "C:\Users\Admin\AppData\Roaming\Window Security.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2588
    • C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2588
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A5B10290-ED76-48B9-838D-2AC9CF178CC1} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
      PID:964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\msgid.dat

      Filesize

      1B

      MD5

      cfcd208495d565ef66e7dff9f98764da

      SHA1

      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

      SHA256

      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

      SHA512

      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    • C:\Users\Admin\AppData\Local\Temp\CabBDC5.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarBDF7.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\XevkspqRwEFi.bat

      Filesize

      209B

      MD5

      2d47e45da96782f8f7357928006fe9a6

      SHA1

      c88abf2912687b24934f305233f803ee8d223729

      SHA256

      256418fabd1e86cfe078fa4b42ffae3b1fb9529c88d575b7e1684c7d579c1017

      SHA512

      18ff2128eee25bcdc82d3fa980cafd73a053a23f2ee0e6150743ed2abe14fcf6a45e133ba48b2c83233f08c045603bae61924eb90eb0360e44319c6ef7cc1cd5

    • C:\Users\Admin\AppData\Local\Temp\places.raw

      Filesize

      5.0MB

      MD5

      c5ec8e3a3ac8a0b4def250704fadbe97

      SHA1

      0673f991bef6c568e04e37ae93567ab6369b8b46

      SHA256

      d72959f1ac7ba38109198851384bac6b086b0b4d859334719d8898b81ce4ca70

      SHA512

      2094ed53e365418bfc58ea71947280e71f712a20a28c1f49c44b3128032796a3066323a717dc74e4240fd03187c007660b285a5a300d5603d68ae61847e562d0

    • C:\Users\Admin\AppData\Local\Temp\tmpACD3.tmp.bat

      Filesize

      175B

      MD5

      316f7fe699793e3c1c14e39b6a090f6d

      SHA1

      9cb8e4f0fb3ee6f6451f8fac8922217ee446919f

      SHA256

      1a1bce2d960e535d974bc9f10a7420e30fda4e80f1271cc9d7d78a32527e3e20

      SHA512

      3a7dac5f3996cc7d7c188bc908b3fc03962ac267bbe8827a7c7c88e96d76b622cdfd0bcb28371b9edc1d00562b3d0d9c65c51d2895af531c9bece0d8f8965ea9

    • C:\Users\Admin\AppData\Local\Temp\tmpB4FD.tmp.cmd

      Filesize

      151B

      MD5

      9aade17858bcf5b0491be8840c5f3378

      SHA1

      081ca036fac3dc14544ffe22443aa4da0937a780

      SHA256

      2f305fc0415d152d94a8c3d4b76520edaffa87186dfd53ef2e2472bacbb3a3d9

      SHA512

      a7f9c77a54606ec4b7e5571b8a7f1724f63f5e7a832fd0a4c523dd9ec5c1e80d8ef15b98db94331be189e4ea6bdfc0299ca5703a97a311d660e5a626550aad67

    • C:\Users\Admin\AppData\Local\Temp\tmpBFB7.tmp.dat

      Filesize

      92KB

      MD5

      102841a614a648b375e94e751611b38f

      SHA1

      1368e0d6d73fa3cee946bdbf474f577afffe2a43

      SHA256

      c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264

      SHA512

      ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

    • C:\Users\Admin\AppData\Local\Temp\tmpBFC8.tmp.dat

      Filesize

      148KB

      MD5

      90a1d4b55edf36fa8b4cc6974ed7d4c4

      SHA1

      aba1b8d0e05421e7df5982899f626211c3c4b5c1

      SHA256

      7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

      SHA512

      ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

    • C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt

      Filesize

      105B

      MD5

      2e9d094dda5cdc3ce6519f75943a4ff4

      SHA1

      5d989b4ac8b699781681fe75ed9ef98191a5096c

      SHA256

      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

      SHA512

      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    • C:\Users\Admin\AppData\Roaming\Cracked.exe

      Filesize

      74KB

      MD5

      0dfa83a82f6418c73406d78296de61be

      SHA1

      dd7eceef8a434c43e0751e180bf714e08771d336

      SHA256

      8d27369ffa8b29d561fa9daf485be14d2fc00287bb1c69d4c84d514891c8db5e

      SHA512

      9a4b026250b18c29ab7dd48203f321c2ef2f12695bd2dcb52ebbc15001c8ddf019d5a7e04da056c50c1881ce269d1810259bf6d04b61f471e8751b7192fc73d4

    • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

      Filesize

      8B

      MD5

      cf759e4c5f14fe3eec41b87ed756cea8

      SHA1

      c27c796bb3c2fac929359563676f4ba1ffada1f5

      SHA256

      c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

      SHA512

      c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    • C:\Users\Admin\AppData\Roaming\Window Security.exe

      Filesize

      534KB

      MD5

      81b2c5c64951b603480d40d321540ff2

      SHA1

      314199ad92baeb203f5555ff3814e9b7a4f226f8

      SHA256

      b893220d33f9b8a0f98702bb577e4459792253ae651bdc18a93145ccd008af54

      SHA512

      3a57655bf7aa18a34364659553aad26a3d5b8946b957441f5fedebab5936b6bb2c71c6337837ead486a001b6a9227437cc5c4ec4a5de627f0e2db10dc6afdea6

    • C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe

      Filesize

      43KB

      MD5

      5322a12cb24e83bfa9746fbde06d07e7

      SHA1

      5263a4f26bda073e9f82dd4fa612eb494dd771c7

      SHA256

      4957d607c2984f94a258dba088fa1ab85e508bfaabe9279bf8b6bf6f4b97a9bb

      SHA512

      67bfaef1ddf4ad44218c82c5634e7f726304845fab1d5361353fdacd8d8d767fec32c871fa304f4199dde3f6224be76c67560a64c1d72bbe20e134c50d1bf058

    • C:\Users\Admin\AppData\Roaming\crack.exe

      Filesize

      8KB

      MD5

      9215015740c937980b6b53cee5087769

      SHA1

      a0bfe95486944f1548620d4de472c3758e95d36a

      SHA256

      a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541

      SHA512

      5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      170KB

      MD5

      96014694a042d8344b910bc47d79337b

      SHA1

      9d19ab2f110ae58f30965a5a3d608cbf51986edb

      SHA256

      4950eb74909bd6e739e38e57d8c6465c76ef108d65cac9f130d3f5c6d2fe943f

      SHA512

      fe308c42b3ad2c3d73a834399aa12ea23f336103389181dface80a81da8be1ffd9a950cac802dc8a806ad318eb90a6bb6021d1acd9206a07749f83f2bb6cd03d

    • C:\Users\Admin\AppData\Roaming\update.exe

      Filesize

      225KB

      MD5

      b8df7316cc35a0fb6fe3a326b4283010

      SHA1

      d49c11f5a95f72e37d6194df41178f2b7faa01ee

      SHA256

      f243df692ee7552286d52b23e4993e07a27877aa86c63b84903a8e6cbd0d19f3

      SHA512

      3ef92be29123695820970a003fd0561a57f87c8c6adae86781729027ce40ede4b63da30d0b0cc75376bd9ae90accaf674fc7ff799a8b73ab4bb45b2ca65ff120

    • memory/1156-20-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

      Filesize

      96KB

    • memory/1820-50-0x00000000001B0000-0x000000000023C000-memory.dmp

      Filesize

      560KB

    • memory/2240-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

      Filesize

      4KB

    • memory/2240-1-0x0000000000EB0000-0x0000000000FD0000-memory.dmp

      Filesize

      1.1MB

    • memory/2272-76-0x0000000000390000-0x00000000003A8000-memory.dmp

      Filesize

      96KB

    • memory/2304-41-0x0000000001110000-0x0000000001140000-memory.dmp

      Filesize

      192KB

    • memory/2396-40-0x0000000000F60000-0x0000000000F68000-memory.dmp

      Filesize

      32KB

    • memory/2712-39-0x0000000001300000-0x000000000133E000-memory.dmp

      Filesize

      248KB

    • memory/2748-38-0x0000000001330000-0x00000000013BC000-memory.dmp

      Filesize

      560KB

    • memory/2776-37-0x0000000000B90000-0x0000000000BA2000-memory.dmp

      Filesize

      72KB