Analysis
max time kernel: 0s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 17:43
Static task: static1
Behavioral task: behavioral1
  Sample: 091f600fd48ae9602d1bb72d1f001796.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 091f600fd48ae9602d1bb72d1f001796.exe
  Resource: win10v2004-20231215-en
General
Target: 091f600fd48ae9602d1bb72d1f001796.exe
Size: 512KB
MD5: 091f600fd48ae9602d1bb72d1f001796
SHA1: 2b676b583b9bacf57a6364aa38832ac8b92f1ce9
SHA256: 27054ea6539792fda245ba1442d854124426aaddd75bd789b7be36de41078553
SHA512: 2b9900328aa47d5182f453662afa5c091426df0f46fc4a2ac96dd37978d69d09a587c9726a06f034baa4f5d37bafecbe9e0a71ba342dc77e812729305460b053
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | crjyugkrbl.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | crjyugkrbl.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | crjyugkrbl.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | crjyugkrbl.exe
Executes dropped EXE 5 IoCs
pid | Process
1728 | crjyugkrbl.exe
2152 | ixtybdxxnqruumj.exe
2592 | zitcxgiu.exe
2648 | tqdpraszdrvkz.exe
2608 | zitcxgiu.exe
Loads dropped DLL 5 IoCs
pid | Process
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
1728 | crjyugkrbl.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | crjyugkrbl.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgojvdkw = "crjyugkrbl.exe" | ixtybdxxnqruumj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fstagags = "ixtybdxxnqruumj.exe" | ixtybdxxnqruumj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tqdpraszdrvkz.exe" | ixtybdxxnqruumj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\v: | crjyugkrbl.exe
File opened (read-only) | \??\e: | zitcxgiu.exe
File opened (read-only) | \??\m: | zitcxgiu.exe
File opened (read-only) | \??\k: | crjyugkrbl.exe
File opened (read-only) | \??\i: | zitcxgiu.exe
File opened (read-only) | \??\h: | zitcxgiu.exe
File opened (read-only) | \??\h: | zitcxgiu.exe
File opened (read-only) | \??\o: | zitcxgiu.exe
File opened (read-only) | \??\r: | zitcxgiu.exe
File opened (read-only) | \??\e: | crjyugkrbl.exe
File opened (read-only) | \??\i: | crjyugkrbl.exe
File opened (read-only) | \??\e: | zitcxgiu.exe
File opened (read-only) | \??\y: | zitcxgiu.exe
File opened (read-only) | \??\s: | zitcxgiu.exe
File opened (read-only) | \??\q: | zitcxgiu.exe
File opened (read-only) | \??\x: | zitcxgiu.exe
File opened (read-only) | \??\j: | zitcxgiu.exe
File opened (read-only) | \??\z: | zitcxgiu.exe
File opened (read-only) | \??\j: | crjyugkrbl.exe
File opened (read-only) | \??\p: | zitcxgiu.exe
File opened (read-only) | \??\a: | zitcxgiu.exe
File opened (read-only) | \??\o: | zitcxgiu.exe
File opened (read-only) | \??\r: | zitcxgiu.exe
File opened (read-only) | \??\h: | crjyugkrbl.exe
File opened (read-only) | \??\o: | crjyugkrbl.exe
File opened (read-only) | \??\l: | zitcxgiu.exe
File opened (read-only) | \??\z: | crjyugkrbl.exe
File opened (read-only) | \??\g: | zitcxgiu.exe
File opened (read-only) | \??\z: | zitcxgiu.exe
File opened (read-only) | \??\n: | zitcxgiu.exe
File opened (read-only) | \??\y: | zitcxgiu.exe
File opened (read-only) | \??\m: | crjyugkrbl.exe
File opened (read-only) | \??\n: | zitcxgiu.exe
File opened (read-only) | \??\i: | zitcxgiu.exe
File opened (read-only) | \??\q: | zitcxgiu.exe
File opened (read-only) | \??\x: | zitcxgiu.exe
File opened (read-only) | \??\q: | crjyugkrbl.exe
File opened (read-only) | \??\b: | zitcxgiu.exe
File opened (read-only) | \??\v: | zitcxgiu.exe
File opened (read-only) | \??\g: | zitcxgiu.exe
File opened (read-only) | \??\k: | zitcxgiu.exe
File opened (read-only) | \??\l: | zitcxgiu.exe
File opened (read-only) | \??\p: | zitcxgiu.exe
File opened (read-only) | \??\t: | zitcxgiu.exe
File opened (read-only) | \??\a: | crjyugkrbl.exe
File opened (read-only) | \??\y: | crjyugkrbl.exe
File opened (read-only) | \??\a: | zitcxgiu.exe
File opened (read-only) | \??\m: | zitcxgiu.exe
File opened (read-only) | \??\n: | crjyugkrbl.exe
File opened (read-only) | \??\p: | crjyugkrbl.exe
File opened (read-only) | \??\u: | crjyugkrbl.exe
File opened (read-only) | \??\t: | zitcxgiu.exe
File opened (read-only) | \??\v: | zitcxgiu.exe
File opened (read-only) | \??\w: | zitcxgiu.exe
File opened (read-only) | \??\b: | crjyugkrbl.exe
File opened (read-only) | \??\r: | crjyugkrbl.exe
File opened (read-only) | \??\w: | crjyugkrbl.exe
File opened (read-only) | \??\l: | crjyugkrbl.exe
File opened (read-only) | \??\s: | zitcxgiu.exe
File opened (read-only) | \??\u: | zitcxgiu.exe
File opened (read-only) | \??\x: | crjyugkrbl.exe
File opened (read-only) | \??\j: | zitcxgiu.exe
File opened (read-only) | \??\k: | zitcxgiu.exe
File opened (read-only) | \??\w: | zitcxgiu.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | crjyugkrbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | crjyugkrbl.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2216-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0009000000016a29-5.dat | autoit_exe
behavioral1/files/0x000a00000001650c-17.dat | autoit_exe
behavioral1/files/0x000a00000001650c-20.dat | autoit_exe
behavioral1/files/0x0009000000016a29-25.dat | autoit_exe
behavioral1/files/0x0009000000016a29-21.dat | autoit_exe
behavioral1/files/0x0009000000016ca5-31.dat | autoit_exe
behavioral1/files/0x0009000000016ca5-40.dat | autoit_exe
behavioral1/files/0x0009000000016a29-41.dat | autoit_exe
behavioral1/files/0x0007000000016d16-39.dat | autoit_exe
behavioral1/files/0x0007000000016d16-37.dat | autoit_exe
behavioral1/files/0x0009000000016ca5-43.dat | autoit_exe
behavioral1/files/0x0009000000016ca5-42.dat | autoit_exe
behavioral1/files/0x0007000000016d16-32.dat | autoit_exe
behavioral1/files/0x0009000000016ca5-27.dat | autoit_exe
behavioral1/files/0x000a00000001650c-26.dat | autoit_exe
behavioral1/files/0x0006000000018ba1-69.dat | autoit_exe
behavioral1/files/0x0005000000018717-66.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ixtybdxxnqruumj.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File created | C:\Windows\SysWOW64\zitcxgiu.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification | C:\Windows\SysWOW64\zitcxgiu.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File created | C:\Windows\SysWOW64\tqdpraszdrvkz.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File created | C:\Windows\SysWOW64\crjyugkrbl.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification | C:\Windows\SysWOW64\crjyugkrbl.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File created | C:\Windows\SysWOW64\ixtybdxxnqruumj.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification | C:\Windows\SysWOW64\tqdpraszdrvkz.exe | 091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | crjyugkrbl.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 091f600fd48ae9602d1bb72d1f001796.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 19 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | crjyugkrbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | crjyugkrbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | crjyugkrbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | crjyugkrbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | crjyugkrbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7A9C2382566D4276D770562DDC7DF564AC" | 091f600fd48ae9602d1bb72d1f001796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9BCFE10F290830B3B4581EC3E99B081038A4211023CE2CB42ED08A0" | 091f600fd48ae9602d1bb72d1f001796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC70B14E6DAC5B8BA7CE5EDE037CA" | 091f600fd48ae9602d1bb72d1f001796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | crjyugkrbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | crjyugkrbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | crjyugkrbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | crjyugkrbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | crjyugkrbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | crjyugkrbl.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 091f600fd48ae9602d1bb72d1f001796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FCF9485F826A9041D75F7E96BCE7E136584566416335D69E" | 091f600fd48ae9602d1bb72d1f001796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | crjyugkrbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B1584495399A52BDBAD5329CD4B8" | 091f600fd48ae9602d1bb72d1f001796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BB2FE6B21A9D109D0D18A0B9014" | 091f600fd48ae9602d1bb72d1f001796.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
2216 | 091f600fd48ae9602d1bb72d1f001796.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
1728 | crjyugkrbl.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2648 | tqdpraszdrvkz.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2592 | zitcxgiu.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2152 | ixtybdxxnqruumj.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
2608 | zitcxgiu.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2216 wrote to memory of 1728 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 22
PID 2216 wrote to memory of 1728 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 22
PID 2216 wrote to memory of 1728 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 22
PID 2216 wrote to memory of 1728 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 22
PID 2216 wrote to memory of 2152 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 27
PID 2216 wrote to memory of 2152 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 27
PID 2216 wrote to memory of 2152 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 27
PID 2216 wrote to memory of 2152 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 27
PID 2216 wrote to memory of 2592 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 23
PID 2216 wrote to memory of 2592 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 23
PID 2216 wrote to memory of 2592 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 23
PID 2216 wrote to memory of 2592 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 23
PID 2216 wrote to memory of 2648 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 26
PID 2216 wrote to memory of 2648 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 26
PID 2216 wrote to memory of 2648 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 26
PID 2216 wrote to memory of 2648 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 26
PID 1728 wrote to memory of 2608 | 1728 | crjyugkrbl.exe | 24
PID 1728 wrote to memory of 2608 | 1728 | crjyugkrbl.exe | 24
PID 1728 wrote to memory of 2608 | 1728 | crjyugkrbl.exe | 24
PID 1728 wrote to memory of 2608 | 1728 | crjyugkrbl.exe | 24
PID 2216 wrote to memory of 2484 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 25
PID 2216 wrote to memory of 2484 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 25
PID 2216 wrote to memory of 2484 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 25
PID 2216 wrote to memory of 2484 | 2216 | 091f600fd48ae9602d1bb72d1f001796.exe | 25
Processes
C:\Users\Admin\AppData\Local\Temp\091f600fd48ae9602d1bb72d1f001796.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\091f600fd48ae9602d1bb72d1f001796.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2216

  C:\Windows\SysWOW64\crjyugkrbl.exe
    Command line: crjyugkrbl.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1728

    C:\Windows\SysWOW64\zitcxgiu.exe
      Command line: C:\Windows\system32\zitcxgiu.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2608

  C:\Windows\SysWOW64\zitcxgiu.exe
    Command line: zitcxgiu.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2592

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2484

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1448

  C:\Windows\SysWOW64\tqdpraszdrvkz.exe
    Command line: tqdpraszdrvkz.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2648

  C:\Windows\SysWOW64\ixtybdxxnqruumj.exe
    Command line: ixtybdxxnqruumj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2152
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 68KB
MD5: d484d365237e56d843948a4470242f94
SHA1: da2785b10b756616cc28f01875d08a0607a1374b
SHA256: abc8209f8970e95d9d6b1896bc4239315a048a2260b277da26ce87d86e3f7951
SHA512: ff9079966f27ff3e91800c9320c130a7b8df68318d6c9ce011698b6d7806a4f58fed173a3649bee9356554b3288b16d36d6636c899a91f457262cdbdc94532ac

Filesize: 70KB
MD5: fb91407717c767a9e258d389ddd7e89d
SHA1: dd95f158cbf9115f390328e22f41170348fd8a40
SHA256: ecffdd67f11bc0b00d277461fc1b9e6a835b1cc67732a07a57e8a002a506c619
SHA512: 3fe3b282626b4c224a18e450a9cc70eeaad894ff5ef3411ef47dfa3e1f65756265bb25b9385702cb83e29142b61e515a3556402d0026b73fffc8a6c841eeefd9

Filesize: 8KB
MD5: f8ed530f6a6f45faf87c36c790ea078c
SHA1: a15f4623166d388fd19962da1e658204078d54a7
SHA256: 1c79499310909e514f39bffe4aa948e19ccfd6f9360ad08f5a0c67b9f96857c8
SHA512: 951c82f98652bd2037ffa14fd36066da8a6ab1839bb0e6bf8f98f0e9862d6048ca1339c07c5cb8831421efa4c37e353b75cf79b2349ec20c1496ac1dab8cfae6

Filesize: 68KB
MD5: 302220e57855732c844bbd43f2ce17d9
SHA1: 9a07a1a92f309a80368554b7240f5a339beeca54
SHA256: eb18c50812897858c1b5cbcbb9ba173849a86f03fc118fb3137f616b2286e030
SHA512: d31ec957b7bf30a0c0d94b205130e9d048db3bc9e4a6b99f081fb44d5f464d765128f46727d76a5820e206ef463c51173ecfc12e0c5bb5ff2e3ed43b0b78dbeb

Filesize: 45KB
MD5: e8d0a210a7de9cb675e1378280b0b6de
SHA1: c2ab939a2766a03bf6c24459cd935c2d580f220d
SHA256: c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b
SHA512: e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

Filesize: 58KB
MD5: 55270575413995f8c811f155340e43d4
SHA1: 5e9ac9afebe7de3de8454a7833d8da7e8e497c2e
SHA256: b9a4eff3864e5ed148cc457647e92a2e1f3b33e7cdcb80fb999e80661391fda9
SHA512: e0b5791ef69b5a13e1df33f32ed567b73d08f62d974dae686cb7aea1125910c0a946383a116920ef5921d103b036be7299499e6961fc751caa18f7280de1b315

Filesize: 44KB
MD5: b5872814d8ddf4f891cbdd57e5a26c8d
SHA1: 5b8d9fbcd7b44015f066988a90ceb0e5c23b80f9
SHA256: f6efc65801afa1b061deb8d03ab593804de4c02dd6d0faa13c55e98406eab799
SHA512: 2d27bb5e38c027664864ad5738b7cb474edc57fc35f1615868ac1e06934ba67fbee85103035b2ed921c6599fd722840b707be416086a30c1bb32fa003ab1d7a7

Filesize: 84KB
MD5: 35efaa547e515164909bb41f32754738
SHA1: 1bf017170d0e8bde934846b3009c2e68cdc99245
SHA256: 6b7ff53ee45410899247949a42f236daf411d3da70d72b6144e2710d7011af00
SHA512: 657ad5a56525e6dcd459dc776e0df1009a7310fd668ca081cf32bc43dbbb94ca67235285a6236b53e06ff6dcc7970d65335694f04f85a597922882a78cdcbb62

Filesize: 64KB
MD5: 7eb2abaaeb4d282eb0261173bd0a25ab
SHA1: e856e280e8dd10713989ebf2fdd1cd5530a97f57
SHA256: 37cab9675e58b94ff83f06ec6e504575d29d756ebe802292c8d9b72f13a928c2
SHA512: 456f43954659bd0f5a2e34b84a85123c5cec2378e8360a21f8c0ee0157355bd266bc79b599c22ed5777ac2a0d07737e6e117c74eb76c35c5ec4155e6cebf7df0

Filesize: 92KB
MD5: 379ff6663aca28265ef117a97f9af33b
SHA1: b740ee76768e54e5f169b68df54377d2fdee378d
SHA256: a386721c29a1263bd301a958aeca633ade1c1c2dedaa6daa6e56fb8d15d53503
SHA512: d52c6100cb2e81eaf2777b9cf0d4012783ecb579426c05a19cbdbb8ef22b3776c237fbc36d482f42790443a853564d19d2a7d3a9fac7bc2794982f64eba6bc8c

Filesize: 79KB
MD5: 0f82bc95d2b930b65a9131822c2177c3
SHA1: 6e68c406c57faa1e5e45c9dc7141c4a7ae10ddef
SHA256: 811f79616714483e6b839af65eff75b4e75cc055cfdf0c508019c3f1e8e6f9b9
SHA512: 4cb1445f2ca945d88966e4123bdb5f6eee156dbec271bf10d5a0b85ad5294523d2c6ece9466a2e4eadea019ad0ced02372da08bce7725e482bd6f210c9469384

Filesize: 60KB
MD5: d9821902a408c524bc74aef02b2733e7
SHA1: 772d765f0aaa5061888491e43fb0885429c1b082
SHA256: b7e9f7aca5aba1ebb54efb09e8201ede40b2580e451775eb0bb3eddcbb27a271
SHA512: 13324a5c5f9ab36106a3eea45e3a2adca911b500afc875ab77cdf4e6f1fad6c830ae3d234c333400072582fc385b5bad2096eedc7dd5b870f86899c6a266d33b

Filesize: 43KB
MD5: ef09f69c15bc84dc2cf8602e9f2d92af
SHA1: d0052c176e9609c88f846e5a1f0bd44cba044232
SHA256: 7bbc3e3fa03d66ae06ca07f268d083ad7e74edee4f37f1375b14a7746d3f1b14
SHA512: 969e300f3baaf65441789ba8a84b970faa526586f3732a7d29926a98ffe8a6d2583a7ee23f385b21fcd1eda29c26373d60e6cc4b2e7080df4a9614b43a6779a1

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 107KB
MD5: be6627a26dc753ab09ca6c6500790909
SHA1: 69f3f76641e79edd5bb3c5c6e2199ca44f53b1ce
SHA256: 9e7f15263cf46cd93acd4e80043720dfabc9332e4e204a817fa15a2a7271c024
SHA512: 7938004f3a0aea171b54d74400acdc47a66d76295902f1981844f52e93e7e7363190b7a1d9b1e11299f7115bbf3ee634eb879eee085aeaf73ebc4aa32d359466

Filesize: 69KB
MD5: 9caf21c47d1d65584b05acfb3f184e2d
SHA1: db48f3e099885e8424196fbceaf7f1fe646711fa
SHA256: 093a86246d83ca00897ae2b76c49b2aa5ad48eb4654cf0ad0f0d3916da188b9c
SHA512: 5b506668c884ff43613be5be789575c28fa3c03233db3828ea6734fa15314485f1dfa2ece3b4ba89e39b65336120b0431386f97683b26d4f8a6061df137afa90

Filesize: 74KB
MD5: 526206bb3d7d4ead109f316e7394053f
SHA1: e36eb45ce89a96856ca139e9e9e8c8ee51b81551
SHA256: 1b1ee696c703db5e86d405d97417be188695505db111664df844063eb43432d4
SHA512: 527c6f5a8cb1145c78f28cc681b57103d7278e517d9afdb2a22257c51a2506d1cc84ef46b3379ce9a968cdf9059cc1c9395d0aedef6aff1eb733aa5cf097a019

Filesize: 33KB
MD5: 5f15d6798edf154d87f656b47a6d1921
SHA1: 6a7f05fa25962ee5932b1da58b0987d1aa1a2811
SHA256: 775109b639ede779b117f0f2b9a0a3e90db52bd772d1702de17d4b9839d5db52
SHA512: f9e6a0ad87c75b6d715f448a17adfa49a4cbe81f72fe99d03c11bc1b3afc849861872a6e105cc732d1944832bf55ca59840738bda742d062005ea475bc8d12ce

Filesize: 44KB
MD5: d4972fab59bd020b6c542b606c391387
SHA1: ec218d5b537dbeea1eff537636dd8710b325550c
SHA256: 6a865a8a8f6c6015b62a59aebadf7f7a59dd5002b9812bd2bdd26f4e38b916b2
SHA512: f7e497374e351b2c61a2026eb4f852e291570f129e25e0322535886856ea63e99c984fa88358ffaf1baef4a6e27af0a65a6ba3beaa136420067fa851d97cba7a