Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 22:00

General

  • Target

    468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe

  • Size

    91KB

  • MD5

    b1d40ed23f434400f1332a468bdd75d0

  • SHA1

    1b02aafa08536bceea27f8fe633beffbe6f3c478

  • SHA256

    468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c

  • SHA512

    bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec

  • SSDEEP

    1536:9a8jroAbRB+XWCQLZeIdSwkRa8jroAbRB+XWCQLZeIdSwky:LFRBLJSpFRBLJS8

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • Detects executables packed with ASPack (64 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTP)
  • ASPack v2.12-2.42 (17 IoCs)

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE (30 IoCs)
  • Loads dropped DLL (45 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 18 IoCs)
  • Drops autorun.inf file (1 TTP, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (38 IoCs)
  • Drops file in Windows directory (24 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel (54 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 18 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 6 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  • Suspicious use of SetWindowsHookEx (31 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
    "C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2280
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1504
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2804
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:536
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:300
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1176
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2852
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2740
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:824
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2508
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1600
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2820
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1464
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1456
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1284
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:896
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3012
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1712
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:988
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:880
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2956
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2920
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1352
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1660
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2524
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2480
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    b1d40ed23f434400f1332a468bdd75d0

    SHA1

    1b02aafa08536bceea27f8fe633beffbe6f3c478

    SHA256

    468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c

    SHA512

    bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    be4edf18ba6e1925dc6aec78669c193b

    SHA1

    008cc0f18e05294bb89f15a7c284071f8d7aa23c

    SHA256

    8bf9e32284de09c930de70fe760bbe7d7f8e55558f92f10f7cb9f7a00800cf86

    SHA512

    5da7dab78d3225fa433a65130edba41eb618a46d5e71a04586366e2caacbb9955aa19adde5740fd6a2726fa7c906af742a904580a87d79cc58158923eb9f2c80

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    bb495374fcd212b84e2215d218b35f8d

    SHA1

    bba2e1e4dfdae51dcb924dbaabffe78508ebd218

    SHA256

    64f4d187d74afe04f40efe85823f9ab290c91a4cce0aa70241efa4eda812c0e2

    SHA512

    2bf2575f81939f8ccce5d569f2787d9f4092480db45cc06657abffc374ffbb8bb81d3e0d09e4e448c671b30ed74b745db3d57d40b9d4e3b3d0e7cb373f9d5481

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    f943aff0f8f42f8aaa8046700c72a791

    SHA1

    75008314f650c5f6c577b530d3e42cdd45969edf

    SHA256

    77a30173ccfb5056e68d89fe6736b624ca531682c116c57a4b28068bbb282148

    SHA512

    1ea61354e8e1be2a41b9254688987cb605e07a6678201a3ca3c622b6f4e6e1f0fcde14457c1bfd51cc1f17c58308b45290de74c7bc697e8bdc1309c0562126ef

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    ea3020dd40790c7b7d7255a3422ac3f5

    SHA1

    8cb10d3b5fdbacd8581d8c563bf81dbc9a107243

    SHA256

    db987d55e361766227e401046963adbf07a272c24a0df59db5f0f7ebed53e9f1

    SHA512

    9dbce95bc2084985bfe94afc5ab8315e76cc0cd9bc7fb1cb34b5ee95e3f0c1e39ff8a5291ee4602f70204395fe6a81498f1c95e8dc5b1765f7acef5cd633249a

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    9db73b51ebe314816e0dc7ad7fda2393

    SHA1

    42a19801e826bf4c8e30c7ec82ad5417a5e729a4

    SHA256

    25f9bf8d56e78897478943507e25c8140f4037ab8005de4327fc8b690c56033e

    SHA512

    930034e135c9ae9e84ff05cfd4cd90efd3a4b9c13b0db1a57b280f5c75fecf88af781a84e76d525745955111c1d9944f1ef61e35c678498d4215bf19f5470439

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    91KB

    MD5

    d73e21e8c4f04a021749fdc10dfac0d9

    SHA1

    f714159a570d18c1d8c5d9eb247d33a5e8a0a5f9

    SHA256

    9965ac697c8672240a409e4c56ca04cd26028dfc989b8209358d4ce33e47aa12

    SHA512

    e142635d4fe79d10d013b2a5c6877d0e62e1ea5f7ba6bc39f80c495c598c0abc43adfeb560f12e70fa6fee2980c11921ae024f6679329e36f6cb516a71802ee6

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    91KB

    MD5

    157de3b6fdb9b87374fda5edc67872b4

    SHA1

    8d05ee540a3009e65e892f8921a2176d0785a8f7

    SHA256

    59fe596fc0b807b410493001e1304a062b4d5bd7237a5953e59150ebdeae3ff1

    SHA512

    d8c040c44fa27b8505871dbf86c259918340e2b2eb0e2829d44759bd19250b78e1a51060fc79321d91ac10b37e26fe9bff07b55f5c393ae8fc180aad180db868

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    8dcf6cbc58fb587985efd36af6e1cdd2

    SHA1

    4cb1ece01ab761f714f3e984e8d9941acc5e4e35

    SHA256

    1c53af601b77fcaafc85717ba2441c0b5534f13ebcd12e09eed65877e56fbb02

    SHA512

    7320d27151e19c4df826233d14c7814dccf8d2246709cd0cbe097abebd186bc53734e75065a3da43b894f03a9acbc3e282ebc028195773f295c93555c11844ee

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    f50c9eb98c5e50c75e533f39c7f62917

    SHA1

    311bd875eafcf308303999adef1fe694edbf08ef

    SHA256

    2afb3f45b525242db6a58f2d2a95720cbd4be92aff1096ea2fb4cabb569d00fa

    SHA512

    fa27f4bd9efc82a314406489057d0eb55b5f14ddd9d6e5d4b69c3f04b8cfbcdc7cdb897a13b491a99e24642f51cb4b306b29d70741a5040f11a2c56f756abc15

  • C:\Windows\babon.exe

    Filesize

    91KB

    MD5

    ea62df7d718eb7a68ac477dcb2dcec2b

    SHA1

    df12b3889b8924fe24e1360bb98804b3ac11802c

    SHA256

    8a3745125a76f06acd09d9b1ab3d1c280fc830f6ef32c4d88f7b72ff74f463a4

    SHA512

    5cb39da3a6760e89063e208e193b97a140e4ba1fd2df81653269db18c1b6aea1eb171c9545e330c39df591480fd84f97da3ae285d3020856080d3c7a0a21a5bb

  • C:\Windows\msvbvm60.dll

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\babon.exe

    Filesize

    91KB

    MD5

    7f6982ec92c236866188de882ea998e6

    SHA1

    589548be21378f06e163e8f20b92c6a304e10edc

    SHA256

    6c71053f7fcf17085ddf55a4211a9547521a0d1915a9d4655f08b16353a56be0

    SHA512

    94877160db836e7ad70eb4643f9166eccc3003e3bc586529ce4de76f4917a92206ac03165118a31078aaf56d68f13cfd214804aaec6d76e973b0577e74298852

  • C:\babon.exe

    Filesize

    91KB

    MD5

    76b4bb0515cca80dd6b0dbf812c7c880

    SHA1

    3d18bb2d1e91ddbb407fbe5af8b00907ac0f3f93

    SHA256

    5f2777f146969ac2d6a0523fc15a3859e852836f209e164c5120d3bf0c41444e

    SHA512

    5349378c732b2a877428f31913b12ca7b695e2dfdc4c644626c68fa24380be81ab52657b44942b88fc05f37a42bec4969e84d5fdced9707dec63507f08a7f9b0

  • C:\wangsit.txt

    Filesize

    416B

    MD5

    8c460e27a1949370d14f20942ef964c3

    SHA1

    fb1f75839903c83911b45b49956792d27db56185

    SHA256

    2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

    SHA512

    ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

  • \Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    91KB

    MD5

    62ebac52f4e0e132a905dc854605a892

    SHA1

    c62bcf2236fe2e9edd3f2c2b27b93f6b2cfb68bb

    SHA256

    2edfba3bc8ae4b72c5638190006daedf290d4e59f2587c9fcbab28d59bbfb196

    SHA512

    342b9263a98bc719efe06d367409458ab939d89fb31175f89f6b84937864f4d7921dc505e49ee5a15cb5c8f238d795dd466a60917841d22884b0f5f5a351bfa4

  • \Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    91KB

    MD5

    c556c2398297e80ca3fd3862569694a2

    SHA1

    a91b986ce905e0c2647b0cf3fddfda1cc5426f35

    SHA256

    b5bf1f58724159a56011c48e9ce496782a84fdf93a0e0613054a1ee66c85a33a

    SHA512

    4fb93f7b503f23539e357f7c208cf7cbbde236a76d9f20420702774c556ac2a05659d2619f25bd4a3123fe79ebcb891ba2bb385356284522de6e601d66042e76

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    91KB

    MD5

    677bf37d5d18fb32d81567a411c8075b

    SHA1

    727c967c652e43ae479460c99f7c6b28923efe90

    SHA256

    a9f64353454d5d4a6686a57f8b06dbab4fdb17da2b40dcb103c99a347258721e

    SHA512

    d73631ee50591efd709cf4d12aef67154f63cb63948db2cb98cc8887733cdc0ce94550e46d5ccbf656571ce96f25b58ca26f6e440a3aa83f4924503be39875e7

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    36fac6cd982640eb7e21e09264d047d7

    SHA1

    dc987cb5115efd988d3e4fad26b7a3c617fd3340

    SHA256

    556b7d20710add59a4fb36076a8a33e2672fb3f4b77474f3bcef7b042189f6d0

    SHA512

    2ceaac2e3e82f0f28855d42035ca1755d0382f6f12b8e11c588fa99146148ff8e389c077bc397f7cec0716d46adfea3fa5e73ca8060d6483ff8a7cda1087b3b0
