Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/05/2024, 20:32

General

  • Target

    3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe

  • Size

    45KB

  • MD5

    6eb19ae66d972318036d3db18d5d472a

  • SHA1

    be8a4422b0e24543c2dcf77d573b68ff411e10cf

  • SHA256

    3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2

  • SHA512

    ebd9118fda8361dac4989a9da473122b60b9d0a85b3effc0893b65e2080dfe66fc673afd2c1937921eaa663723cfccb184ee4adc5b77b36cfcb2f611b21d988f

  • SSDEEP

    768:CcMJOcV8OrUpdJ8WbqpD3TORaEXowekfKnl:yOcjUpkWb2TTgKwul

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 16 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 8 IoCs
  • Disables RegEdit via registry modification 16 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 56 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 40 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 50 IoCs
  • Drops file in Windows directory 32 IoCs
  • Modifies Control Panel 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 7 IoCs
  • Suspicious use of SetWindowsHookEx 57 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
    "C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1496
    • C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4752
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4824
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2040
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5076
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2328
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:448
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3792
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4272
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5064
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2464
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3572
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:796
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4088
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:896
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1080
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3860
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3268
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5068
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2928
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3408
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1748
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3548
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1512
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4476
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1096
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1140
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3596
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1496
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4784
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3592
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4916
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4488
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3224
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5044
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3104
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4408
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4400
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4512
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4192
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3564
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4516
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3752
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2892
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2392
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:960
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2760
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4812
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:8
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4552
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2816
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3336
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1876
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\4k51k4.exe

    Filesize

    45KB

    MD5

    7b0a241fd3c0ab64ea082ba092e72fcc

    SHA1

    f4463f48e80d4fa2ec6462975ae44773e244160a

    SHA256

    582ff4a3ac5719c51648b74af335358527a566c1ead2b68efce3e924bf43cf60

    SHA512

    e8fae0b089f7ec436391ef13c6954d51f3adfe8c427a6a624728fe6d662310dc6455737362d940b3b470c18e2f9592f219e06f942a2e1463b7031d53d04514f9

  • C:\4k51k4.exe

    Filesize

    45KB

    MD5

    1773ff8f61a0c13e6606b3f74bcffa99

    SHA1

    91860e9140d5b48378297c2aa0c07ff64f716156

    SHA256

    91d08b3374d704c5957608f89687a4142c7decad18285f086f2965a03f256a18

    SHA512

    50b1e08b9a6aa9da0e2f80f68275f93cbb7322e80f883dd9c9f4015d99f801e023776c471322b459dfc5806b1101c69d72b6b6d1b506d5f7459d67f2615cadd7

  • C:\Puisi.txt

    Filesize

    442B

    MD5

    001424d7974b9a3995af292f6fcfe171

    SHA1

    f8201d49d594d712c8450679c856c2e8307d2337

    SHA256

    660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

    SHA512

    66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    e1b24eb0587f150811db2c9cbdf1a0cc

    SHA1

    295daaa0bdc88956d83aa7d2ef31e8a1d6016af5

    SHA256

    74bf43d4ca1f1d613db1a616ccea421f533298e2722aef8f634049e003437c80

    SHA512

    20816f2fff941e3fdb61cdddac70a5ef91f361ad35720d289977677ff2b54effedde65b5bbc4012426559e147e154367a028e8525ff34b890b11a84ceb788811

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    adfd95fb727d46605e79dd784ab22e22

    SHA1

    fd54eb4f4ec2ee61572f2f9d1641d5f1d65ddb51

    SHA256

    a60bf3167a0f90db6b83effefad244e6e2cac39b342bea4021fb355fdabe3dad

    SHA512

    a5b77eb43bab5039314b6c1221bf4bb448ea513840668a2963b012f1d5150e21822f1e6eebe01059c6b86e5cf55df48964920f2a1d546baea3be286481cbc87e

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    d4ef9b46a0b7d8069b4e194b2e33e384

    SHA1

    4829ba106f50dee23c79912637ee68cb3b5a51b7

    SHA256

    52bcf0c75691c789b2c9e46344e7ae482c16ed6347797ea09540dacd1c3bff6c

    SHA512

    e0f7ade14073ec304c28cf4e9f53d314c946a1b306553d0f6e85980e415db8c9bd72b4a56bfbda72efc6e51ae108b7c9b0bcc07fd7b2fd040202db636c3c3b30

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    45KB

    MD5

    5a84061c5423af7d0f02106204b964fd

    SHA1

    1d6a1b4a4dd4667dd38a7dbac9fe98677d82d7fb

    SHA256

    ec7cf79040fe907d536cbe21b1cf40b6267b38927d6550c3d04ce23408ce4668

    SHA512

    aceec7d201171a5d109e36c47080d290e3cc462d55564758be3ca95e7b55ddaded5ccd65b79cb9030807362835346b1342e6393a3278901b5a9c203de591a062

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    74d1414a96441104069cb32dfbffcfef

    SHA1

    dc75f19f59b39635a24195e8c3610d74278b1d0b

    SHA256

    84253e3464b3fb7387ada610ad9413ad2cfebc6253967812a3d51c3dac9595d8

    SHA512

    1965f7005ebc80fd758fa14e1f5fc8f17a697b4f3ea4134b778aab952864bbe463976c2182e4214e81b3da120ed90e2706ab114259e356fb0265d91eb0694f3a

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    6eb19ae66d972318036d3db18d5d472a

    SHA1

    be8a4422b0e24543c2dcf77d573b68ff411e10cf

    SHA256

    3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2

    SHA512

    ebd9118fda8361dac4989a9da473122b60b9d0a85b3effc0893b65e2080dfe66fc673afd2c1937921eaa663723cfccb184ee4adc5b77b36cfcb2f611b21d988f

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    3708021fea995623ce0efa0754c0c85e

    SHA1

    0cd27871def42e4f06756a344c8783efca1ad8ef

    SHA256

    8d3cad1350980af802bc4ac7bc6e8ba1f2328da1b73e990e5751ec3e7b2dbea9

    SHA512

    9a0ee2658a666b1b31eac21aa628db73f69f0b62b2c81f47bf370161a20148c3e53c5ec2cdc205bdb83c8f77ec86cb1ebb034bfc38a94ed3820ddddce13332db

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    ac208ecc73d2061277dd1d6ca5f8b6de

    SHA1

    29f61a08123b88ac5b4b98f2433529e2c275baf4

    SHA256

    3fb380f1034aeb2cf7eae0ae4eee1b12fae7c3539247a2673ea7906a202e9fbf

    SHA512

    05ec052aab749548a47b23c6114e51c9a955ab59fcbd5dcf681770370bd8fe2284b39e3f4e07da912ea0cfa80e692e14e492254d0ba1f451b1e216430b0c39be

  • C:\Windows\4k51k4.exe

    Filesize

    45KB

    MD5

    f4c3326df270412d62666cefa047ba89

    SHA1

    d3dbfd03806b9c4fb704e51d581caa0fb11e59dd

    SHA256

    08af9dd4732473d4e40786902beb7f251b0d5bde2838b983be3f4fab8f7db814

    SHA512

    71d85911d632939dec8878ff099e0677c8422a339614dd287eafe5cd8f537fb3edff741bc6b7b1a923b73682a0920cfb30a73c4faf33fb9967ca5372b8461834

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    102394253ba7c90b1e17b098b0655a1a

    SHA1

    2ca28a05df234ba6c867d1849060e8439795f38e

    SHA256

    6a1c95905366cc70bf9b65d9c677e966a7b9f5930103bf5aea6a01cfd8d38440

    SHA512

    12cc4748587eb5d21040feb5455bd814ce7869a5f549d103c70b757fe608369af721e5d4372140f3b221b1fbe440f3ed281a3c3b310695463dd90caeb59cde38

  • C:\Windows\SysWOW64\MrHelloween.scr

    Filesize

    45KB

    MD5

    8e30ef6970c2370756aa73a0a695ed82

    SHA1

    8d016e2df638b8f9afa7285ae47f8a0448e951ca

    SHA256

    6e8411d3bae3aeaf692d8583e2c8fca951d1087f3e30950b8565d2b05bbceb81

    SHA512

    d3375c9429dc8a9a24334f0c014b8851a8fe87325bf009a8ac4bffe150c23377169cf549831b9648acce1116b38f2e81437438b8b60515322912a8ef67b88aa2

  • C:\Windows\SysWOW64\MrHelloween.scr

    Filesize

    45KB

    MD5

    d2bf1dac64f0f51ae6169c732e9330f2

    SHA1

    35617a33410fd174c59c650f334650af8f704490

    SHA256

    fd371d37a75e9636b9f666e402d43eae0f84eceef239fbee0044a107077e740f

    SHA512

    9b9e29dca368edddcecce763f98899a301d0c4c6a0c40b9342b2d5b7c98517e05903660d9ec7de18f20332ff487d34d780055f06ff24d07f20b52b052b9fa57a

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    7a207f22604049c22e6f2be4600f3cf4

    SHA1

    b54597ff544e41620cc68d7dfde1af42149cf23d

    SHA256

    68481e3eb544c440e41f54b6bceaef399d7e507d4c6c7723b9ef46e7e7fa3edd

    SHA512

    0b3831d71a161b5c8931d5d5757c7a4983e1905c0f1f98eaf4f541b25ebc3914f98e2cdcd5efc6a0218dab8757ec75d351d2223f4b0d2a0a356c000e0a805d70

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    491f9c7600b5f4a19231199fbc474d83

    SHA1

    98c093ca643ab09ed3f313443ffa7ff12e6c1d99

    SHA256

    67335e24e79793244c8517cee326ff108965217d7558a86bc52526c88fc894da

    SHA512

    de35b3801a9fcf8254cec9cd04728a59daf3d24dad520c7d7ea421edc258e8b5096853b801ed075d6e1e6c62ea95fab779c994af0b75aa2e86638f8d24e4f288

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    1c2155cb0b34348fca7d207078831432

    SHA1

    047c1f1874445e6713d1edbc7da19a95a553ae92

    SHA256

    1c80afd0ccabb197daa3d797adde6eeb48f5906033e7160f008308c2025f56c3

    SHA512

    589eb1c53d7a51c1f7f2481cd2ae92798a4971d73567b9d5b4c4df170396298cf0487089e6af50aedfbecc6215efef6b6c393f8f2782217206550d1a55d063ee
