078a5b83715a80fcda2eaf747eb0182112ab26a7452b9269c33bcdc0eb27e4cc

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0426e127ef19d4437485770e83ad1820N.exe
Size

91KB
MD5

0426e127ef19d4437485770e83ad1820
SHA1

ee9fa33dd1990e868ef637c5f22c333a3dd79fb4
SHA256

078a5b83715a80fcda2eaf747eb0182112ab26a7452b9269c33bcdc0eb27e4cc
SHA512

534a1092995a77d52084c2472c5e51a01ebcc291d6eb272568792c649f7701a3511a2f161023dec916b2a76407d9e1f350cf755275249345e893ac72e04136b9
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu53gRYjXbUeHORIC4Z2:uT3OA3+KQsxfS48T3OA3+KQsxfS4q

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	0426e127ef19d4437485770e83ad1820N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0426e127ef19d4437485770e83ad1820N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0426e127ef19d4437485770e83ad1820N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0426e127ef19d4437485770e83ad1820N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0426e127ef19d4437485770e83ad1820N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2680	xk.exe
1540	IExplorer.exe
1680	WINLOGON.EXE
840	CSRSS.EXE
2036	SERVICES.EXE
1260	LSASS.EXE
2944	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe
2580	0426e127ef19d4437485770e83ad1820N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	0426e127ef19d4437485770e83ad1820N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	0426e127ef19d4437485770e83ad1820N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	0426e127ef19d4437485770e83ad1820N.exe
File created	C:\Windows\SysWOW64\shell.exe	0426e127ef19d4437485770e83ad1820N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	0426e127ef19d4437485770e83ad1820N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	0426e127ef19d4437485770e83ad1820N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	0426e127ef19d4437485770e83ad1820N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	0426e127ef19d4437485770e83ad1820N.exe
File created	C:\Windows\xk.exe	0426e127ef19d4437485770e83ad1820N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0426e127ef19d4437485770e83ad1820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0426e127ef19d4437485770e83ad1820N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0426e127ef19d4437485770e83ad1820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0426e127ef19d4437485770e83ad1820N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2580	0426e127ef19d4437485770e83ad1820N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2580	0426e127ef19d4437485770e83ad1820N.exe
2680	xk.exe
1540	IExplorer.exe
1680	WINLOGON.EXE
840	CSRSS.EXE
2036	SERVICES.EXE
1260	LSASS.EXE
2944	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2680	2580	0426e127ef19d4437485770e83ad1820N.exe	30
PID 2580 wrote to memory of 2680	2580	0426e127ef19d4437485770e83ad1820N.exe	30
PID 2580 wrote to memory of 2680	2580	0426e127ef19d4437485770e83ad1820N.exe	30
PID 2580 wrote to memory of 2680	2580	0426e127ef19d4437485770e83ad1820N.exe	30
PID 2580 wrote to memory of 1540	2580	0426e127ef19d4437485770e83ad1820N.exe	31
PID 2580 wrote to memory of 1540	2580	0426e127ef19d4437485770e83ad1820N.exe	31
PID 2580 wrote to memory of 1540	2580	0426e127ef19d4437485770e83ad1820N.exe	31
PID 2580 wrote to memory of 1540	2580	0426e127ef19d4437485770e83ad1820N.exe	31
PID 2580 wrote to memory of 1680	2580	0426e127ef19d4437485770e83ad1820N.exe	32
PID 2580 wrote to memory of 1680	2580	0426e127ef19d4437485770e83ad1820N.exe	32
PID 2580 wrote to memory of 1680	2580	0426e127ef19d4437485770e83ad1820N.exe	32
PID 2580 wrote to memory of 1680	2580	0426e127ef19d4437485770e83ad1820N.exe	32
PID 2580 wrote to memory of 840	2580	0426e127ef19d4437485770e83ad1820N.exe	33
PID 2580 wrote to memory of 840	2580	0426e127ef19d4437485770e83ad1820N.exe	33
PID 2580 wrote to memory of 840	2580	0426e127ef19d4437485770e83ad1820N.exe	33
PID 2580 wrote to memory of 840	2580	0426e127ef19d4437485770e83ad1820N.exe	33
PID 2580 wrote to memory of 2036	2580	0426e127ef19d4437485770e83ad1820N.exe	34
PID 2580 wrote to memory of 2036	2580	0426e127ef19d4437485770e83ad1820N.exe	34
PID 2580 wrote to memory of 2036	2580	0426e127ef19d4437485770e83ad1820N.exe	34
PID 2580 wrote to memory of 2036	2580	0426e127ef19d4437485770e83ad1820N.exe	34
PID 2580 wrote to memory of 1260	2580	0426e127ef19d4437485770e83ad1820N.exe	35
PID 2580 wrote to memory of 1260	2580	0426e127ef19d4437485770e83ad1820N.exe	35
PID 2580 wrote to memory of 1260	2580	0426e127ef19d4437485770e83ad1820N.exe	35
PID 2580 wrote to memory of 1260	2580	0426e127ef19d4437485770e83ad1820N.exe	35
PID 2580 wrote to memory of 2944	2580	0426e127ef19d4437485770e83ad1820N.exe	36
PID 2580 wrote to memory of 2944	2580	0426e127ef19d4437485770e83ad1820N.exe	36
PID 2580 wrote to memory of 2944	2580	0426e127ef19d4437485770e83ad1820N.exe	36
PID 2580 wrote to memory of 2944	2580	0426e127ef19d4437485770e83ad1820N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0426e127ef19d4437485770e83ad1820N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	0426e127ef19d4437485770e83ad1820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0426e127ef19d4437485770e83ad1820N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0426e127ef19d4437485770e83ad1820N.exe

C:\Users\Admin\AppData\Local\Temp\0426e127ef19d4437485770e83ad1820N.exe
"C:\Users\Admin\AppData\Local\Temp\0426e127ef19d4437485770e83ad1820N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2580
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2680
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:840
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1260
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
0426e127ef19d4437485770e83ad1820

SHA1
ee9fa33dd1990e868ef637c5f22c333a3dd79fb4

SHA256
078a5b83715a80fcda2eaf747eb0182112ab26a7452b9269c33bcdc0eb27e4cc

SHA512
534a1092995a77d52084c2472c5e51a01ebcc291d6eb272568792c649f7701a3511a2f161023dec916b2a76407d9e1f350cf755275249345e893ac72e04136b9

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
aaa3f06873ceded316b4ec327dc9685a

SHA1
24857c7845fb2cd63068bce503f0c39fa7bf8484

SHA256
4668d9d306b8c33bdd9fe1d82851641fa5fd1ce5aea1fdfe02290d115572744f

SHA512
6a98e7aaafdf405e7a14a5600a1047e97c96fc2a559560ef8c26611169f8a2e69df043625f70fbde6e187dda6ec917672af01da807839a14252d655c7e10f60f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
4e82be6f2ca0fed0602a82f6b31f6cd8

SHA1
bd2a318c19722bcf94ef22b0e6f0cf2f18fd4fbd

SHA256
4865300544fddc62c5149ac0b828a11b2b1419abab79ace28bc8fe054d936ec2

SHA512
d4248024645d435bbc58dc31753568b060b3689488d5188b367a1a4a2f8d002f76ad81e0d0ac618b7041e582cf973e0c61e95da250a9fdf9add587a6aaeaeeb1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
b636c0aabb53ca9bccd3aa94f961681f

SHA1
f197b968d8a63bedd22af137a37154e63028cb3b

SHA256
660a8534d231ca07f48b9c3b647bb5040b2b40dfc2610a02aab692435953d383

SHA512
3e9fc028219739fc1adb4fae158818a55d068e46ab1fbcd15f5edd8103bc33bddb1be46d9231144b5eadb9cb8f231accb57fdaa12f2724e7bd2804c4e34e9248

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
2db7edeba400f296b0275d19b3b8661c

SHA1
1205e51b62974d364d8020d4dc55974711e4a0cf

SHA256
8da355971e77f7b2625ee84020a74d9699ae0e667052d62132035fa48f2108f7

SHA512
7f2b97b5039eacb85881f38aacb8ebea435f2d144fdadf4be5f632107113e01695ef466a81d41eb1632ae9500a9bb3bff6946bb4f49b55f4cb2a39bc3283305b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
b452ab58dbd4c5c4b1c59bcf6013a83e

SHA1
7f2cbee0db9b4ec162f36f7d1442adbcdcbaa91b

SHA256
1cf1e00253972d4074661e0c4a3d28ca1ca8a698d38f4bbbcaf99c3af3aeb3e3

SHA512
d7c8ce73abe8ed297ef84d5247dde2f933a34f1c0d06e3d20d55d846376b18099eca57009ea189bdb7f0be6a729b037add65b40226d6866aa6856458f74d183a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
0905129c48f267aafbae6afcd3e5b205

SHA1
4c0f5e8262cc1c0088e66945e480e17747cd66a9

SHA256
6b47e4a84623a43a1547803a7aca0c10a1cdb64ff1266de4d7b6ac6a738f79f8

SHA512
f212f6538f96b90561cb22736fc628adf1d0bc79a3661f9f5c5132909861edde3e2528adacf05b22ad205ec4998257818a66a3df9bebd46b623c08305b8c3ade

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
36ac8d17da8eae378e72358f9e4be9f1

SHA1
f46a23a457c390b778df103b0250abae8a5abc5a

SHA256
f03a058ae60fafc32a0516a3f444cc762a5cb73ac23fadc889f8b738b8e0fe40

SHA512
4965329106503b79ac5378845faaaf629d31abe96eab8a4bacccb56b91176400b771859056518d2b58b0b5e6740b9359814b931c094973c64f913211427f9dce

Download Submit
memory/840-164-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/840-160-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1260-191-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1260-187-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1540-132-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1540-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1540-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1680-147-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1680-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2036-176-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2036-177-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2036-172-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2580-113-0x0000000001EB0000-0x0000000001EDC000-memory.dmp

Filesize
176KB

Download
memory/2580-198-0x0000000001EB0000-0x0000000001EDC000-memory.dmp

Filesize
176KB

Download
memory/2580-136-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2580-131-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2580-129-0x0000000001EB0000-0x0000000001EDC000-memory.dmp

Filesize
176KB

Download
memory/2580-207-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-112-0x0000000001EB0000-0x0000000001EDC000-memory.dmp

Filesize
176KB

Download
memory/2580-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2580-208-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2580-141-0x0000000001EB0000-0x0000000001EDC000-memory.dmp

Filesize
176KB

Download
memory/2580-181-0x0000000001EB0000-0x0000000001EDC000-memory.dmp

Filesize
176KB

Download
memory/2580-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2580-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2680-116-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2680-115-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2680-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2680-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-200-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2944-205-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download