Overview

Score: 10

Static: 3

Behavioral tasks (sample | platform | score):
2/Activity.dll | windows7-x64 | 3
2/Activity.dll | windows10-2004-x64 | 3
2/LogViewer.exe | windows7-x64 | 10
2/LogViewer.exe | windows10-2004-x64 | 10
2/MouseHook.dll | windows7-x64 | 3
2/MouseHook.dll | windows10-2004-x64 | 3
2/RunOnce.exe | windows7-x64 | 3
2/RunOnce.exe | windows10-2004-x64 | 3
2/USBFind.dll | windows7-x64 | 3
2/USBFind.dll | windows10-2004-x64 | 3
2/iSafeProtect.dll | windows7-x64 | 3
2/iSafeProtect.dll | windows10-2004-x64 | 3
2/msadoex.dll | windows7-x64 | 1
2/msadoex.dll | windows10-2004-x64 | 1
2/pdata.exe | windows7-x64 | 1
2/pdata.exe | windows10-2004-x64 | 1
2/winsrv.exe | windows7-x64 | 10
2/winsrv.exe | windows10-2004-x64 | 10
2/zlib1d.dll | windows7-x64 | 3
2/zlib1d.dll | windows10-2004-x64 | 3

Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2025, 03:29
Tasks (task | sample | resource):
static1 | Static | -
behavioral1 | 2/Activity.dll | win7-20241010-en
behavioral2 | 2/Activity.dll | win10v2004-20250129-en
behavioral3 | 2/LogViewer.exe | win7-20240903-en
behavioral4 | 2/LogViewer.exe | win10v2004-20250129-en
behavioral5 | 2/MouseHook.dll | win7-20240903-en
behavioral6 | 2/MouseHook.dll | win10v2004-20241007-en
behavioral7 | 2/RunOnce.exe | win7-20241023-en
behavioral8 | 2/RunOnce.exe | win10v2004-20250129-en
behavioral9 | 2/USBFind.dll | win7-20240708-en
behavioral10 | 2/USBFind.dll | win10v2004-20250129-en
behavioral11 | 2/iSafeProtect.dll | win7-20240903-en
behavioral12 | 2/iSafeProtect.dll | win10v2004-20250129-en
behavioral13 | 2/msadoex.dll | win7-20241010-en
behavioral14 | 2/msadoex.dll | win10v2004-20250129-en
behavioral15 | 2/pdata.exe | win7-20240903-en
behavioral16 | 2/pdata.exe | win10v2004-20250129-en
behavioral17 | 2/winsrv.exe | win7-20240708-en
behavioral18 | 2/winsrv.exe | win10v2004-20250129-en
behavioral19 | 2/zlib1d.dll | win7-20241010-en
behavioral20 | 2/zlib1d.dll | win10v2004-20241007-en
General
- Target: 2/winsrv.exe
- Size: 1.7MB
- MD5: 4c7790bc050fd4b3f60bf7c8eb1ce93e
- SHA1: 150359dad0f31102664cc78b46938609ad97d8fa
- SHA256: b30e3949a4a572b1ea0118dede259cb75c2355f58aadfd3455f0f1aa0994d91d
- SHA512: f2845dc849e438d3aaf723f2957ea3eef90881137782edd35c1d1d5f7c5047250c0191797c349ec0741b468c8042d3c172dce9dae0c2256c05fb3b6c19990ce5
- SSDEEP: 49152:6xejPqOKQBsEuyewoaJkRRISGiQdRcDTnqj0YvI4:XPqPR+gqj0YvI4
Malware Config
Extracted family: sality
C2 URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winsrv.exe

Sality family

UAC bypass (3 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winsrv.exe

Windows security bypass (2 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsrv.exe

Windows security modification (2 TTPs, 7 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winsrv.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iSafeCW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2\\winsrv.exe" | winsrv.exe

Checks whether UAC is enabled (1 TTP, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winsrv.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\M: \??\P: \??\Z: \??\J: \??\N: \??\Q: \??\U: \??\G: \??\H: \??\I: \??\O: \??\V: \??\Y: \??\R: \??\S: \??\T: \??\W: \??\X: \??\E: \??\K: \??\L: (one event per drive letter) | winsrv.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | process
File opened for modification | C:\autorun.inf | winsrv.exe
File opened for modification | F:\autorun.inf | winsrv.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | winsrv.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | winsrv.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | winsrv.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | winsrv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | winsrv.exe

Drops file in Windows directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | winsrv.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winsrv.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | process
1064 | winsrv.exe (12 events)

Suspicious use of AdjustPrivilegeToken (30 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1064 | winsrv.exe (30 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | process
1064 | winsrv.exe (4 events)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target (distinct target processes; the 64 events repeat these rows)
PID 1064 wrote to memory of 1108 | 1064 | winsrv.exe | 19
PID 1064 wrote to memory of 1168 | 1064 | winsrv.exe | 20
PID 1064 wrote to memory of 1204 | 1064 | winsrv.exe | 21
PID 1064 wrote to memory of 376 | 1064 | winsrv.exe | 25
PID 1064 wrote to memory of 2840 | 1064 | winsrv.exe | 30
PID 1064 wrote to memory of 2300 | 1064 | winsrv.exe | 33
PID 1064 wrote to memory of 1332 | 1064 | winsrv.exe | 35
PID 1064 wrote to memory of 2320 | 1064 | winsrv.exe | 36
PID 1064 wrote to memory of 772 | 1064 | winsrv.exe | 37
PID 1064 wrote to memory of 3032 | 1064 | winsrv.exe | 39
PID 1064 wrote to memory of 1940 | 1064 | winsrv.exe | 41
PID 1064 wrote to memory of 2596 | 1064 | winsrv.exe | 43
PID 1064 wrote to memory of 2584 | 1064 | winsrv.exe | 45
PID 1064 wrote to memory of 2608 | 1064 | winsrv.exe | 46
PID 1064 wrote to memory of 2864 | 1064 | winsrv.exe | 47

System policy modification (1 TTP, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winsrv.exe
Processes (image, command line, PID; indentation shows parent/child)
- C:\Windows\system32\taskhost.exe, cmdline "taskhost.exe", PID 1108
- C:\Windows\system32\Dwm.exe, cmdline "C:\Windows\system32\Dwm.exe", PID 1168
- C:\Windows\Explorer.EXE, cmdline C:\Windows\Explorer.EXE, PID 1204
  - C:\Users\Admin\AppData\Local\Temp\2\winsrv.exe, cmdline "C:\Users\Admin\AppData\Local\Temp\2\winsrv.exe", PID 1064
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\2\pdata.exe, cmdline ".\pdata.exe" "66116" "smtp.gmail.com" "" "" "587" "1" "Email Log Test" "C:\Users\Admin\AppData\Local\Temp\2\edata.txt" "C:\Users\Admin\AppData\Local\Temp\2\Skin\testok.jpg"
      23 instances with this same command line, PIDs 2840, 2300, 1332, 772, 3032, 1940, 2596, 2584, 2864, 992, 444, 536, 1636, 1568, 3060, 2060, 2796, 2256, 584, 620, 2536, 952, 1860
- C:\Windows\system32\DllHost.exe, cmdline C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 376
- C:\Windows\system32\conhost.exe, cmdline \??\C:\Windows\system32\conhost.exe "-501969827-751299871-1738820042-9024529063023164031527139802107822848-864210678", PID 2320
- C:\Windows\system32\conhost.exe, cmdline \??\C:\Windows\system32\conhost.exe "16548851471634866647-1496645222-6653122191463227800-1140375741-12568782521987715744", PID 2608
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)