6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147

General

Target

6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Size

1.2MB
MD5

58010c6fccca5b5171ac50010463f445
SHA1

36c893c29d912c48ed4d43e27f700ce567b1dc8f
SHA256

6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147
SHA512

287107fbcab362d75c8c391467e70ed8094d812673d28af3dc64e0435eb1c0048f9dba7dd1101710fed753d4fe70553c48c545c9b14edc582bc9ac2495ca92e2
SSDEEP

24576:Ue2nWypX1kJy7IqvMhxeCqvPqRk/9dC2JkXzfPlcTPEZak86X9bo7/CCWU0:ULJpXwULnPkkXRJYnOLEZak1X9kqnU

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

360 bcdedit.exe

pid	process
360	bcdedit.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe

pid	process
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe

description	pid	process
Token: SeDebugPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: SeIncBasePriorityPrivilege	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
Token: 33	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3312 LogonUI.exe

pid	process
3312	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.execmd.exe

description	pid	process	target process
PID 4344 wrote to memory of 1944	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe	cmd.exe
PID 4344 wrote to memory of 1944	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe	cmd.exe
PID 1944 wrote to memory of 360	1944	cmd.exe	bcdedit.exe
PID 1944 wrote to memory of 360	1944	cmd.exe	bcdedit.exe
PID 4344 wrote to memory of 4992	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe	shutdown.exe
PID 4344 wrote to memory of 4992	4344	6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe
"C:\Users\Admin\AppData\Local\Temp\6f6a760ef58007ea4dbe02cfca8e2c7bbbb038f2b6558eb8e1870208ce780147.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set safeboot network
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\bcdedit.exe
bcdedit /set safeboot network
3⤵
- Modifies boot configuration data using bcdedit
PID:360

C:\Windows\SYSTEM32\shutdown.exe
shutdown -r -t 00
2⤵
PID:4992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3bc 0x408
1⤵
PID:3200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3975855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-136-0x0000000000000000-mapping.dmp

Download
memory/1944-135-0x0000000000000000-mapping.dmp

Download
memory/4344-132-0x0000000000550000-0x000000000067E000-memory.dmp

Filesize
1.2MB

Download
memory/4344-133-0x00007FFE7DD50000-0x00007FFE7E811000-memory.dmp

Filesize
10.8MB

Download
memory/4344-134-0x00007FFE7DD50000-0x00007FFE7E811000-memory.dmp

Filesize
10.8MB

Download
memory/4344-138-0x00007FFE7DD50000-0x00007FFE7E811000-memory.dmp

Filesize
10.8MB

Download
memory/4992-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads