Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 03:28
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 0cf5390295c3b5cd1e4d8fa29ec624aa.exe; Resource: win7-20231129-en)
- Behavioral task: behavioral2 (Sample: 0cf5390295c3b5cd1e4d8fa29ec624aa.exe; Resource: win10v2004-20231215-en)
General
- Target: 0cf5390295c3b5cd1e4d8fa29ec624aa.exe
- Size: 271KB
- MD5: 0cf5390295c3b5cd1e4d8fa29ec624aa
- SHA1: 569323435ee0fdff12cb927a0583636591342846
- SHA256: 3648ed90c126b451398fb10a2aaa053c21960c9a6451300f9dd9b84c973c2d58
- SHA512: 33d285497e6880bbb9b5ac0f7abd0acb9997439f4eeacf4499406a0ee4828a7f42ae1384bb6ff765264985ddd094f5be76a657f3bd7591ff228610cc4e302043
- SSDEEP: 6144:bUrqA3AheuswyPnDh4+AVx1OSu4u/mRMnxaHnb0sK5R2:bUWA3AheuswyLhDax8Snu/aMxKrl
Malware Config
Signatures
Executes dropped EXE 7 IoCs
pid  | Process
1884 | start.exe
2276 | csrss.exe
2764 | winlogon32.exe
2596 | winlogon32.exe
1160 | winlogon32.exe
2108 | winlogon32.exe
600  | winlogon32.exe
Loads dropped DLL 11 IoCs
pid  | Process
1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe
1884 | start.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
1884 | start.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Logon Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\winlogon32.exe" | winlogon32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Logon Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\winlogon32.exe" | winlogon32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Logon Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\winlogon32.exe" | winlogon32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Logon Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\winlogon32.exe" | winlogon32.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\MSWINSCK.dep | start.exe
File created | C:\Windows\SysWOW64\stdole2.tlb | start.exe
File created | C:\Windows\SysWOW64\comcat.dll | start.exe
File created | C:\Windows\SysWOW64\MSWINSCK.ocx | start.exe
File opened for modification | C:\Windows\SysWOW64\MSWINSCK.ocx | start.exe
File created | C:\Windows\SysWOW64\MSWINSCK.oca | start.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | csrss.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid  | Process
1884 | start.exe
1884 | start.exe
1884 | start.exe
2276 | csrss.exe
2276 | csrss.exe
2764 | winlogon32.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
1160 | winlogon32.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
2108 | winlogon32.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
2276 | csrss.exe
600  | winlogon32.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid  | Process
2744 | DllHost.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid  | Process
1884 | start.exe
2276 | csrss.exe
2764 | winlogon32.exe
2596 | winlogon32.exe
1160 | winlogon32.exe
2108 | winlogon32.exe
600  | winlogon32.exe
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1328 wrote to memory of 1884 | 1328 | 0cf5390295c3b5cd1e4d8fa29ec624aa.exe | 23
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 1884 wrote to memory of 2276 | 1884 | start.exe | 22
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 2276 wrote to memory of 2764 | 2276 | csrss.exe | 21
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 1884 wrote to memory of 2596 | 1884 | start.exe | 20
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 1160 | 2276 | csrss.exe | 33
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 2108 | 2276 | csrss.exe | 36
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
PID 2276 wrote to memory of 600 | 2276 | csrss.exe | 37
Processes
C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1328

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe" o6 (Small).jpg
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1884

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 2744

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2596

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2764

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2276

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1160

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2108

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 600
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 21KB
  MD5: 1c239f9c061f5c84874481d2c876bf80
  SHA1: 9d72e36fdc6569cd407af822c548c462227248cd
  SHA256: 9fd77d86e00a5bec45f3825d4f7c8965b6b9d54ec161c10d0c0d23e36493ab88
  SHA512: cdc7ea38e32ffff5c5e617ec9d3306d64ca8eab44561146d9e1213d83afee80aa95f05b184374eb5356e552b40825b0f0bc260be0c1238579c6520fa1c80d5c8
- Filesize: 92KB
  MD5: cee3f0d67777d0f3af6afb902f076ee8
  SHA1: aa0a06932aebaacff28b380d236af29e4b3d818e
  SHA256: ff4efb994bd4492347d4014274ed8919c4cbb26fdb40563206dd97e349dde780
  SHA512: 592d1ef6e34465ebb0b70f4bf5ce11aa6c67bd3af46bac973b09f5bf85f6b0c8d48f18e6fad3906ef112b1be5be592d1e48b63863c92036dbbaec4aaad7edebb
- Filesize: 40KB
  MD5: 9e8de391f13042eaf1e3e0535cd2a0c2
  SHA1: 5f1557e5da87529718382ce2c6daae381b0fab25
  SHA256: 07660ac4b6a788014bb09130a53dc02fac545002b9d31ef13d811b29117d42a8
  SHA512: f71a8a22cc099c940dee6e7e5a0eaa36cac8c60d39f167777283b5753f9b4a1f2c74b96f5161a703e16370bb98afe9ad73404408f0ab4f81fbcb6f58b3ac4544
- Filesize: 56KB
  MD5: 18a6ce8b4b65d96cd25e5d9052f135d7
  SHA1: aa17693a96a928069458facf79d5f2b9bd1b21f7
  SHA256: 4264386d61a9d6938f6ef76dd8bdd73f589b948e67b08d3334051429a3fffe1d
  SHA512: 8b9a269ac3984ff69b2bb7d0302ec288b208b76d3c190d0a3c07b03695a15f2648f0e322c6bfb82bdd36465e89ed47f87bf4a937dcdb20f4ed137f124de950cc