Analysis

max time kernel: 69s
max time network: 47s
platform: windows11-21h2_x64
resource: win11-20231215-en
resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-02-2024 16:39

Static task: static1
Behavioral task: behavioral1
Sample: KeePass-2.56-Setup.exe
Resource: win11-20231215-en

General

Target: KeePass-2.56-Setup.exe
Size: 4.2MB
MD5: 86a0d58d2ae89c639d940dbda48308df
SHA1: 1280f427d149a8c5ca797a9ea29e711a3fa2b5ef
SHA256: 92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef
SHA512: 9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a
SSDEEP: 98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK
Malware Config
Signatures
-
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 1532 KeePass-2.56-Setup.tmp
- 3208 ShInstUtil.exe
- 4448 ShInstUtil.exe
- 4028 ShInstUtil.exe
- 2292 KeePass.exe
-
Loads dropped DLL (10 IoCs)
Processes (pid, process):
- 2020 mscorsvw.exe
- 4240 mscorsvw.exe
- 4240 mscorsvw.exe
- 4324 mscorsvw.exe
- 3764 mscorsvw.exe
- 3764 mscorsvw.exe
- 3328 mscorsvw.exe
- 4748 mscorsvw.exe
- 2292 KeePass.exe
- 2292 KeePass.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeePass 2 PreLoad = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" --preload" (process: ShInstUtil.exe)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory (23 IoCs)
Processes (description, ioc; process is KeePass-2.56-Setup.tmp for every entry):
- File created: C:\Program Files\KeePass Password Safe 2\unins000.dat
- File created: C:\Program Files\KeePass Password Safe 2\is-DCAMU.tmp
- File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePassLibC32.dll
- File created: C:\Program Files\KeePass Password Safe 2\is-VOVAP.tmp
- File created: C:\Program Files\KeePass Password Safe 2\is-8H4NU.tmp
- File created: C:\Program Files\KeePass Password Safe 2\is-AKCG8.tmp
- File created: C:\Program Files\KeePass Password Safe 2\XSL\is-E4K37.tmp
- File created: C:\Program Files\KeePass Password Safe 2\XSL\is-MKND5.tmp
- File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePass.chm
- File opened for modification: C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
- File created: C:\Program Files\KeePass Password Safe 2\is-S92VJ.tmp
- File created: C:\Program Files\KeePass Password Safe 2\is-G4FQ4.tmp
- File created: C:\Program Files\KeePass Password Safe 2\is-FIRNC.tmp
- File created: C:\Program Files\KeePass Password Safe 2\is-MP64Q.tmp
- File created: C:\Program Files\KeePass Password Safe 2\is-RMFIM.tmp
- File created: C:\Program Files\KeePass Password Safe 2\XSL\is-450OO.tmp
- File created: C:\Program Files\KeePass Password Safe 2\XSL\is-S1PAN.tmp
- File opened for modification: C:\Program Files\KeePass Password Safe 2\unins000.dat
- File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePass.exe
- File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
- File opened for modification: C:\Program Files\KeePass Password Safe 2\KeePassLibC64.dll
- File created: C:\Program Files\KeePass Password Safe 2\is-73BU9.tmp
- File created: C:\Program Files\KeePass Password Safe 2\XSL\is-732MV.tmp
-
Drops file in Windows directory (12 IoCs)
Processes (description, ioc; process is mscorsvw.exe for every entry):
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d00-0\System.Runtime.Serialization.Formatters.Soap.dll
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\f303a963447fcb6b2307b72edab46e58\KeePass.ni.exe.aux.tmp
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.aux.tmp
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\eb4-0\System.Deployment.dll
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dll.aux.tmp
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10e4-0\System.Numerics.dll
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux.tmp
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\128c-0\KeePass.exe
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7e4-0\System.Data.SqlXml.dll
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1090-0\System.Security.dll
- File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux.tmp
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (46 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\ = "&Open with KeePass Password Safe" (process: KeePass-2.56-Setup.tmp)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (process: KeePass.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" (process: KeePass.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile (process: KeePass-2.56-Setup.tmp)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\",0" (process: KeePass-2.56-Setup.tmp)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" (process: KeePass.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (process: KeePass.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\ = "KeePass Database" (process: KeePass-2.56-Setup.tmp)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\AlwaysShowExt (process: KeePass-2.56-Setup.tmp)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 (process: KeePass.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx\ = "kdbxfile" (process: KeePass-2.56-Setup.tmp)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (process: KeePass.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" (process: KeePass.exe)
- Key created: \Registry\User\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\NotificationData (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" (process: KeePass.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon (process: KeePass-2.56-Setup.tmp)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 (process: KeePass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" (process: KeePass.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx (process: KeePass-2.56-Setup.tmp)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open (process: KeePass-2.56-Setup.tmp)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" \"%1\"" (process: KeePass-2.56-Setup.tmp)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: KeePass.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (process: KeePass.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} (process: KeePass.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell (process: KeePass-2.56-Setup.tmp)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command (process: KeePass-2.56-Setup.tmp)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1532 KeePass-2.56-Setup.tmp
- 1532 KeePass-2.56-Setup.tmp
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 2292 KeePass.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2292 KeePass.exe
-
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes (pid, process):
- 1532 KeePass-2.56-Setup.tmp
- 2292 KeePass.exe
- 2292 KeePass.exe
- 2292 KeePass.exe
- 2292 KeePass.exe
-
Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid, process):
- 2292 KeePass.exe
- 2292 KeePass.exe
- 2292 KeePass.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 2292 KeePass.exe
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
- PID 2016 wrote to memory of 1532: 2016 KeePass-2.56-Setup.exe -> KeePass-2.56-Setup.tmp
- PID 2016 wrote to memory of 1532: 2016 KeePass-2.56-Setup.exe -> KeePass-2.56-Setup.tmp
- PID 2016 wrote to memory of 1532: 2016 KeePass-2.56-Setup.exe -> KeePass-2.56-Setup.tmp
- PID 1532 wrote to memory of 3208: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 3208: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 3208: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 4448: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 4448: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 4448: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 4028: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 4028: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 1532 wrote to memory of 4028: 1532 KeePass-2.56-Setup.tmp -> ShInstUtil.exe
- PID 4028 wrote to memory of 2108: 4028 ShInstUtil.exe -> ngen.exe
- PID 4028 wrote to memory of 2108: 4028 ShInstUtil.exe -> ngen.exe
- PID 4028 wrote to memory of 4688: 4028 ShInstUtil.exe -> ngen.exe
- PID 4028 wrote to memory of 4688: 4028 ShInstUtil.exe -> ngen.exe
- PID 1532 wrote to memory of 2292: 1532 KeePass-2.56-Setup.tmp -> KeePass.exe
- PID 1532 wrote to memory of 2292: 1532 KeePass-2.56-Setup.tmp -> KeePass.exe
Processes
-
Process tree (the number in brackets is the depth in the tree; each entry gives the image path, the command line, and the signatures triggered by that process):

[1] C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\is-UAM98.tmp\KeePass-2.56-Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-UAM98.tmp\KeePass-2.56-Setup.tmp" /SL5="$40234,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        Command line: "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check
        - Executes dropped EXE

    [3] C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        Command line: "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
        - Executes dropped EXE
        - Adds Run key to start application

    [3] C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        Command line: "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1d0 -Comment "NGen Worker Process"
            - Loads dropped DLL
            - Drops file in Windows directory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
            - Loads dropped DLL
            - Drops file in Windows directory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 28c -Pipe 1e8 -Comment "NGen Worker Process"
            - Loads dropped DLL
            - Drops file in Windows directory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 298 -Pipe 2c0 -Comment "NGen Worker Process"
            - Loads dropped DLL
            - Drops file in Windows directory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
            - Loads dropped DLL
            - Drops file in Windows directory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
            - Loads dropped DLL
            - Drops file in Windows directory

    [3] C:\Program Files\KeePass Password Safe 2\KeePass.exe
        Command line: "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads