Overview
overview
7Static
static
1★Full Mo...5].rar
windows7-x64
3★Full Mo...5].rar
windows10-2004-x64
3★ Full M...47.mdl
windows7-x64
3★ Full M...47.mdl
windows10-2004-x64
3★ Full M...ug.mdl
windows7-x64
3★ Full M...ug.mdl
windows10-2004-x64
3★ Full M...c4.mdl
windows7-x64
3★ Full M...c4.mdl
windows10-2004-x64
3★ Full M...le.mdl
windows7-x64
3★ Full M...le.mdl
windows10-2004-x64
3★ Full M...te.mdl
windows7-x64
3★ Full M...te.mdl
windows10-2004-x64
3★ Full M...as.mdl
windows7-x64
★ Full M...as.mdl
windows10-2004-x64
7★ Full M...en.mdl
windows7-x64
3★ Full M...en.mdl
windows10-2004-x64
3★ Full M...g1.mdl
windows7-x64
3★ Full M...g1.mdl
windows10-2004-x64
3★ Full M...il.mdl
windows7-x64
3★ Full M...il.mdl
windows10-2004-x64
3★ Full M...18.mdl
windows7-x64
3★ Full M...18.mdl
windows10-2004-x64
3★ Full M...49.mdl
windows7-x64
3★ Full M...49.mdl
windows10-2004-x64
3★ Full M...m3.mdl
windows7-x64
3★ Full M...m3.mdl
windows10-2004-x64
3★ Full M...a1.mdl
windows7-x64
3★ Full M...a1.mdl
windows10-2004-x64
3★ Full M...10.mdl
windows7-x64
3★ Full M...10.mdl
windows10-2004-x64
3★ Full M...p5.mdl
windows7-x64
3★ Full M...p5.mdl
windows10-2004-x64
3Analysis
-
max time kernel
1105s -
max time network
847s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/04/2024, 13:33
Static task
static1
Behavioral task
behavioral1
Sample
★Full Models★ No Recoil [UCP 8.5].rar
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
★Full Models★ No Recoil [UCP 8.5].rar
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_ak47.mdl
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_ak47.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_aug.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_aug.mdl
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_c4.mdl
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral8
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_c4.mdl
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_deagle.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_deagle.mdl
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_elite.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_elite.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_famas.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_famas.mdl
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_fiveseven.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_fiveseven.mdl
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_g3sg1.mdl
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_g3sg1.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_galil.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_galil.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_glock18.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_glock18.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_m249.mdl
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral24
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_m249.mdl
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_m3.mdl
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral26
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_m3.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_m4a1.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_m4a1.mdl
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_mac10.mdl
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral30
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_mac10.mdl
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_mp5.mdl
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_mp5.mdl
Resource
win10v2004-20240419-en
windows10-2004-x64
Errors
General
-
Target
★ Full Models No-Recoil★ [2018] by Sami khalil/models/v_famas.mdl
-
Size
229KB
-
MD5
5f8f5d01b1ce72308b30b38b210078ad
-
SHA1
7a2ea961f246d54629d747a98760fc15dc364214
-
SHA256
9a054ce1ab569bd43160f001c567036278d4d17cadec75e15a7f96a3223cb93f
-
SHA512
8ee7c71ff7f3244b7639d5f99e0ec75a218f2086c70d2bd77db242a39eccafcddb9aef7465d139873b39b378ef1d9edc9f6173af58ebbc34801f0a6893afa4b5
-
SSDEEP
6144:kHCfO2FAPHhWtUNhRORJsqEZDDMym6kLcB:9O2FA5GEsi7DMym9LE
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 32 IoCs
description ioc Process Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe -
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.mdl rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.mdl\ = "mdl_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\mdl_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\mdl_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\mdl_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\mdl_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\mdl_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\mdl_auto_file rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2680 AcroRd32.exe 1288 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1288 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe 1288 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2680 AcroRd32.exe 2680 AcroRd32.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2580 1704 cmd.exe 29 PID 1704 wrote to memory of 2580 1704 cmd.exe 29 PID 1704 wrote to memory of 2580 1704 cmd.exe 29 PID 2580 wrote to memory of 2680 2580 rundll32.exe 30 PID 2580 wrote to memory of 2680 2580 rundll32.exe 30 PID 2580 wrote to memory of 2680 2580 rundll32.exe 30 PID 2580 wrote to memory of 2680 2580 rundll32.exe 30 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2208 wrote to memory of 608 2208 winlogon.exe 40 PID 2208 wrote to memory of 608 2208 winlogon.exe 40 PID 2208 wrote to memory of 608 2208 winlogon.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40 PID 2240 wrote to memory of 608 2240 csrss.exe 40
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\★ Full Models No-Recoil★ [2018] by Sami khalil\models\v_famas.mdl"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\★ Full Models No-Recoil★ [2018] by Sami khalil\models\v_famas.mdl2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\★ Full Models No-Recoil★ [2018] by Sami khalil\models\v_famas.mdl"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:2908
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2240
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵PID:608
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50481a4ffc01777e95dea3ff151dd9804
SHA1c4e5649a34661059bd03578bcf8b983047a6f101
SHA2568a66e6195ebb5f05318b31f2bfcb00334c4ce6b20453ea9cc5291e533fa381ae
SHA512ae586de1c40e107663dd6b7cd01e5de68d61930cf0380a9ebd9a78e052120f108020aa1d9a15945141abb3a061e04bb0cb177e0c9520027f3bd5dca29d070021