Analysis
-
max time kernel
97s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-05-2024 13:17
Static task
static1
Behavioral task
behavioral1
Sample
KeePass-2.56-Setup.exe
Resource
win11-20240419-en
General
-
Target
KeePass-2.56-Setup.exe
-
Size
4.2MB
-
MD5
86a0d58d2ae89c639d940dbda48308df
-
SHA1
1280f427d149a8c5ca797a9ea29e711a3fa2b5ef
-
SHA256
92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef
-
SHA512
9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a
-
SSDEEP
98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
Processes:
KeePass-2.56-Setup.tmpShInstUtil.exeShInstUtil.exeShInstUtil.exeKeePass.exeKeePass.exepid process 4816 KeePass-2.56-Setup.tmp 4584 ShInstUtil.exe 4512 ShInstUtil.exe 3980 ShInstUtil.exe 1292 KeePass.exe 4604 KeePass.exe -
Loads dropped DLL 11 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeKeePass.exeKeePass.exepid process 5064 mscorsvw.exe 3008 mscorsvw.exe 3008 mscorsvw.exe 2264 mscorsvw.exe 1660 mscorsvw.exe 1660 mscorsvw.exe 4336 mscorsvw.exe 3172 mscorsvw.exe 1292 KeePass.exe 4604 KeePass.exe 4604 KeePass.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ShInstUtil.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeePass 2 PreLoad = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" --preload" ShInstUtil.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 23 IoCs
Processes:
KeePass-2.56-Setup.tmpdescription ioc process File created C:\Program Files\KeePass Password Safe 2\XSL\is-916Q6.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\XSL\is-9560U.tmp KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\unins000.dat KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\unins000.dat KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-KLMMK.tmp KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\KeePass.exe KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-F23SB.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\XSL\is-SJM2T.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-S2IHU.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-2IIUC.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-3M9NO.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-GEBUS.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-GIGBO.tmp KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\KeePassLibC64.dll KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\KeePassLibC32.dll KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-JD66A.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-PB3AU.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\XSL\is-8H51Q.tmp KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\XSL\is-G9B9G.tmp KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\KeePass.chm KeePass-2.56-Setup.tmp File opened for modification C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll KeePass-2.56-Setup.tmp File created C:\Program Files\KeePass Password Safe 2\is-9JCQD.tmp KeePass-2.56-Setup.tmp -
Drops file in Windows directory 12 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedescription ioc process File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8d8-0\System.Numerics.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\67c-0\System.Deployment.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10f0-0\System.Runtime.Serialization.Formatters.Soap.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c64-0\KeePass.exe mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\f303a963447fcb6b2307b72edab46e58\KeePass.ni.exe.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13c8-0\System.Data.SqlXml.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bc0-0\System.Security.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp mscorsvw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 46 IoCs
Processes:
KeePass-2.56-Setup.tmpKeePass.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command KeePass-2.56-Setup.tmp Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff KeePass.exe Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" KeePass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\ = "&Open with KeePass Password Safe" KeePass-2.56-Setup.tmp Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" KeePass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\ = "KeePass Database" KeePass-2.56-Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell KeePass-2.56-Setup.tmp Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 KeePass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx\ = "kdbxfile" KeePass-2.56-Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile KeePass-2.56-Setup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\AlwaysShowExt KeePass-2.56-Setup.tmp Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" KeePass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open KeePass-2.56-Setup.tmp Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" KeePass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx KeePass-2.56-Setup.tmp Key created \Registry\User\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\NotificationData KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" KeePass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" \"%1\"" KeePass-2.56-Setup.tmp Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" KeePass.exe Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" KeePass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon KeePass-2.56-Setup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\",0" KeePass-2.56-Setup.tmp Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff KeePass.exe Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 KeePass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} KeePass.exe Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg KeePass.exe Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" KeePass.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
KeePass-2.56-Setup.tmpKeePass.exepid process 4816 KeePass-2.56-Setup.tmp 4816 KeePass-2.56-Setup.tmp 4604 KeePass.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
KeePass.exeKeePass.exepid process 1292 KeePass.exe 4604 KeePass.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
KeePass.exeKeePass.exedescription pid process Token: SeDebugPrivilege 1292 KeePass.exe Token: SeDebugPrivilege 4604 KeePass.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
KeePass-2.56-Setup.tmpKeePass.exeKeePass.exepid process 4816 KeePass-2.56-Setup.tmp 1292 KeePass.exe 1292 KeePass.exe 1292 KeePass.exe 1292 KeePass.exe 4604 KeePass.exe 4604 KeePass.exe 4604 KeePass.exe -
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
KeePass.exeKeePass.exepid process 1292 KeePass.exe 1292 KeePass.exe 1292 KeePass.exe 4604 KeePass.exe 4604 KeePass.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
KeePass.exepid process 4604 KeePass.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
KeePass-2.56-Setup.exeKeePass-2.56-Setup.tmpShInstUtil.exedescription pid process target process PID 1812 wrote to memory of 4816 1812 KeePass-2.56-Setup.exe KeePass-2.56-Setup.tmp PID 1812 wrote to memory of 4816 1812 KeePass-2.56-Setup.exe KeePass-2.56-Setup.tmp PID 1812 wrote to memory of 4816 1812 KeePass-2.56-Setup.exe KeePass-2.56-Setup.tmp PID 4816 wrote to memory of 4584 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 4584 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 4584 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 4512 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 4512 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 4512 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 3980 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 3980 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 4816 wrote to memory of 3980 4816 KeePass-2.56-Setup.tmp ShInstUtil.exe PID 3980 wrote to memory of 5076 3980 ShInstUtil.exe ngen.exe PID 3980 wrote to memory of 5076 3980 ShInstUtil.exe ngen.exe PID 3980 wrote to memory of 428 3980 ShInstUtil.exe ngen.exe PID 3980 wrote to memory of 428 3980 ShInstUtil.exe ngen.exe PID 4816 wrote to memory of 1292 4816 KeePass-2.56-Setup.tmp KeePass.exe PID 4816 wrote to memory of 1292 4816 KeePass-2.56-Setup.tmp KeePass.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-OJE25.tmp\KeePass-2.56-Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-OJE25.tmp\KeePass-2.56-Setup.tmp" /SL5="$4023E,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check3⤵
- Executes dropped EXE
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 28c -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 288 -Pipe 1c8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2ac -Pipe 1e8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 284 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe"C:\Program Files\KeePass Password Safe 2\KeePass.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe"C:\Program Files\KeePass Password Safe 2\KeePass.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dllFilesize
448KB
MD589e19d93a58fac5db151666e4babd019
SHA118295f15fa79fe345aa81c894f88c9a0b9e5fffe
SHA2560a9fb364207de3ff6b072b63c3ef35929db58c77f8cca5bc11c61b9d195207f0
SHA5129c1df97295d656b8af5ac82c4c3050bb86daade360e38cb0dbeacba6cc5094288ad2537585b9824812bb9755547eb287ca500137b6117b3150007fa6e4847cc0
-
C:\Program Files\KeePass Password Safe 2\KeePass.config.xmlFilesize
252B
MD5ac0f1e104f82d295c27646bfff39fecc
SHA134309b00045503fce52adf638ec8be5f32cb6b1d
SHA256c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440
SHA512be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839
-
C:\Program Files\KeePass Password Safe 2\KeePass.exeFilesize
3.1MB
MD5b4250862f4d1f151d2edc123ab2c8a77
SHA1ed1a56b9d794c2b695bf5d587fdf6cdb121a56fa
SHA25609d730282184ec2ba4cc8c1c089837b323e7b6bab0101206e206455d903e4d2a
SHA512e3263cc43f88764626f81f6987de40d707c0a80d74443ac08d7f285e2827ebf325accf9479d499938dad03fa5817544866e72e1c1d1c74bb81d5e04b731ac2ba
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe.configFilesize
763B
MD5ff0c23b97df708cca2030a96c914c3a9
SHA18523b7b505f770e5f6ad6561e16a4ecdf2f28ab5
SHA2563348d697fe118aaa0fdd36087c5105d9b9af14abfd0fb10568c118941637c26e
SHA51233af19712cbb57ef3fb74ac0745e097b7aadd2f65cb9073ff52575604d85292206a7687d7104b18ae21fddafed3b12a73c110a491927a478e127ac09a5029265
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exeFilesize
94KB
MD5f5d989c6a6afc473b8c5e2c4cf1586a5
SHA14607715357d9b869511e50073f75f7f65aea3e0e
SHA256783053f791ac52c7e5600209a5c83c18419d4dd093be9541839d38549f13f91b
SHA512fed81e10aaa6d6fc0d957436b43d1303b5f0736037aa4c0ec69d0b528db6c366ad71c295f1f64eabc89416e7d9e41857f5e451b28b4629ac74736e6d6f89a88e
-
C:\Program Files\KeePass Password Safe 2\unins000.exeFilesize
3.0MB
MD5a96ef5a2191bcf92dd9cc0a62522c69f
SHA1c7f2d102b5fb3883a0906b876fe5c8370d82d0c4
SHA2563b8555ecb75212eb84e09110194b7696d8c3bf8eec87d5a05dcef2684c9ae028
SHA5120d2611617d32a3599714c6fdda5f30d377a776b89ec195f454aafdda381de61fa788dec5886eec62f906b24da0cf1588ccb00702835f2ca8d53f276cf5205741
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KeePass.exe.logFilesize
1KB
MD5fb4ee9ee60e5d08b931d9e9ac0d03199
SHA1f4d95d1307979ded7cd15f9798d077c5186c832b
SHA25653bcdf089df966f97986fc0696fbc720b2031bc925f712b404989aaedf0d4aac
SHA512cb672e5f20031ac8ee1aafec88b674dc0464dd2cd287482a3633746d8184006a6cc31703bf4011a3fbd4f88a1f11e4e21fe84fc8d7970ff2aee93dc6c15f2e2b
-
C:\Users\Admin\AppData\Local\Temp\is-OJE25.tmp\KeePass-2.56-Setup.tmpFilesize
3.0MB
MD5354613dd35e43746f934c0e9d7b2543c
SHA18b7d3e5306279753e025279455a7d97e1c55cfe4
SHA256c11513e77b5cd81f07e33111d7a36f5ee4cf551113e30414de753a4c101173d6
SHA512b3d6a91087a942c5ce04efb179b04989402761b2e634cf1f58924563926d75e034bff675bfb517011c3f91d46d37a5ee69936487830e89270e933c6720d7ef56
-
C:\Users\Admin\AppData\Roaming\KeePass\KeePass.config.xmlFilesize
3KB
MD5a504197f62d2636d05d0d7388b752484
SHA1538a7f216557c7f53dbd2e70f26b226f7104a2e7
SHA2568a045ba53f096aecd741e38488d72473378593dcd3cbe4fd97d4b0e133dd4c91
SHA5124d1347f6aa54b8e239f23f86096662f90aa493bf444ca2f59ab1e0836cd350b8c1370b74ce0c2cfa9a8f8bac193e3073536b08a7bf1f110a79de8f401ceba304
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\f303a963447fcb6b2307b72edab46e58\KeePass.ni.exeFilesize
11.4MB
MD52f856e06222f7e26999e53396e4ce7d7
SHA14eb190fa96382b7cf30e0ea41c0ad65db5c0ba4f
SHA25644d49be085f891f4f881c5e1865575e34cd49d12602196915ae2a1fc702ea3f9
SHA5127e24e2e02c7362889a6eeaa81b67e4e4ec4777a8f013c2ebc2414f4164b94bbbd56d124eb33945d20b11258270e3eee48608636f350404e0594cb5bec673d49d
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\f303a963447fcb6b2307b72edab46e58\KeePass.ni.exe.auxFilesize
1KB
MD5f2986f1ced2942290c4e14cd1e9084c8
SHA1693cf3496def9f4c2766a33b7bdde063eef8d2c8
SHA2566d10119b7ecd681408e10c025bb6ffff2e0c8a7f21862ade12eea0538e399935
SHA5121c1ce774a5e1bb9c2cce28d7d7d22275dc71076a82a5b3c45436bd236b48d55ba32d22b4e1ed004dcb95b5fe1452c0f04a6733bdb12a033df934c44a444a26c9
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dllFilesize
3.0MB
MD55968702720c09d48fc7a0aae9f458a3e
SHA164ec4c0ee94a26fdd26f7f02892a313793ca3333
SHA2561db11e73cdfebf485614216e227af712214049b909490e500bd0189a580a7eea
SHA512107b18bb1f4d5441c015a657aab87581d4e37d72321ceac4208ff00f93e82d98f340dce8e6493e8f89a0104c3f71443455ab7f88433a173b5dc75e1274b21164
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.auxFilesize
708B
MD5babee7fd2083dd07600dd5c55c7ccb19
SHA1d60268525947cb482d08dc82bf8dbedc4153ecc7
SHA256211f95dde18026099e727ea7dd3c59b2f44e4b8d6bc37a400b4e77dd35407fb8
SHA512fb07b7940e0caa80c779f80a79c855f360a6032f4cfbc55d1d244070d638e2edc7969ebdbb1bc695b7a6e2a4ea8b9197287ee27acaf6e0ec3e7a2114c892034c
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dllFilesize
3.0MB
MD55ce272c443c76c6a0268b17307086373
SHA19da215c4f1fa2367b0abb062ae23c49c27e0cf6e
SHA2561bda44e93fabab317c5d2768199ae87d47868e2ba1bd5c4eafbbc78fa3ae7414
SHA512a6a66cc3a2b2080973edea313fc2f486c26c43280ffb1790c39f7e4983671abeb7c4b7e42c247823e2f30c284467e0848259d9d8bbbe50e3858bb5dc23a29d94
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dllFilesize
314KB
MD50ec738c1551385a6ab8287162ead2385
SHA1576f4ac07fa966785607109902714f104c2b6fdb
SHA2562be57b6de3fa61e65fab74f2911edeee2d0c4d3f0e2e0371bfca72498a4ac60e
SHA512abfa6e2d47c55b65bf81a240c32bc7dbbdf739b23d4ddeb6b95d4c39eec7c0f59d3b788239b7ef4419d31176cd2a5338bda535c9241ba24ddecaaae36b57303a
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dllFilesize
345KB
MD59ca5ccbe1085d777dc220ad37e26d6d3
SHA17f63e7d7764a4dc13a8b9cbec50749229cb93bca
SHA256f362820cf09248efe993990b005ae1cbc856a048f08d7e1b494d980bff8a2342
SHA512bc5142e7741071dcbff36c8320d7b217ddfc95c43b3c2a422ff2439e0eb46669c23d1ceda2956735c9a5cf66f489de21eba9a85d3b8d50959d898a213be3c3ea
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dllFilesize
986KB
MD5f7c61b3ccddcebf97d4f2fcd7d2fc298
SHA13d4149310ceafb8b989afda01ac47abd4b9eae32
SHA2568effa08244a2d3dc6573065c372c8fc06e515f584d6f7760ffafc6fcd91b7957
SHA5120fd5437a6f77375b930ae913f955ef5b25c1374ae0ac491e4873ba4e303a0e4542a312d82096cbd6c171b4ed81859f2ab8ef2e2dcb20d534e5a923eb5314fa4f
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.auxFilesize
912B
MD5c7f1888df8d5f0cee44055889d7145a0
SHA12b38514613fdcf0bd151d72e1754f82c8600238f
SHA25686a58da68258f409d91c6178502763d92d53d5a81a0c65ea0da5826aa95dced2
SHA512a96ac1b47a8ddb9efcf4b1483c47ef8141b05e47c68e9357ffb239033434b9450ef562f5a1ebb0a741c401c384da95780482a647270fd39558a1d73990101670
-
memory/1292-173-0x0000000020790000-0x00000000207FE000-memory.dmpFilesize
440KB
-
memory/1292-162-0x00000000003F0000-0x0000000000718000-memory.dmpFilesize
3.2MB
-
memory/1660-114-0x0000064445320000-0x000006444561E000-memory.dmpFilesize
3.0MB
-
memory/1812-0-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1812-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/1812-7-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1812-170-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2020-56-0x0000016776E90000-0x00000167771B8000-memory.dmpFilesize
3.2MB
-
memory/2020-59-0x00000167771C0000-0x0000016777348000-memory.dmpFilesize
1.5MB
-
memory/2020-58-0x0000016776950000-0x00000167769A0000-memory.dmpFilesize
320KB
-
memory/2020-62-0x0000016776B00000-0x0000016776B22000-memory.dmpFilesize
136KB
-
memory/2020-61-0x0000016776D20000-0x0000016776DD2000-memory.dmpFilesize
712KB
-
memory/2020-60-0x0000016776AD0000-0x0000016776AF2000-memory.dmpFilesize
136KB
-
memory/2264-96-0x0000064443EC0000-0x0000064443F11000-memory.dmpFilesize
324KB
-
memory/3008-81-0x0000064449A20000-0x0000064449B18000-memory.dmpFilesize
992KB
-
memory/3172-144-0x0000064488000000-0x0000064488B64000-memory.dmpFilesize
11.4MB
-
memory/4336-129-0x0000064449980000-0x00000644499D8000-memory.dmpFilesize
352KB
-
memory/4816-160-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-8-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-169-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-11-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-6-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/5064-64-0x00000644451A0000-0x00000644454A4000-memory.dmpFilesize
3.0MB