Analysis
- max time kernel: 133s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 22:14
Static task: static1
Behavioral task: behavioral1
- Sample: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Resource: win10v2004-20240508-en
General
- Target: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Size: 45KB
- MD5: 4eae1eef38400d1e90011f887c700932
- SHA1: 172988046bc829608da1865c5d1c942aa22493d6
- SHA256: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
- SHA512: 3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df
- SSDEEP: 768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEqP:8AwEmBj3EXHn4x+9aqP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Detects executables built or packed with MPress PE compressor (18 IoCs)
resource | yara_rule
- behavioral2/memory/4388-0-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x0007000000023415-8.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x0007000000023419-106.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1724-107-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x000700000002341d-114.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1724-113-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/2268-119-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x000700000002341f-121.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x0007000000023420-128.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/4668-127-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/3536-133-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x0007000000023421-135.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/608-140-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x0007000000023422-142.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1496-148-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/files/0x0007000000023423-149.dat | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/4240-154-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral2/memory/4388-156-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Disables use of System Restore points (1 TTP)

Executes dropped EXE (7 IoCs)
pid | Process
- 1724 | xk.exe
- 2268 | IExplorer.exe
- 4668 | WINLOGON.EXE
- 3536 | CSRSS.EXE
- 608 | SERVICES.EXE
- 1496 | LSASS.EXE
- 4240 | SMSS.EXE

Modifies system executable filetype association (2 TTPs, 13 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\IExplorer.exe | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File opened for modification | C:\Windows\SysWOW64\Mig2.scr | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File created | C:\Windows\SysWOW64\shell.exe | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File created | C:\Windows\SysWOW64\Mig2.scr | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\xk.exe | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File created | C:\Windows\xk.exe | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Modifies Control Panel (4 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Modifies registry class (15 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
- 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- 1724 | xk.exe
- 2268 | IExplorer.exe
- 4668 | WINLOGON.EXE
- 3536 | CSRSS.EXE
- 608 | SERVICES.EXE
- 1496 | LSASS.EXE
- 4240 | SMSS.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
- PID 4388 wrote to memory of 1724 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 83
- PID 4388 wrote to memory of 1724 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 83
- PID 4388 wrote to memory of 1724 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 83
- PID 4388 wrote to memory of 2268 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 84
- PID 4388 wrote to memory of 2268 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 84
- PID 4388 wrote to memory of 2268 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 84
- PID 4388 wrote to memory of 4668 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 85
- PID 4388 wrote to memory of 4668 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 85
- PID 4388 wrote to memory of 4668 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 85
- PID 4388 wrote to memory of 3536 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 86
- PID 4388 wrote to memory of 3536 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 86
- PID 4388 wrote to memory of 3536 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 86
- PID 4388 wrote to memory of 608 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 87
- PID 4388 wrote to memory of 608 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 87
- PID 4388 wrote to memory of 608 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 87
- PID 4388 wrote to memory of 1496 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 88
- PID 4388 wrote to memory of 1496 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 88
- PID 4388 wrote to memory of 1496 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 88
- PID 4388 wrote to memory of 4240 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 89
- PID 4388 wrote to memory of 4240 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 89
- PID 4388 wrote to memory of 4240 | 4388 | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | 89

System policy modification (1 TTP, 4 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"
  PID: 4388
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    PID: 1724
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 2268
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    PID: 4668
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    PID: 3536
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    PID: 608
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    PID: 1496
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    PID: 4240
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads