Analysis
- max time kernel: 134s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 22:26
Static task: static1
Behavioral task: behavioral1
- Sample: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- Resource: win10v2004-20240426-en
General
- Target: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- Size: 45KB
- MD5: 636e5a04688045b7bb9e766678779042
- SHA1: ee262b0581b7504b8705ba9943b62f25fa9208fd
- SHA256: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
- SHA512: 96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c
- SSDEEP: 768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Detects executables built or packed with MPress PE compressor (18 IoCs)
yara_rule (all rows): INDICATOR_EXE_Packed_MPress
resource
behavioral2/memory/4320-0-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/files/0x0007000000023428-8.dat
behavioral2/files/0x000700000002342c-106.dat
behavioral2/files/0x0007000000023430-113.dat
behavioral2/memory/820-114-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/memory/3708-117-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/files/0x0007000000023432-120.dat
behavioral2/memory/2396-123-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/files/0x0007000000023433-125.dat
behavioral2/memory/5012-130-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/files/0x0007000000023434-132.dat
behavioral2/files/0x0007000000023435-137.dat
behavioral2/memory/1668-138-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/memory/1196-142-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/files/0x0007000000023436-144.dat
behavioral2/memory/1216-146-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/memory/1216-149-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral2/memory/4320-151-0x0000000000400000-0x000000000042E000-memory.dmp
Disables RegEdit via registry modification (2 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables use of System Restore points (1 TTP)
Executes dropped EXE (7 IoCs)
pid | Process
820 | xk.exe
3708 | IExplorer.exe
2396 | WINLOGON.EXE
5012 | CSRSS.EXE
1668 | SERVICES.EXE
1196 | LSASS.EXE
1216 | SMSS.EXE
Modifies system executable filetype association (2 TTPs, 13 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
Adds Run key to start application (2 TTPs, 5 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
Drops file in System32 directory (6 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
File opened for modification | C:\Windows\SysWOW64\shell.exe
File created | C:\Windows\SysWOW64\shell.exe
File created | C:\Windows\SysWOW64\Mig2.scr
File created | C:\Windows\SysWOW64\IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr
Drops file in Windows directory (2 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
File opened for modification | C:\Windows\xk.exe
File created | C:\Windows\xk.exe
Modifies Control Panel (4 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Modifies registry class (15 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4320 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
4320 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
4320 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
820 | xk.exe
3708 | IExplorer.exe
2396 | WINLOGON.EXE
5012 | CSRSS.EXE
1668 | SERVICES.EXE
1196 | LSASS.EXE
1216 | SMSS.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | pid | procid_target
PID 4320 wrote to memory of 820 | 4320 | 83
PID 4320 wrote to memory of 820 | 4320 | 83
PID 4320 wrote to memory of 820 | 4320 | 83
PID 4320 wrote to memory of 3708 | 4320 | 84
PID 4320 wrote to memory of 3708 | 4320 | 84
PID 4320 wrote to memory of 3708 | 4320 | 84
PID 4320 wrote to memory of 2396 | 4320 | 85
PID 4320 wrote to memory of 2396 | 4320 | 85
PID 4320 wrote to memory of 2396 | 4320 | 85
PID 4320 wrote to memory of 5012 | 4320 | 86
PID 4320 wrote to memory of 5012 | 4320 | 86
PID 4320 wrote to memory of 5012 | 4320 | 86
PID 4320 wrote to memory of 1668 | 4320 | 87
PID 4320 wrote to memory of 1668 | 4320 | 87
PID 4320 wrote to memory of 1668 | 4320 | 87
PID 4320 wrote to memory of 1196 | 4320 | 88
PID 4320 wrote to memory of 1196 | 4320 | 88
PID 4320 wrote to memory of 1196 | 4320 | 88
PID 4320 wrote to memory of 1216 | 4320 | 89
PID 4320 wrote to memory of 1216 | 4320 | 89
PID 4320 wrote to memory of 1216 | 4320 | 89
System policy modification (1 TTP, 4 IoCs)
Process (all rows): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Processes
C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"
  PID: 4320
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\xk.exe (depth 2)
      command line: C:\Windows\xk.exe
      PID: 820
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe (depth 2)
      command line: C:\Windows\system32\IExplorer.exe
      PID: 3708
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 2)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      PID: 2396
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 2)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      PID: 5012
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 2)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      PID: 1668
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 2)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      PID: 1196
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 2)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      PID: 1216
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads