Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 25/05/2024, 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- Resource: win10v2004-20240508-en
General
- Target: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- Size: 45KB
- MD5: 636e5a04688045b7bb9e766678779042
- SHA1: ee262b0581b7504b8705ba9943b62f25fa9208fd
- SHA256: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
- SHA512: 96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c
- SSDEEP: 768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Disables RegEdit via registry modification (2 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (7 IoCs)
pid | Process
- 884 | xk.exe
- 2376 | IExplorer.exe
- 1456 | WINLOGON.EXE
- 2420 | CSRSS.EXE
- 2444 | SERVICES.EXE
- 1856 | LSASS.EXE
- 868 | SMSS.EXE
Loads dropped DLL (12 IoCs)
pid | Process
- 1868 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe (12 identical entries)
Modifies system executable filetype association (2 TTPs, 13 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Adds Run key to start application (2 TTPs, 5 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
Drops file in System32 directory (6 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- File created | C:\Windows\SysWOW64\shell.exe
- File created | C:\Windows\SysWOW64\Mig2.scr
- File created | C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\Mig2.scr
- File opened for modification | C:\Windows\SysWOW64\shell.exe
Drops file in Windows directory (2 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- File opened for modification | C:\Windows\xk.exe
- File created | C:\Windows\xk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel (4 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
- Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Modifies registry class (15 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
- 1868 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
- 1868 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
- 884 | xk.exe
- 2376 | IExplorer.exe
- 1456 | WINLOGON.EXE
- 2420 | CSRSS.EXE
- 2444 | SERVICES.EXE
- 1856 | LSASS.EXE
- 868 | SMSS.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe (pid 1868)
description | procid_target
- PID 1868 wrote to memory of 884 | 28 (4 identical entries)
- PID 1868 wrote to memory of 2376 | 29 (4 identical entries)
- PID 1868 wrote to memory of 1456 | 30 (4 identical entries)
- PID 1868 wrote to memory of 2420 | 31 (4 identical entries)
- PID 1868 wrote to memory of 2444 | 32 (4 identical entries)
- PID 1868 wrote to memory of 1856 | 33 (4 identical entries)
- PID 1868 wrote to memory of 868 | 34 (4 identical entries)
System policy modification (1 TTPs, 4 IoCs)
Process (all entries): 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
description | ioc
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"
  PID: 1868
  Signatures:
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes (depth 2):
  - C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    PID: 884
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 2376
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    PID: 1456
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    PID: 2420
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    PID: 2444
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    PID: 1856
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    PID: 868
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 45KB
  MD5: 4b0e07d057e4143e2fd202e4b923e175
  SHA1: 208a1839a3fbdac75a3198a4954e6bfb661f0d79
  SHA256: b6eb4ef650951055827557a90d1b40841220a3613b226218ad9e668b38c3ddc1
  SHA512: 273b96e3a633a8e5e4dbf66eb60eff3b7e38be611a2db481144faa58115de90ea235e25e7b1a9d739812af36d2d8d3928b65c1a5eb62ba55261f0c7b8410e432
- Filesize: 45KB
  MD5: 636e5a04688045b7bb9e766678779042
  SHA1: ee262b0581b7504b8705ba9943b62f25fa9208fd
  SHA256: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
  SHA512: 96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c
- Filesize: 45KB
  MD5: d9b1d9b09875348bf2c5db908241aea9
  SHA1: 23766d7e541419e074066a5bdf313598fe5a56f8
  SHA256: 2f049c7efddc0e0be97e0e89a3c14df9dd5c818bef05bea990e65def9e2ba75d
  SHA512: b2cc8acc881c8de406c4e2cb7d81b931ec2f762ae6fa39fd7f7ed7f3b3c88f1f10ab24905ebf662398bd5fc80e82557fb2cb7539bbf896d35dd526e1316f3f11
- Filesize: 45KB
  MD5: b15fceb5d5c61cb90cc03a7c5ecf68f7
  SHA1: 24605107c1072f74c06c11a037cec3400b64a882
  SHA256: 8b53663f500271a1c3f74af6b59020867c14914c50183b4bdff739449c81c14d
  SHA512: c1f3e90a0d5afba6f351d478fc32d44b812aa34c09eb89ecd88d0ee4587dba7436f2dc578cdb341e269e923eb1c87eddbf3b3bf2a7204be3dc47dcd6ce136ff3
- Filesize: 45KB
  MD5: cf6a7295422aa33f21c86fb5e905a8b6
  SHA1: c304a8ff23cdf1593ef9b937f9e0cdee37ec71bd
  SHA256: 8d42b8bf50f76a965431c6229a0b7a07a700bda2963645f440b4d59eede0befc
  SHA512: e48ffa853c0cac480ee29e452fe2a6691783d388021324700eaca9ff9ca0e38f778121c64e89678bced7bc4691bd538610201991f4179777b477b66069ce96bd
- Filesize: 45KB
  MD5: 4f80152e409be2baad4099859a09c2d9
  SHA1: fe8169041b9c97ce36c665a19554ae11254ac1f3
  SHA256: 66849858deb27f7150e387c052131d2300b724bcbf6cd2b63eaeb2c0f6ec4a63
  SHA512: d5f7f63390a0eb046ad2be7b590df09ba5d5d6ffa0d01a427b4d2a5b95cb1ba04a3fa62d9496041c21b7c0fb84405d1eb290d7d0f7abbd9c4a984cc5ca65cd4e
- Filesize: 45KB
  MD5: 42fa8fbf9baac4b8fd038519877d8d17
  SHA1: d3be0702b7005ecfa31a5349adfe3406e92aa28e
  SHA256: e8df3372156d26330d2a44a58fa659410023188a569bc265fba41ce0013e0256
  SHA512: 296137b263aa13fc56e66acf847f22fbc35977785397d43a93d415a2511506a4256acde2c2cabab6c9ee1ce81a51b21c651fc3a56bd5b6b2bc866d362f8ef8b8
- Filesize: 45KB
  MD5: 6fdc45576af91c4f09a55d753448cf45
  SHA1: 06db0d40643957f1151d36ec78adf918bb20534b
  SHA256: 1f585798bd77c871e5c00a487e5955283ea887cd0fdcd432e107c063bf858a7b
  SHA512: 44da8debf55046bd0ff5c82011532cfc4ef985ee00698b461c35148fee90fa49de340bab6a51662681139047e83d3cedd280fdeec58f56828517b0eee2084d8b