Analysis
max time kernel: 134s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:51
Static task
  static1
Behavioral task
  behavioral1: sample dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe, resource win7-20240221-en
Behavioral task
  behavioral2: sample dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe, resource win10v2004-20240508-en (the run this report describes)
General
Target: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
Size: 91KB
MD5: 2835b0b18d506ee17195779b74fd5efb
SHA1: 22fee58891fccfb3acfa278d376e28be5f8726d7
SHA256: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
SHA512: df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c
SSDEEP: 1536:FAwEmBGz1lNNqDaG0PoxhlzmDAwEmBGz1lNNqDaG0Poxhlzm+:FGmUXNQDaG0A8DGmUXNQDaG0A8+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Note: the defaults are Shell = "explorer.exe" and Userinit = "C:\Windows\system32\userinit.exe,"; appending IExplorer.exe to both makes winlogon start it at every interactive logon. Both writes landed under WOW6432Node because the sample is a 32-bit process on an x64 image and this part of HKLM\SOFTWARE is redirected for 32-bit code. The 64-bit winlogon.exe reads the native key, so on this image the entries are unlikely to take effect; a 32-bit Windows install would honour them. Hunt in both registry views.
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Set value (int)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Set value (int)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Note: both are per-user Explorer view settings: HideFileExt = 1 hides extensions, ShowSuperHidden = 0 hides files carrying the hidden+system attributes. With the exefile type name changed to "File Folder" (see "Modifies system executable filetype association") a dropped .exe displays like a folder, and NoFolderOptions = 1 (see "System policy modification") removes the dialog a user would use to change the view back.
Detects executables built or packed with MPress PE compressor (18 IoCs)
YARA rule: INDICATOR_EXE_Packed_MPress, matched on the following resources
  behavioral2/memory/2340-0-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/files/0x00070000000233fc-8.dat
  behavioral2/files/0x0007000000023400-106.dat
  behavioral2/files/0x0007000000023404-112.dat
  behavioral2/memory/1600-111-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/files/0x0007000000023406-118.dat
  behavioral2/memory/3016-122-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/memory/4208-121-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/memory/3016-126-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/files/0x0007000000023407-127.dat
  behavioral2/memory/2480-131-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/files/0x0007000000023408-133.dat
  behavioral2/memory/4724-138-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/files/0x0007000000023409-140.dat
  behavioral2/memory/3652-144-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/files/0x000700000002340a-146.dat
  behavioral2/memory/2340-153-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/memory/2492-151-0x0000000000400000-0x000000000042E000-memory.dmp
Note: MPress is a freely available packer, so the match says the sections are compressed, not that the code is malicious by itself; static string work needs the unpacked image, which is what the memory dumps listed here are. Every process in the tree (PIDs 2340, 1600, 4208, 3016, 2480, 4724, 3652, 2492) maps the same 0x400000-0x42E000 image range, and every file in Downloads is 91KB, the size of the sample.
Disables RegEdit via registry modification (2 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Set value (int)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables use of System Restore points (1 TTP; the report lists no IoC rows for this signature)
Executes dropped EXE (7 IoCs)
  PID   Process
  1600  xk.exe
  4208  IExplorer.exe
  3016  WINLOGON.EXE
  2480  CSRSS.EXE
  4724  SERVICES.EXE
  3652  LSASS.EXE
  2492  SMSS.EXE
Note: five of the names copy Windows system processes (WINLOGON, CSRSS, SERVICES, LSASS, SMSS) and one imitates Internet Explorer, but per the process tree they run from the user profile, C:\Windows and C:\Windows\SysWOW64, not from the paths the real binaries use.
Modifies system executable filetype association (2 TTPs, 13 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Note: a trailing backslash in a path denotes the key's default value. The stock command for exefile, comfile, batfile and piffile is "%1" %*; pointing all five classes at "C:\Windows\system32\shell.exe" "%1" %* routes every .exe, .com, .bat, .pif and .lnk launched through the shell via the dropped binary. HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit registry views, so unlike the Winlogon writes this hijack is visible to the 64-bit Explorer. The file itself was written to C:\Windows\SysWOW64\shell.exe (see "Drops file in System32 directory") because WOW64 redirects the 32-bit sample's system32 writes, whereas a 64-bit process resolves C:\Windows\system32 to the native directory; check both locations.
Adds Run key to start application (2 TTPs, 5 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
Note: "Local Settings\Application Data" is the Windows XP profile layout; on Vista and later both components are junctions into AppData\Local, so the effective drop directory is C:\Users\Admin\AppData\Local\WINDOWS\ and that is where to hunt. The 64-bit Explorer processes the WOW6432Node Run key as well as the native one, so the two HKLM entries are effective on this image. The entry names (MSMSGS, ServiceAdmin, LogonAdmin, System Monitoring) are chosen to read like legitimate software.
Drops file in System32 directory (6 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  File opened for modification  C:\Windows\SysWOW64\shell.exe
  File created                  C:\Windows\SysWOW64\shell.exe
  File created                  C:\Windows\SysWOW64\Mig2.scr
  File created                  C:\Windows\SysWOW64\IExplorer.exe
  File opened for modification  C:\Windows\SysWOW64\IExplorer.exe
  File opened for modification  C:\Windows\SysWOW64\Mig2.scr
Note: the sample addresses C:\Windows\system32 (see the IExplorer.exe command line in the process tree and the registry values above), but as a 32-bit process its writes are redirected by WOW64 to SysWOW64. Writing here requires administrative rights, which the sandbox run evidently had.
Drops file in Windows directory (2 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  File opened for modification  C:\Windows\xk.exe
  File created                  C:\Windows\xk.exe
Modifies Control Panel (4 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Key created      \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Note: this registers a screensaver that runs after 600 seconds idle without locking the session (ScreenSaverIsSecure = 0). The value names Mig~mig.SCR, but the only .scr the report shows being written is C:\Windows\SysWOW64\Mig2.scr; the report contains no creation of a file called Mig~mig.SCR, so whether this entry resolves to anything on disk is not established by this run.
Modifies registry class (15 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Note: this generic signature records the same Classes writes as "Modifies system executable filetype association" above, plus the Key created rows for the exefile and lnkfile keys themselves. The sandbox logs "Key created" for the open-or-create call regardless of whether the key already existed.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  2340  dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
  2340  dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
  PID   Process
  2340  dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
  1600  xk.exe
  4208  IExplorer.exe
  3016  WINLOGON.EXE
  2480  CSRSS.EXE
  4724  SERVICES.EXE
  3652  LSASS.EXE
  2492  SMSS.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
Source: PID 2340 dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe, three writes into each child it spawned
  target PID  target process  procid_target  writes
  1600        xk.exe          83             3
  4208        IExplorer.exe   84             3
  3016        WINLOGON.EXE    85             3
  2480        CSRSS.EXE       86             3
  4724        SERVICES.EXE    87             3
  3652        LSASS.EXE       88             3
  2492        SMSS.EXE        89             3
Note: the targets are exactly the seven processes the sample created, with the same small number of writes each, which is consistent with ordinary process creation by the parent. The report shows no writes into a process the sample did not spawn, so this signature on its own is not evidence of injection into other processes.
System policy modification (1 TTP, 4 IoCs)
Process: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe (PID 2340)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
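The registry rows above are the actionable part of this report. As an added example, not part of the sandbox output, the Python below parses rows in the report's own "Set value" format, folds WOW6432Node and the per-user SID so one rule matches either registry view and any account, and flags the writes a responder would act on: Winlogon Shell/Userinit changes, exefile/comfile/batfile/piffile/lnkfile open-command hijacks, Run entries that borrow system-process names outside System32, the exefile type-name rename, and the policy, Explorer-view and screensaver settings. REPORT_LINES are copied from the Signatures section; BENIGN_LINE (the stock exefile command), the rule thresholds and the ATT&CK tags are the example's own assumptions.

```python
"""Triage the registry 'Set value' rows of the sandbox report above.
Added example, not sandbox output: REPORT_LINES are copied from the report,
BENIGN_LINE, the rule thresholds and the ATT&CK tags are assumptions."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    tag: str    # ATT&CK technique ID or a short label (assumed mapping)
    key: str    # normalised registry path
    value: str
    note: str


# Row shape:  Set value (str) \REGISTRY\...\Name = "value, with \" and \\ escaped"
_LINE = re.compile(r'^Set value \((?:str|int)\) (\\REGISTRY\\.*?) = "(.*)"$')
_CLASS_CMD = re.compile(r'\\classes\\(exefile|comfile|batfile|piffile|lnkfile)\\shell\\open\\command\\?$')
_SYSTEM_NAMES = {'winlogon.exe', 'csrss.exe', 'services.exe', 'lsass.exe', 'smss.exe', 'svchost.exe'}
_SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
_HIVES = (('\\registry\\machine\\software\\wow6432node\\', 'HKLM\\SOFTWARE\\'),   # fold the 32-bit view
          ('\\registry\\machine\\', 'HKLM\\'), ('\\registry\\user\\', 'HKU\\'))
_SIMPLE_RULES = (  # key suffix, flagged value (None = any), tag, note
    ('\\policies\\system\\disableregistrytools', '1', 'T1562.001', 'Registry Editor disabled by policy'),
    ('\\policies\\explorer\\nofolderoptions', '1', 'T1562.001', 'Folder Options removed from Explorer'),
    ('\\explorer\\advanced\\hidefileext', '1', 'hide-artifacts', 'file extensions hidden in Explorer'),
    ('\\explorer\\advanced\\showsuperhidden', '0', 'hide-artifacts', 'protected OS files hidden in Explorer'),
    ('\\control panel\\desktop\\scrnsave.exe', None, 'T1546.002', 'screensaver executable set by the sample'),
    ('\\control panel\\desktop\\screensaverissecure', '0', 'T1546.002', 'screensaver no longer locks the session'),
)


def parse_set_value(line):
    """(path, value) for a 'Set value' row with the report's backslash escapes undone; None otherwise."""
    m = _LINE.match(line.strip())
    return (m.group(1), re.sub(r'\\(.)', r'\1', m.group(2))) if m else None


def normalize(path):
    """Map NT paths to HKLM/HKU, fold WOW6432Node into HKLM\\SOFTWARE, replace the per-user SID."""
    low = path.lower()
    for prefix, repl in _HIVES:
        if low.startswith(prefix):
            rest = path[len(prefix):]
            if repl == 'HKU\\':
                rest = re.sub(r'^S-1-5-21(?:-\d+)+\\', lambda _: '<sid>\\', rest, count=1)
            return repl + rest
    return path


def _first_path(cmd):
    """Executable a Run value launches; an unquoted path with spaces is kept whole if it ends in .exe etc."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd if cmd.lower().endswith(('.exe', '.scr', '.com', '.bat')) else (cmd.split() or [''])[0]


def evaluate(path, value):
    """Findings for one registry write; each rule encodes the default the sample overrides."""
    key, v = normalize(path), value.strip()
    k, out = key.lower(), []
    if k.endswith('\\winlogon\\shell') and v.lower() != 'explorer.exe':
        out.append(Finding('T1547.004', key, value, 'Winlogon Shell is not the default explorer.exe'))
    if k.endswith('\\winlogon\\userinit'):
        extra = [e for e in map(str.strip, v.split(',')) if e and e.rsplit('\\', 1)[-1].lower() != 'userinit.exe']
        if extra:
            out.append(Finding('T1547.004', key, value, 'extra Userinit entries: ' + ', '.join(extra)))
    m = _CLASS_CMD.search(k)
    if m and not v.lstrip('"').startswith('%1'):      # stock command is "%1" %* with nothing in front
        out.append(Finding('T1546.001', key, value, f'{m.group(1)} open command runs a program before "%1"'))
    if k.endswith('\\classes\\exefile\\') and v.lower() != 'application':
        out.append(Finding('T1036', key, value, 'exefile type name changed from "Application"'))
    if '\\currentversion\\run\\' in k:
        exe = _first_path(v)
        name = exe.rsplit('\\', 1)[-1].lower()
        masq = name in _SYSTEM_NAMES and not exe.lower().startswith(_SYSTEM_DIRS)
        out.append(Finding('T1547.001', key, value,
                           f'Run entry masquerading as {name} outside System32' if masq else 'Run entry added'))
    for suffix, flagged, tag, note in _SIMPLE_RULES:
        if k.endswith(suffix) and (flagged is None or v == flagged):
            out.append(Finding(tag, key, value, note))
    return out


def triage(lines):
    """Parse every row and collect findings; rows that are not 'Set value' writes are skipped."""
    findings = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed:
            findings.extend(evaluate(*parsed))
    return findings


# Rows copied from the report's Signatures section.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"',
]
# Constructed control row (assumption): the stock exefile command, which must produce no finding.
BENIGN_LINE = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"'

if __name__ == '__main__':
    for f in triage(REPORT_LINES + [BENIGN_LINE]):
        print(f'{f.tag:14} {f.note}\n    {f.key} = {f.value}')
```

The rows can be pasted straight from a report; anything that is not a "Set value" row (Key created, File created) is ignored. Folding WOW6432Node is deliberate: the rule still fires for the Winlogon entries even though, as noted above, a 64-bit winlogon would not read them, because the same write on a 32-bit host is fully effective and the responder should see it either way.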
Processes
C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe  (PID 2340, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children (depth 2), all spawned by PID 2340:
    C:\Windows\xk.exe  (PID 1600)
      command line: C:\Windows\xk.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe  (PID 4208)
      command line: C:\Windows\system32\IExplorer.exe  (system32 resolved to SysWOW64 by WOW64 redirection, the sample being 32-bit)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (PID 3016)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (PID 2480)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (PID 4724)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (PID 3652)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (PID 2492)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
Downloads
All eight files are 91KB; the fifth entry is the submitted sample itself.

Filesize: 91KB
MD5: a5c3a51c086f63c9dd44c35e3dc9228c
SHA1: da79eda929540760e40f83f28fcd8c3958228cdc
SHA256: af91cd9e3aa86a5c37468a6d66e0b6dbd25692902053639968604902a85045a1
SHA512: 6f66de9033667541f77b1d89527c16eff6159b838971913b42133d181f2cdfc28291112e166bc951a7c1ce3c8b680063bff488d7cbaae96d786d7e9e5a99ac5e

Filesize: 91KB
MD5: dde2b831ac85a7ffc2dda2fb7b156785
SHA1: 696b79dc74918737c0eeb62aebb90191834f388f
SHA256: fb8cd369c7d908e3443c96ccc82c645b1928ee7a0aea064d37463c44d600e254
SHA512: 5b8d2b9943330ab321193486a556ce34b798174148df1e5fbb249279cef113cf71d6765ce6dd7a36e3cbc66812f5627efd3683edb3b452ff4a9edb37df669095

Filesize: 91KB
MD5: 9438b88fbf174389c124d6301269cbcb
SHA1: dd22bd0f6b3d07ce9d2a8a328b9d561d66b35101
SHA256: b4cc04309abd18cdd6dc29c5705b50595ce5ae687d0b44bc64a35d92e64742ae
SHA512: 0686164ac898f2214e045a9732680422d23fdaa48a872ebe68b62515ebeeb2b1de792d95cd0007c7feca6217e5c05fc803b6d9e0fe9ec7634977ed931ac0129a

Filesize: 91KB
MD5: 47d20245560a6992ac6765f47a499709
SHA1: 597753a105feeb4a7e8095b11c065c2cc1af42bb
SHA256: a94d3174c1f89913f952603829caa2d7b64622c4713437dcd0960f6b02b277b1
SHA512: d30a035a971e3cc46c450ef63f515f196ec72594a28b3dc5f9252b14d0f20379db256ea96fd3f82d22d521abab51db31883342e07c6c3e898bb1ee54e034e06d

Filesize: 91KB (the submitted sample)
MD5: 2835b0b18d506ee17195779b74fd5efb
SHA1: 22fee58891fccfb3acfa278d376e28be5f8726d7
SHA256: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
SHA512: df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c

Filesize: 91KB
MD5: c436b301f9588ff17d835b76e98731ca
SHA1: d9bb7696ef72698defaa42b63fcec42dd9a0798c
SHA256: ab0d36a5911cbb89f89e3356fc8815364db9b7efa182c23ccabbeff2d8bc4e0e
SHA512: 9a9a8299f67447acebb5ea7c2476faeb4fb917b052490778519bb4370842995924c6305944df2e27c139571b68c7b1b47f95bb98e2713784e10e3ce7afb7d93e

Filesize: 91KB
MD5: 81c3e4d144481943e744a51f7d5704d7
SHA1: 6c1da16e8c9d441795a8a063029c516af6e32a9c
SHA256: d7e82662fb681e17b1294f65c3284e371d2d7c6acc3b4858708085bc19484f51
SHA512: d18ed055bcefb5ae4f7acf20499ba6fdbaccc95a473eefcec7d163f16312507a3bb7c697c755fb636845f525c225fb677a811585958c3fd8cdee49b5683217a8

Filesize: 91KB
MD5: 6aae7800264cd455514e6dc707abb33d
SHA1: 0340e043c29bfe242a19bd2e7b4f848c17822497
SHA256: 87f13175c6c7c8a98ccf7a63c336a9775a9ffe8031af8f6e081f511245e9e0ad
SHA512: 3f13549491d0f7e566c00bdc35081b01cf513085354489bd30c497951388ec66508adc321653e68969d7bc6d7b3a27353d8f0d6e49f3e3a048b5385dcb58be27