Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
01-06-2024 03:42
Static task
static1
Behavioral task
behavioral1
Sample
d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Resource
win10v2004-20240426-en
General
-
Target
d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Size
45KB
-
MD5
3209d84fe824dc59308dccab0c1d4b8b
-
SHA1
edd0bef48665580a2a0b191fc9698251942ffd7b
-
SHA256
d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3
-
SHA512
6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196
-
SSDEEP
768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEjB:8AwEmBj3EXHn4x+9ajB
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Detects executables built or packed with MPress PE compressor 19 IoCs
resource | yara_rule
behavioral2/memory/4996-0-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023435-8.dat | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023439-107.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/1864-108-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/1864-112-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002343d-115.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/1152-116-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/1152-120-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002343f-122.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3344-127-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023440-129.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3980-133-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023441-136.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/2732-140-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023442-142.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/4152-146-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023443-148.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/804-153-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/4996-155-0x0000000000400000-0x000000000042E000-memory.dmp | INDICATOR_EXE_Packed_MPress
-
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
pid | Process
1864 | xk.exe
1152 | IExplorer.exe
3344 | WINLOGON.EXE
3980 | CSRSS.EXE
2732 | SERVICES.EXE
4152 | LSASS.EXE
804 | SMSS.EXE
-
Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\shell.exe | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
File created | C:\Windows\SysWOW64\shell.exe | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
File created | C:\Windows\SysWOW64\Mig2.scr | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\xk.exe | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
File created | C:\Windows\xk.exe | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Modifies Control Panel 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Modifies registry class 15 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
1864 | xk.exe
1152 | IExplorer.exe
3344 | WINLOGON.EXE
3980 | CSRSS.EXE
2732 | SERVICES.EXE
4152 | LSASS.EXE
804 | SMSS.EXE
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 4996 wrote to memory of 1864 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 82 (3 identical rows)
PID 4996 wrote to memory of 1152 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 83 (3 identical rows)
PID 4996 wrote to memory of 3344 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 85 (3 identical rows)
PID 4996 wrote to memory of 3980 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 86 (3 identical rows)
PID 4996 wrote to memory of 2732 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 87 (3 identical rows)
PID 4996 wrote to memory of 4152 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 88 (3 identical rows)
PID 4996 wrote to memory of 804 | 4996 | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe | 89 (3 identical rows)
-
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
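The registry writes in the signatures above are the sample's whole persistence and user-blinding story: it appends its own copy to the Winlogon Userinit and Shell values, points the exefile/comfile/batfile/piffile/lnkfile open handlers at its dropped shell.exe, relabels the exefile class as "File Folder", registers Run entries under core-process names from the user profile, sets its own screensaver, and switches on HideFileExt, DisableRegistryTools and NoFolderOptions so the victim can neither see nor undo any of it. The Python below is an added example, not part of the sandbox report or of any tool it names: it takes sandbox-style "Set value" events and returns the ones that deviate from stock Windows values. The event list is constructed from the report's IoC lines (backslash escaping removed) plus two benign control writes; the stock defaults, the protected-name set and the built-in screensaver allow-list are assumptions of the example, marked as such in the code.

```python
"""Flag registry writes that match the persistence and user-blinding patterns
in this report.  Added example: the "stock" values, the protected-name set and
the screensaver allow-list below are assumptions about an unmodified Windows
install, not data taken from the sandbox."""
import re
from typing import List, NamedTuple, Tuple


class RegWrite(NamedTuple):
    key: str   # key path as the sandbox prints it (\REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\...)
    name: str  # value name; "" is the key's default value
    data: str  # string or integer data, as text


DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"   # stored with a trailing comma
DEFAULT_SHELL = "explorer.exe"
DEFAULT_OPEN_CMD = '"%1" %*'                              # exefile/comfile/batfile/piffile
HIJACKABLE = {"exefile", "comfile", "batfile", "piffile"}
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
USER_WRITABLE = ("c:\\users\\", "\\local settings\\", "\\appdata\\", "\\temp\\")
BUILTIN_SCR = {"scrnsave.scr", "bubbles.scr", "mystify.scr", "ribbons.scr",
               "sstext3d.scr", "photoscreensaver.scr"}   # assumed allow-list
BLINDING = {  # (key suffix, value name, data): settings that hide the infection from the user
    ("\\policies\\system", "disableregistrytools", "1"),
    ("\\policies\\explorer", "nofolderoptions", "1"),
    ("\\explorer\\advanced", "hidefileext", "1"),
    ("\\explorer\\advanced", "showsuperhidden", "0"),
}
_HIVE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\S-[\d-]+)\\", re.I)


def normalize(key: str) -> str:
    """hklm\\... or hku\\..., lower-cased, with WOW6432Node removed so the
    32-bit and 64-bit views of the same key compare equal."""
    k = _HIVE.sub(lambda m: "HKLM\\" if m.group(1).upper() == "MACHINE" else "HKU\\", key)
    return k.lower().replace("\\wow6432node", "").rstrip("\\")


def _basename(path: str) -> str:
    return path.replace('"', "").strip().rsplit("\\", 1)[-1]


def findings(writes: List[RegWrite]) -> List[Tuple[str, RegWrite]]:
    """(rule, write) for every write that deviates from the assumed defaults."""
    out = []
    for w in writes:
        key, name, low = normalize(w.key), w.name.lower(), w.data.strip().lower()
        if key.endswith("\\windows nt\\currentversion\\winlogon"):
            # Winlogon starts every comma-separated Userinit entry, then the Shell value.
            if name == "userinit" and low.rstrip(",") != DEFAULT_USERINIT:
                out.append(("winlogon-userinit", w))
            elif name == "shell" and low != DEFAULT_SHELL:
                out.append(("winlogon-shell", w))
        elif "\\classes\\" in key and key.endswith("\\shell\\open\\command"):
            cls = key.split("\\classes\\", 1)[1].split("\\", 1)[0]
            # A handler other than "%1" %* runs before every .exe/.com/.bat/.pif the user
            # opens; lnkfile has no open command on a stock install, so any write counts.
            if (cls in HIJACKABLE and name == "" and low != DEFAULT_OPEN_CMD) or cls == "lnkfile":
                out.append(("filetype-hijack", w))
        elif key.endswith("\\classes\\exefile") and name == "" and low != "application":
            out.append(("exefile-relabel", w))          # Explorer now shows .exe as "File Folder"
        elif "\\currentversion\\run" in key:
            if _basename(low) in PROTECTED_NAMES or any(p in low for p in USER_WRITABLE):
                out.append(("autorun-masquerade", w))   # system-process name or user-writable path
            else:
                out.append(("autorun-review", w))       # any other Run entry still gets a look
        elif any(key.endswith(s) and name == n and low == v for s, n, v in BLINDING):
            out.append(("user-blinding", w))
        elif (key.endswith("\\control panel\\desktop") and name == "scrnsave.exe"
              and _basename(low) not in BUILTIN_SCR):
            out.append(("screensaver-persistence", w))  # runs after ScreenSaveTimeOut idle seconds
    return out


HKU = r"\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000"
WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHELL_CMD = r'"C:\Windows\system32\shell.exe" "%1" %*'
SAMPLE_WRITES = [  # constructed from the report's IoC lines, escaping removed, plus two benign controls
    RegWrite(WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe"),
    RegWrite(WINLOGON, "Shell", r'Explorer.exe "C:\Windows\system32\IExplorer.exe"'),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command", "", SHELL_CMD),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command", "", SHELL_CMD),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile", "", "File Folder"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "System Monitoring", r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"),
    RegWrite(HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "xk", r"C:\Windows\xk.exe"),
    RegWrite(HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
    RegWrite(HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "1"),
    RegWrite(HKU + r"\Control Panel\Desktop", "SCRNSAVE.EXE", r"C:\Windows\system32\Mig~mig.SCR"),
    RegWrite(HKU + r"\Control Panel\Desktop", "ScreenSaveTimeOut", "600"),       # benign control
    RegWrite(WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),         # benign control
]

if __name__ == "__main__":
    for rule, w in findings(SAMPLE_WRITES):
        print(f"{rule:24} {w.name or '(Default)'} @ {normalize(w.key)}")
```

Run against the constructed list it reports ten writes and stays silent on the two benign controls; the xk.exe Run entry comes back as "autorun-review" rather than "autorun-masquerade" because nothing about a short name under C:\Windows is intrinsically wrong, which is exactly why every Run write deserves a look and not only the ones that trip a rule. To use the same logic on a live host, feed it the output of a registry export or an EDR's registry-set events after converting them to the same key/name/data triples.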
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"
    PID: 4996
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [2] C:\Windows\xk.exe
        Command line: C:\Windows\xk.exe
        PID: 1864
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\IExplorer.exe
        Command line: C:\Windows\system32\IExplorer.exe
        PID: 1152
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        PID: 3344
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        PID: 3980
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        PID: 2732
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        PID: 4152
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        PID: 804
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
-
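Five of the seven children in the tree above carry the name of a core Windows process (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) yet run from the user's profile and are spawned by the sample rather than by smss.exe or wininit.exe; that is ATT&CK T1036.005 (Match Legitimate Name or Location), which the report's matrix does not list. The Python below is an added example, not part of the report, that scores a process snapshot on both signals at once. The process list is constructed from the PIDs and paths in the tree plus a few benign entries for the real binaries (their PIDs, and the sample's own parent, are invented); the expected-path / expected-parent table encodes the normal Windows boot chain (smss.exe from System, csrss.exe and winlogon.exe from smss.exe, services.exe and lsass.exe from wininit.exe) and is an assumption of the example, not something the report states.

```python
"""Report core-process names that run from the wrong image path or under the
wrong parent.  Added example; EXPECTED is an assumption about the normal
Windows boot chain, not data from the sandbox report."""
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str   # full image path, or "System" for the kernel pseudo-process


class Finding(NamedTuple):
    pid: int
    name: str
    reasons: Tuple[str, ...]


# name -> (the only legitimate image path, images that may legitimately be its parent)
EXPECTED = {
    "smss.exe":     (r"c:\windows\system32\smss.exe",     {"system", "smss.exe"}),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe",    {"smss.exe"}),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", {"smss.exe"}),
    "services.exe": (r"c:\windows\system32\services.exe", {"wininit.exe"}),
    "lsass.exe":    (r"c:\windows\system32\lsass.exe",    {"wininit.exe"}),
}


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def masquerade_findings(procs: List[Proc]) -> List[Finding]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out = []
    for p in procs:
        name = basename(p.image)
        if name not in EXPECTED:
            continue
        path, parents = EXPECTED[name]
        reasons = []
        if p.image.lower() != path:
            reasons.append("image path is not " + path)
        parent = by_pid.get(p.ppid)
        # A parent missing from the snapshot (e.g. the session smss.exe that has
        # already exited) cannot be judged; only a present, wrong parent counts.
        if parent is not None and basename(parent.image) not in parents:
            reasons.append("parent is %s (pid %d)" % (basename(parent.image), parent.pid))
        if reasons:
            out.append(Finding(p.pid, name, tuple(reasons)))
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"
DROP_DIR = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS"
SAMPLE_PROCS = [
    # benign boot chain, constructed (PIDs 4..700 are invented)
    Proc(4, 0, "System"),
    Proc(400, 4, r"C:\Windows\System32\smss.exe"),
    Proc(500, 400, r"C:\Windows\System32\csrss.exe"),
    Proc(600, 400, r"C:\Windows\System32\wininit.exe"),
    Proc(700, 600, r"C:\Windows\System32\lsass.exe"),
    # the tree from the report: the sample (parent not given, so 0) and its seven children
    Proc(4996, 0, SAMPLE),
    Proc(1864, 4996, r"C:\Windows\xk.exe"),
    Proc(1152, 4996, r"C:\Windows\SysWOW64\IExplorer.exe"),
    Proc(3344, 4996, DROP_DIR + r"\WINLOGON.EXE"),
    Proc(3980, 4996, DROP_DIR + r"\CSRSS.EXE"),
    Proc(2732, 4996, DROP_DIR + r"\SERVICES.EXE"),
    Proc(4152, 4996, DROP_DIR + r"\LSASS.EXE"),
    Proc(804, 4996, DROP_DIR + r"\SMSS.EXE"),
    # constructed: the genuine lsass.exe binary launched by the sample, wrong parent only
    Proc(800, 4996, r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for f in masquerade_findings(SAMPLE_PROCS):
        print(f.pid, f.name, "; ".join(f.reasons))
```

The five dropped copies trip both checks; the constructed PID 800 trips only the parent check, which is the case a path-only rule misses (a real System32 binary started by something other than its normal parent). xk.exe and IExplorer.exe produce nothing here because they do not borrow a protected name; the registry checks earlier on this page are what catch them.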
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
- Event Triggered Execution, T1546 (1)
  - Change Default File Association, T1546.001 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
- Event Triggered Execution, T1546 (1)
  - Change Default File Association, T1546.001 (1)
Downloads
-
Filesize
45KB
MD5
a99cf2380760f64395d8d50af3eb74ac
SHA1
caf868cf0ea989f60ac3f9ff43e903ca1f1b573a
SHA256
5068500d6f4c21a763661bb6b261724ff4b4734f317b83ae26d8a06994421d18
SHA512
fa788b73c31ab1497cef34c95f89eb467061f98b332bc362682505bccaad0e11ba79741ffe1c0c6d82e862a7dd7b54b412f38cbfa9eed1de0e721203c964b3bf
-
Filesize
45KB
MD5
d0266de7aa7a59ad5fac537a03fb0b2d
SHA1
19ace44788b1c539a35a1ca67a7e84c6e7619f0e
SHA256
0846103d1871c680f6991e3ceae81722e9a8118f3e9c928c4b5c82c69e17993d
SHA512
a4adead5a5f8de14d1af21811760a46693538885ffec2fd79088d32b58dad8b136c48db22fc7f84d8852c1df8c390d25fd5b0a605e5e0f3e3b1e2086394b027b
-
Filesize
45KB
MD5
4585aa8e1b975a3484619aa381356e55
SHA1
6cd68da54126a3fcaaeec9413dc0a2f6a78d9300
SHA256
eff415841b1c455df8841668c394c3dc6df9c5accc6747eeedde62c805596b5d
SHA512
52b20bef44c85e71d0804d87340ef40e12963f459904918ea3979b1410cf69fc2709d8540c7a88c5ac93628bc56f726dec01dfac55a820e1de411e842781ee09
-
Filesize
45KB
MD5
a0765d117a1f75da8f78727e8a4fe0c3
SHA1
71739fcf50c6dab3ac49f13c68c6834f83a7d883
SHA256
9ff6a08b5db95a888c80185ae6fcce07f195c274e9fabdba7b8724f4e0107ccf
SHA512
a934e0619a5232100e30646f35dbc8aea537b7724800bd7fb172bc6891b3b5b0e085b2f43a508366a003d974634ce17ea48c92dd8f180125060e309078346160
-
Filesize
45KB
MD5
3209d84fe824dc59308dccab0c1d4b8b
SHA1
edd0bef48665580a2a0b191fc9698251942ffd7b
SHA256
d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3
SHA512
6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196
-
Filesize
45KB
MD5
ae2443e2601cdf19ad28b48894db6e60
SHA1
a20fff013ae34596adcbca6c3f302f9465c1640a
SHA256
478aa9b9afe28d67b2eafabd97a8fa5a3ade67177994223fe6b05080052bb389
SHA512
ac7b75c5352301ec1eaa1aa4f3599202f6850f0e502a0206d67ecdfbbd72e9b6c9ab216e75e757493264bf1d409e1006b285ac2e0b5e05e03049ea3bf1d1b3b0
-
Filesize
45KB
MD5
657ae0b046b6d26d86cd1b95c195f1b4
SHA1
60442987f20eac765d6d652e914405e674657052
SHA256
654d0ea5e56618763ff3a1826fb0ae02197fc74ec94844f2698f4dee566ad8c2
SHA512
dccc4ae101f2aeb1211dc3738a27230f35eb3df17fdb28aae4076f99536faddda27a7d388f506b5f81138b69d043edf8536b39723e3a1d95b9e81ef86e5a0093
-
Filesize
45KB
MD5
09d9658628c7f0738f072a53d38c886c
SHA1
6a0debf5c04d2d0b68c1d9297b6b4c432ebe7a59
SHA256
fea1416b8aecd97c4401a17a5529d9351197e3847390efb837b74f2ce76fdf0d
SHA512
3f81bec3c9787b03eb66ea8a718eb51f2d02ed55587a20d14688d4cf7a2e4cf5823da3fdfa247c60ef654d463a0146584d331cf5fc94bfeabd3f32720780a08c