Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
299s -
max time network
287s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
09/07/2024, 08:42
Behavioral task
behavioral1
Sample
noratnik.exe
Resource
win10-20240404-en
windows10-1703-x64
17 signatures
300 seconds
Behavioral task
behavioral2
Sample
noratnik.exe
Resource
win11-20240704-en
windows11-21h2-x64
13 signatures
300 seconds
General
-
Target
noratnik.exe
-
Size
208KB
-
MD5
7923c75699529f65b63ba064c9f512f6
-
SHA1
f61cece0e51c1119a30e0f05a99dd6e141853388
-
SHA256
22f802dad03ce14bec556b441955def133bf22dd04e42e247390c418f1c7be4a
-
SHA512
21a28a417f3d6c43f86cc4d2251eb8712685b6654b27475541f84ea9e8851fa3b3eb48449fa4df6a757753bbfe3d97970b831b1975b01c7104d33bbd70b8e21c
-
SSDEEP
3072:BmAwnYqFn98ZOua8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLn3:BmxnYsn9nUhcX7elbKTuq9bfF/H9d9n
Score
10/10
Malware Config
Extracted
Family
xworm
Version
5.0
Mutex
GOBm8p0NnvNTIR9x
Attributes
-
Install_directory
%Userprofile%
-
install_file
system.exe
-
pastebin_url
https://pastebin.com/raw/H3wFXmEi
aes.plain
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/memory/5068-1-0x0000000000410000-0x000000000044A000-memory.dmp family_xworm behavioral1/files/0x000a00000001ac3b-195.dat family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4020 powershell.exe 4456 powershell.exe 3828 powershell.exe 1820 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk noratnik.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk noratnik.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe" noratnik.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 pastebin.com 1 pastebin.com -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\2717123927\1590785016.pri taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d00550053000000 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4020 powershell.exe 4020 powershell.exe 4020 powershell.exe 4456 powershell.exe 4456 powershell.exe 4456 powershell.exe 3828 powershell.exe 3828 powershell.exe 3828 powershell.exe 1820 powershell.exe 1820 powershell.exe 1820 powershell.exe 5068 noratnik.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5068 noratnik.exe Token: SeDebugPrivilege 4020 powershell.exe Token: SeIncreaseQuotaPrivilege 4020 powershell.exe Token: SeSecurityPrivilege 4020 powershell.exe Token: SeTakeOwnershipPrivilege 4020 powershell.exe Token: SeLoadDriverPrivilege 4020 powershell.exe Token: SeSystemProfilePrivilege 4020 powershell.exe Token: SeSystemtimePrivilege 4020 powershell.exe Token: SeProfSingleProcessPrivilege 4020 powershell.exe Token: SeIncBasePriorityPrivilege 4020 powershell.exe Token: SeCreatePagefilePrivilege 4020 powershell.exe Token: SeBackupPrivilege 4020 powershell.exe Token: SeRestorePrivilege 4020 powershell.exe Token: SeShutdownPrivilege 4020 powershell.exe Token: SeDebugPrivilege 4020 powershell.exe Token: SeSystemEnvironmentPrivilege 4020 powershell.exe Token: SeRemoteShutdownPrivilege 4020 powershell.exe Token: SeUndockPrivilege 4020 powershell.exe Token: SeManageVolumePrivilege 4020 powershell.exe Token: 33 4020 powershell.exe Token: 34 4020 powershell.exe Token: 35 4020 powershell.exe Token: 36 4020 powershell.exe Token: SeDebugPrivilege 4456 powershell.exe Token: SeIncreaseQuotaPrivilege 4456 powershell.exe Token: SeSecurityPrivilege 4456 powershell.exe Token: SeTakeOwnershipPrivilege 4456 powershell.exe Token: SeLoadDriverPrivilege 4456 powershell.exe Token: SeSystemProfilePrivilege 4456 powershell.exe Token: SeSystemtimePrivilege 4456 powershell.exe Token: SeProfSingleProcessPrivilege 4456 powershell.exe Token: SeIncBasePriorityPrivilege 4456 powershell.exe Token: SeCreatePagefilePrivilege 4456 powershell.exe Token: SeBackupPrivilege 4456 powershell.exe Token: SeRestorePrivilege 4456 powershell.exe Token: SeShutdownPrivilege 4456 powershell.exe Token: SeDebugPrivilege 4456 powershell.exe Token: SeSystemEnvironmentPrivilege 4456 powershell.exe Token: SeRemoteShutdownPrivilege 4456 powershell.exe Token: SeUndockPrivilege 4456 powershell.exe Token: SeManageVolumePrivilege 4456 powershell.exe Token: 33 4456 powershell.exe Token: 34 4456 powershell.exe Token: 35 4456 powershell.exe Token: 36 4456 powershell.exe Token: SeDebugPrivilege 3828 powershell.exe Token: SeIncreaseQuotaPrivilege 3828 powershell.exe Token: SeSecurityPrivilege 3828 powershell.exe Token: SeTakeOwnershipPrivilege 3828 powershell.exe Token: SeLoadDriverPrivilege 3828 powershell.exe Token: SeSystemProfilePrivilege 3828 powershell.exe Token: SeSystemtimePrivilege 3828 powershell.exe Token: SeProfSingleProcessPrivilege 3828 powershell.exe Token: SeIncBasePriorityPrivilege 3828 powershell.exe Token: SeCreatePagefilePrivilege 3828 powershell.exe Token: SeBackupPrivilege 3828 powershell.exe Token: SeRestorePrivilege 3828 powershell.exe Token: SeShutdownPrivilege 3828 powershell.exe Token: SeDebugPrivilege 3828 powershell.exe Token: SeSystemEnvironmentPrivilege 3828 powershell.exe Token: SeRemoteShutdownPrivilege 3828 powershell.exe Token: SeUndockPrivilege 3828 powershell.exe Token: SeManageVolumePrivilege 3828 powershell.exe Token: 33 3828 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5068 noratnik.exe 4400 LogonUI.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5068 wrote to memory of 4020 5068 noratnik.exe 72 PID 5068 wrote to memory of 4020 5068 noratnik.exe 72 PID 5068 wrote to memory of 4456 5068 noratnik.exe 76 PID 5068 wrote to memory of 4456 5068 noratnik.exe 76 PID 5068 wrote to memory of 3828 5068 noratnik.exe 78 PID 5068 wrote to memory of 3828 5068 noratnik.exe 78 PID 5068 wrote to memory of 1820 5068 noratnik.exe 80 PID 5068 wrote to memory of 1820 5068 noratnik.exe 80 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\noratnik.exe"C:\Users\Admin\AppData\Local\Temp\noratnik.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\noratnik.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'noratnik.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1820
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4640
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a9c055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4400
-
C:\Windows\System32\LockAppHost.exeC:\Windows\System32\LockAppHost.exe -Embedding1⤵PID:2404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD51f364f8aa37041c3d1e9c6f888695788
SHA123220d38fc9a0c31c6a86a6e5fbb7b78be105977
SHA256b75e48830ee5ba37bebc54e9267646968c5da5608b64d03d21a40c13d131579d
SHA51216486e36fed413e2f337ebd79de54bab90680915f8d51602f43305e5d38af4d4d08f5167dc85813b78854032b6668e0deaa720dcdfdfbeb92b55502b0d85c45c
-
Filesize
1KB
MD547de4f895df3fa196ce36b8568b5e1fa
SHA17e99ed043e776e66ae331ef8bb5f358033bd6d9a
SHA256a668c09232b1625f04b04efeee5e69eab0816785929ddb813234eb8b51d2c5fa
SHA5128ebbaadf5c5a071976e2e5cfb0d1d21e34d27e00dea047c873615e2c8ac7a952a9c7e59f2b3ec22e2ca8ec1a9202993e52e4ed2788d145ad5acaeeeab7769b91
-
Filesize
1KB
MD544ea609082c00598b851688b716ea7a0
SHA10bea7ec9c559feafcae3aca82cf46e73c79ecad3
SHA256aa5e58c101be46ff5fed11747bc6698ec5030405eabd7df429acb66cc048f5c5
SHA512b9289c8c87e746da4cf55e5015482e5c620496cf098e678a278982bf003eef931cc7286bbd59b93e50d284cd51a0c897a00c0bf434be0a872b137966041470d1
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
771B
MD53a67ac44e4ca4c249cc1cefa5d97d310
SHA1a14682244c08e587711d09729c60341be770acca
SHA256692e13ee1605d56444132773df7f972752254d3e3b0cc4bd6187d2154f94039d
SHA512133fc64d1de92fda0ebcca83cefac0655d60d35c30420c582f07da3e4ee3a4a932ee552ed098d2735971b6d6b8beb50f515bd09713c415b584f652cca4c87d21
-
Filesize
208KB
MD57923c75699529f65b63ba064c9f512f6
SHA1f61cece0e51c1119a30e0f05a99dd6e141853388
SHA25622f802dad03ce14bec556b441955def133bf22dd04e42e247390c418f1c7be4a
SHA51221a28a417f3d6c43f86cc4d2251eb8712685b6654b27475541f84ea9e8851fa3b3eb48449fa4df6a757753bbfe3d97970b831b1975b01c7104d33bbd70b8e21c