Analysis
- max time kernel: 139s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/08/2024, 02:15
Behavioral task: behavioral1
- Sample: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Resource: win10v2004-20240802-en
General
- Target: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Size: 91KB
- MD5: b2e7729144512e4662ecdf17295b7d7e
- SHA1: 913a139a2c0d0d8c39de05ccb460c3138fdc6c2c
- SHA256: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3
- SHA512: 50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786
- SSDEEP: 1536:ERsjdf1aM67v32Z9x5nouy8VT9gRsjdf1aM67v32Z9x5nouy8VT+W:EOaHv3YpoutN+OaHv3YpoutN+W
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" (process: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" (process: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
Disables RegEdit via registry modification (2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)

Disables use of System Restore points (1 TTPs)
Executes dropped EXE (7 IoCs)
- PID 2736: xk.exe
- PID 2800: IExplorer.exe
- PID 2408: WINLOGON.EXE
- PID 2124: CSRSS.EXE
- PID 432: SERVICES.EXE
- PID 4860: LSASS.EXE
- PID 3828: SMSS.EXE
Modifies system executable filetype association (2 TTPs, 13 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command

Resources matching yara_rule upx:
- behavioral2/memory/4480-0-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/files/0x000700000002346a-8.dat
- behavioral2/files/0x000700000002346e-106.dat
- behavioral2/files/0x0007000000023472-111.dat
- behavioral2/memory/2736-113-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/2800-118-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/files/0x0007000000023474-120.dat
- behavioral2/memory/2408-125-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/files/0x0007000000023475-127.dat
- behavioral2/memory/2124-132-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/files/0x0007000000023476-134.dat
- behavioral2/memory/432-136-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/432-142-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/files/0x0007000000023477-141.dat
- behavioral2/memory/4860-147-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/files/0x0007000000023478-149.dat
- behavioral2/memory/3828-153-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/4480-155-0x0000000000400000-0x000000000042F000-memory.dmp
Adds Run key to start application (2 TTPs, 5 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
- Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
- Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
Drops file in System32 directory (6 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- File opened for modification C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\Mig2.scr
- File created C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\Mig2.scr

Drops file in Windows directory (2 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- File opened for modification C:\Windows\xk.exe
- File created C:\Windows\xk.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the following processes:
- xk.exe
- IExplorer.exe
- WINLOGON.EXE
- CSRSS.EXE
- SERVICES.EXE
- LSASS.EXE
- SMSS.EXE
- c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Modifies Control Panel (4 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\
- Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
- Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
- Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Modifies registry class (15 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4480: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- PID 4480: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 4480: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- PID 2736: xk.exe
- PID 2800: IExplorer.exe
- PID 2408: WINLOGON.EXE
- PID 2124: CSRSS.EXE
- PID 432: SERVICES.EXE
- PID 4860: LSASS.EXE
- PID 3828: SMSS.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
All writes originate from PID 4480, c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe (description / procid_target):
- PID 4480 wrote to memory of 2736 / 85
- PID 4480 wrote to memory of 2736 / 85
- PID 4480 wrote to memory of 2736 / 85
- PID 4480 wrote to memory of 2800 / 86
- PID 4480 wrote to memory of 2800 / 86
- PID 4480 wrote to memory of 2800 / 86
- PID 4480 wrote to memory of 2408 / 88
- PID 4480 wrote to memory of 2408 / 88
- PID 4480 wrote to memory of 2408 / 88
- PID 4480 wrote to memory of 2124 / 89
- PID 4480 wrote to memory of 2124 / 89
- PID 4480 wrote to memory of 2124 / 89
- PID 4480 wrote to memory of 432 / 90
- PID 4480 wrote to memory of 432 / 90
- PID 4480 wrote to memory of 432 / 90
- PID 4480 wrote to memory of 4860 / 91
- PID 4480 wrote to memory of 4860 / 91
- PID 4480 wrote to memory of 4860 / 91
- PID 4480 wrote to memory of 3828 / 92
- PID 4480 wrote to memory of 3828 / 92
- PID 4480 wrote to memory of 3828 / 92
System policy modification (1 TTPs, 4 IoCs)
All entries by process c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Command line: "C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"
- PID: 4480
- Signatures:
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  Level 2 (child of PID 4480): C:\Windows\xk.exe
  - Command line: C:\Windows\xk.exe
  - PID: 2736
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  Level 2 (child of PID 4480): C:\Windows\SysWOW64\IExplorer.exe
  - Command line: C:\Windows\system32\IExplorer.exe
  - PID: 2800
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  Level 2 (child of PID 4480): C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  - Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  - PID: 2408
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  Level 2 (child of PID 4480): C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  - Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  - PID: 2124
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  Level 2 (child of PID 4480): C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  - Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  - PID: 432
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  Level 2 (child of PID 4480): C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  - Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  - PID: 4860
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  Level 2 (child of PID 4480): C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  - Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  - PID: 3828
  - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads