Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/10/2024, 05:29
Behavioral task
behavioral1
Sample
afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Resource
win10v2004-20240802-en
General
-
Target
afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
-
Size
91KB
-
MD5
b0fa0a9b8123ddaebdfbccaa15c812f0
-
SHA1
4ecd5296b548cc2c03893bb59651ef39c9d5cae4
-
SHA256
afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26
-
SHA512
53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e
-
SSDEEP
1536:XJRtlEnBHHIgabuYotV/JbJCX5SBinJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQInvtYxOuYotvYQIE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
pid Process 208 xk.exe 5012 IExplorer.exe 3656 WINLOGON.EXE 3208 CSRSS.EXE 1652 SERVICES.EXE 948 LSASS.EXE 3972 SMSS.EXE -
Modifies system executable filetype association 2 TTPs 13 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell.exe afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe File created C:\Windows\SysWOW64\shell.exe afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe File created C:\Windows\SysWOW64\Mig2.scr afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe File created C:\Windows\SysWOW64\IExplorer.exe afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe File opened for modification C:\Windows\SysWOW64\Mig2.scr afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
resource yara_rule behavioral2/memory/5088-0-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/files/0x00070000000234b4-8.dat upx behavioral2/files/0x00070000000234b8-106.dat upx behavioral2/memory/208-111-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/files/0x00070000000234bc-112.dat upx behavioral2/memory/5012-118-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/files/0x00070000000234be-119.dat upx behavioral2/memory/3656-124-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/files/0x00070000000234bf-126.dat upx behavioral2/memory/3208-130-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/files/0x00070000000234c0-132.dat upx behavioral2/memory/1652-137-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/files/0x00070000000234c1-139.dat upx behavioral2/files/0x00070000000234c2-146.dat upx behavioral2/memory/948-145-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/memory/3972-151-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral2/memory/5088-153-0x0000000000400000-0x000000000042F000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\xk.exe afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe File created C:\Windows\xk.exe afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE -
Modifies Control Panel 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 208 xk.exe 5012 IExplorer.exe 3656 WINLOGON.EXE 3208 CSRSS.EXE 1652 SERVICES.EXE 948 LSASS.EXE 3972 SMSS.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 5088 wrote to memory of 208 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 83 PID 5088 wrote to memory of 208 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 83 PID 5088 wrote to memory of 208 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 83 PID 5088 wrote to memory of 5012 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 84 PID 5088 wrote to memory of 5012 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 84 PID 5088 wrote to memory of 5012 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 84 PID 5088 wrote to memory of 3656 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 85 PID 5088 wrote to memory of 3656 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 85 PID 5088 wrote to memory of 3656 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 85 PID 5088 wrote to memory of 3208 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 86 PID 5088 wrote to memory of 3208 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 86 PID 5088 wrote to memory of 3208 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 86 PID 5088 wrote to memory of 1652 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 87 PID 5088 wrote to memory of 1652 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 87 PID 5088 wrote to memory of 1652 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 87 PID 5088 wrote to memory of 948 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 88 PID 5088 wrote to memory of 948 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 88 PID 5088 wrote to memory of 948 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 88 PID 5088 wrote to memory of 3972 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 89 PID 5088 wrote to memory of 3972 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 89 PID 5088 wrote to memory of 3972 5088 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe 89 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe"C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5088 -
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:208
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5012
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3656
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3208
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1652
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:948
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3972
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD5cc0fe2c4be06f1d50835f886ac701887
SHA1464c6147f05a0e256de5294e514e46c509b61d9b
SHA2563fc119f813ff4445a29e3e126205ff1178930ca299aa099bdc69156f065bafeb
SHA512ef40a8657d68e4beeab24f834b63ffa40e085fbd1ad98b8eafd93192c30ad1196cc756232cc5259d54ab8c20d5cb7a1d786f4e997f334302420e679cfc8c780b
-
Filesize
91KB
MD57e605b89aecfb053118f143d80f3a3ac
SHA135c365c0e5411970a2cbdb91b8d6b707c9543373
SHA256fbb8cf88a4bc45c73be4910f3305118ddfadb03bae0eaae87b4a48d6393af54f
SHA5125051c74534e6b204911350971461becc5383074a68e1e8fd5d80f6e8ddc39019d70716e3888990987552abdc668f225d26a13fb488e1a74103147d6b18e10120
-
Filesize
91KB
MD59d48527e59ce5cd9dfd8c0e89a5b8b37
SHA1f9a13772eedc8a8c54d5d592fe2e6e000e3cc089
SHA256f659e19d5838855def7240a237cc5de5967dc932132c3f2e47a7b6ea08dcb6f9
SHA512ee97850399117207ae5e5e8f101da606fc702d0cbe68685f8bfeb75cc760ab4f4331fcc32f59661fc04faf5702891a56c53af43ed894481e078eff1f4ce9b1f3
-
Filesize
91KB
MD514ba81b1a50b44634711d02a799b18bd
SHA114133046740a03da68f717398da7b04935199900
SHA2569497ca22fb40555b44565267945b4ad4fccd9a7a49aaac9b29bb78e3ac7fad08
SHA51298e0f3d5b8d9e844b911fd56f6ebf952682945078a2d04901b45a2d8f10e81c13ec980db176fec298ac60796e2cd84416303515d83dc76ea4884b9ee3f94b8d3
-
Filesize
91KB
MD56eea1f1a8c70f9b1e2f3b3482cd7f3cb
SHA10bb00724575c18c91375eaa6d279cae2195441d9
SHA256a031362909d510f3af38cf8fb67eba52e9c13b30830bf6d19c677cdde6a3f708
SHA512ffe0949aeee711a796a655f6fc5ee9f340a9ebbef920cb67af2442a0d5e84418231b1d5ac40a61db40546a854b73ce7ca3f72aff8fa6f18326cbe9c7158efab6
-
Filesize
91KB
MD5b0fa0a9b8123ddaebdfbccaa15c812f0
SHA14ecd5296b548cc2c03893bb59651ef39c9d5cae4
SHA256afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26
SHA51253f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e
-
Filesize
91KB
MD526e6409e6ad0ea77414daee19a59281f
SHA13f185ac2e3d8291d4435fc9302952c1e3a2f63b4
SHA256f9efab8071c16548874d061741272fcb8a50f4d70b55fcaaa7e43361c5f58546
SHA512e68f99bebea35dd8b813a9732db12e46d51b0f782b48fb12e9681addb5348521146d68c92d442b22b1e66ae7f7877fa613d29f27113e604006ca9c72215a56e8
-
Filesize
91KB
MD5932a6b27697795103e9bba753acfd46a
SHA1a2a26dc46b816f67247fdb9d0e70ac0aef5ef6ca
SHA256f11f63585439b3d1cae83115643f85aeb6ea0ea7d25b9aa1bf90c932aa066ef4
SHA5126b59096a3ebcdeae0f139ca6b50dab4a11317b68df934545731e58b3926ba89a6f03a397352d2acd3b6c0549652a8e972b5daccb1e632e6f303c903f6d3a843b