Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 08:57
Static task
static1
Behavioral task
behavioral1
Sample
1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Resource
win10v2004-20241007-en
General
-
Target
1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
-
Size
320KB
-
MD5
f994621fb8d39133c91165a336bfa517
-
SHA1
02f1f61bd246cbb0a7cd7e1aed69e48628d15d7a
-
SHA256
1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715
-
SHA512
e3bd52ae4070e6bab51802247788e91ad5edf66272fc2668bfff14c867636931c53eb19653bb081459e0f9f45bf4dcc9df03933863ff81d0a61c4d688e908b6b
-
SSDEEP
6144:0TwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqRr:qXgvmzFHi0mo5aH0qMzd5807FRPJQPDH
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | jsahmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | jsahmn.exe
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jsahmn.exe
Adds policy Run key to start application 2 TTPs 24 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jsahmn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jsahmn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Executes dropped EXE 2 IoCs
pid | Process
2312 | jsahmn.exe
2856 | jsahmn.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | jsahmn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | jsahmn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | jsahmn.exe
Loads dropped DLL 4 IoCs
pid | Process
2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jsahmn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jsahmn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | jsahmn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | jsahmn.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | www.whatismyip.ca
8 | whatismyipaddress.com
13 | www.showmyipaddress.com
5 | whatismyip.everdot.org
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\dimpqnprydtirvgkrlquxyvx.glb | jsahmn.exe
File opened for modification | C:\Windows\SysWOW64\mcrfrzmzrhiicrncuzpesemzmeuvvpeaphm.rfr | jsahmn.exe
File created | C:\Windows\SysWOW64\mcrfrzmzrhiicrncuzpesemzmeuvvpeaphm.rfr | jsahmn.exe
File opened for modification | C:\Windows\SysWOW64\dimpqnprydtirvgkrlquxyvx.glb | jsahmn.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dimpqnprydtirvgkrlquxyvx.glb | jsahmn.exe
File created | C:\Program Files (x86)\dimpqnprydtirvgkrlquxyvx.glb | jsahmn.exe
File opened for modification | C:\Program Files (x86)\mcrfrzmzrhiicrncuzpesemzmeuvvpeaphm.rfr | jsahmn.exe
File created | C:\Program Files (x86)\mcrfrzmzrhiicrncuzpesemzmeuvvpeaphm.rfr | jsahmn.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\dimpqnprydtirvgkrlquxyvx.glb | jsahmn.exe
File created | C:\Windows\dimpqnprydtirvgkrlquxyvx.glb | jsahmn.exe
File opened for modification | C:\Windows\mcrfrzmzrhiicrncuzpesemzmeuvvpeaphm.rfr | jsahmn.exe
File created | C:\Windows\mcrfrzmzrhiicrncuzpesemzmeuvvpeaphm.rfr | jsahmn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsahmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsahmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2312 | jsahmn.exe (all 64 entries are identical)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2312 | jsahmn.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2280 wrote to memory of 2856 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2280 wrote to memory of 2856 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2280 wrote to memory of 2856 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2280 wrote to memory of 2856 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2280 wrote to memory of 2312 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 32
PID 2280 wrote to memory of 2312 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 32
PID 2280 wrote to memory of 2312 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 32
PID 2280 wrote to memory of 2312 | 2280 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 32
System policy modification 1 TTPs 36 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2280
  C:\Users\Admin\AppData\Local\Temp\jsahmn.exe (child of PID 2280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jsahmn.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
  PID: 2856
  C:\Users\Admin\AppData\Local\Temp\jsahmn.exe (child of PID 2280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jsahmn.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
  PID: 2312
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads