syskey.exe

  • File Path: C:\Windows\system32\syskey.exe
  • Description: SAM Lock Tool

Hashes

Type Hash
MD5 8D00177CA1D11D9A61CBF6F0D2F0420B
SHA1 92663620780C8FFB12A9C51BB2316B2A77200918
SHA256 C33F6532E98DD6FBFF3F30B80982D2B6B97D8A78AF19F50D0C8A9C114AA0C510
SHA384 E4DA7363985AC0BEB9F28F542675331D2B2CD572E3E03A3C650F219C7F7AD52708A3D79FADE918CD05C212E7C9ED22F2
SHA512 BD5F26E0BD7FBACB0E17DC7398BA170B9820CF6681C8EE20E3ADB857DEE08AC0120E2701ECEE34AEEAAC7B71D9A3A359AB6017AF289793CF7C85D801EE5860BF
SSDEEP 384:D898VYh93aAjZSD59AD3Vr2+alwOUQCigL/tPGwdAvkyUrlv6mkc1KC1Q1fWaxW:D898UKA1WS12+alNCxtPbgkyUrlAl

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: samlock.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\syskey.exe 33

Possible Misuse

The following table contains possible examples of syskey.exe being misused. While syskey.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction | DRL 1.0 |
| sigma | win_syskey_registry_access.yml | title: SysKey Registry Keys Access | DRL 1.0 |
| sigma | win_syskey_registry_access.yml | description: Detects handle requests and access operations to specific registry keys to calculate the SysKey | DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - 'reg SAVE HKLM' # save registry SAM - syskey extraction | DRL 1.0 |
| signature-base | yara_mixed_ext_vars.yar | description = "LSA dump programe (bootkey/syskey) - pwdump and others" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.