syskey.exe

  • File Path: C:\Windows\SysWOW64\syskey.exe
  • Description: SAM Lock Tool

Screenshot

  • (image of syskey.exe not included in this extract)

Hashes

  • MD5: EFDF337667EB0516CC325BA74A7F9411
  • SHA1: AB2B69E0154B397546BB644E47484FB87E2F3ABA
  • SHA256: 29D60AA6C35719216CABE7E2290B08DBF6D7BE0E1ECC66B88E8760EA0AD54459
  • SHA384: 70CF220B857BF6D4117A41E8D7764AC64E84456DE6931EA7C97C1195F2A75085D449F291C8F1A99ED7E5804B470A2138
  • SHA512: 79DB4349ED2349C9D05FC5E6BC848768C8302E6095EF2167CA7B38C18F41378FC2BB8473B72C94B6948E014A85EDB7A37159324264D8EEAE72EA25E691B8CC61
  • SSDEEP: 384:2Tf/M5xZu0TnS07ZQnnCvhK5I37X8xuVTy+SC7uHUrSjaU1KC1Q1fWaxWVf:eX+xQ0TnSZChK5I3d5/iHUrSjaN0

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: samlock.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  • C:\Windows\system32\syskey.exe: score 33
  • C:\windows\SysWOW64\syskey.exe: score 29

Possible Misuse

The following entries are examples of detection content (Sigma and YARA rules) that reference syskey.exe or SysKey-related activity. While syskey.exe is not inherently malicious, its legitimate functionality (the SAM Lock Tool, which protects the SAM database with a boot key) can be abused, for example by extracting the SAM hive and the boot key to recover password hashes offline, and these rules exist to detect such activity.

  • Source: sigma; File: godmode_sigma_rule.yml; Example: - 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction; License: DRL 1.0
  • Source: sigma; File: win_syskey_registry_access.yml; Example: title: SysKey Registry Keys Access; License: DRL 1.0
  • Source: sigma; File: win_syskey_registry_access.yml; Example: description: Detects handle requests and access operations to specific registry keys to calculate the SysKey; License: DRL 1.0
  • Source: sigma; File: proc_creation_win_susp_system_user_anomaly.yml; Example: - 'reg SAVE HKLM' # save registry SAM - syskey extraction; License: DRL 1.0
  • Source: signature-base; File: yara_mixed_ext_vars.yar; Example: description = "LSA dump programe (bootkey/syskey) - pwdump and others"; License: CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.