Analysis
max time kernel: 162s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 16:58
Behavioral task
behavioral1
Sample: b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Resource: win7-20220901-en
General
Target: b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Size: 255KB
MD5: 18da44bdf8cb5baa2357058f4aa12eb1
SHA1: 44b6e901b7c44991dc6d42a9166d699e1a8f6946
SHA256: b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31
SHA512: f64dc0f618d71b80b2298f880f0b40fa95bd691b3de29ef933d1262d3dbcfbae629a20ee2a77a999709d46417bcd800f66477086bf49bd7429d8e91ca028467c
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6Z:Plf5j6zCNa0xeE3mg
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | atgdcffrpr.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | atgdcffrpr.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | atgdcffrpr.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | atgdcffrpr.exe
Executes dropped EXE 5 IoCs
pid | Process
2212 | atgdcffrpr.exe
3972 | zpkoeuozwlvjvxs.exe
4432 | hslpouqh.exe
3540 | fznonocqtaxdq.exe
4648 | hslpouqh.exe
UPX packed file 25 IoCs
resource | yara_rule
behavioral2/memory/3936-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3936-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0009000000022f64-135.dat | upx
behavioral2/files/0x0009000000022f64-136.dat | upx
behavioral2/files/0x0009000000022f6d-138.dat | upx
behavioral2/files/0x0009000000022f6d-139.dat | upx
behavioral2/memory/2212-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3972-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f72-143.dat | upx
behavioral2/files/0x0006000000022f72-144.dat | upx
behavioral2/files/0x0006000000022f73-147.dat | upx
behavioral2/files/0x0006000000022f73-148.dat | upx
behavioral2/memory/4432-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3540-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f72-152.dat | upx
behavioral2/memory/4648-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3936-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2212-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3972-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4432-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3540-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0003000000009df0-160.dat | upx
behavioral2/files/0x0007000000022f78-161.dat | upx
behavioral2/files/0x0007000000022f78-162.dat | upx
behavioral2/memory/4648-163-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | atgdcffrpr.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | zpkoeuozwlvjvxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rzfheelm = "atgdcffrpr.exe" | zpkoeuozwlvjvxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haiogeef = "zpkoeuozwlvjvxs.exe" | zpkoeuozwlvjvxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fznonocqtaxdq.exe" | zpkoeuozwlvjvxs.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\<letter>: | atgdcffrpr.exe: 21 opens, one each for the drive letters a, e, f, g, h, i, j, k, l, m, n, o, q, s, t, u, v, w, x, y, z
File opened (read-only) | \??\<letter>: | hslpouqh.exe: 43 opens covering every letter from a to z except c and d; all of them are opened twice (once per hslpouqh.exe instance) apart from i, m, v, w and y, which appear once
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | atgdcffrpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | atgdcffrpr.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2212-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3972-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4432-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3540-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4648-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3936-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2212-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3972-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4432-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3540-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4648-163-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | atgdcffrpr.exe
File created | C:\Windows\SysWOW64\atgdcffrpr.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File created | C:\Windows\SysWOW64\fznonocqtaxdq.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File opened for modification | C:\Windows\SysWOW64\zpkoeuozwlvjvxs.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File created | C:\Windows\SysWOW64\hslpouqh.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File opened for modification | C:\Windows\SysWOW64\hslpouqh.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File opened for modification | C:\Windows\SysWOW64\fznonocqtaxdq.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File opened for modification | C:\Windows\SysWOW64\atgdcffrpr.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File created | C:\Windows\SysWOW64\zpkoeuozwlvjvxs.exe | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hslpouqh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hslpouqh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hslpouqh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hslpouqh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hslpouqh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hslpouqh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hslpouqh.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
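The UPX and AutoIT yara hits above, together with the PROTTPLN.DOC.exe / PROTTPLV.DOC.exe drops into the Office template folder, are properties a responder can check statically on a recovered file without running it. The Python below is an added example, not Triage's code and not part of the report: it walks the PE section table looking for UPX section names, searches for the AU3!EA06 marker that compiled AutoIt3 scripts carry, and flags double-extension names of the lure pattern seen here. The file contents are constructed, header-only PE blobs keyed by paths taken from the report, so the script runs offline without the real sample.

```python
import struct

AU3_MARKER = b"AU3!EA06"                  # marker embedded in compiled AutoIt3 scripts
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by the UPX packer
LURE_INNER_EXTS = {"doc", "docx", "rtf", "xls", "xlsx", "pdf", "txt", "jpg", "png"}


def pe_section_names(data: bytes):
    """Section names of a PE image ([] if the bytes are not a well-formed PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header after the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsec):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes, Name is its first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    return bool(UPX_SECTIONS & set(pe_section_names(data)))


def has_autoit_script(data: bytes) -> bool:
    return AU3_MARKER in data


def is_double_extension(path: str) -> bool:
    """True for names such as PROTTPLN.DOC.exe: a document suffix followed by .exe."""
    parts = path.replace("/", "\\").rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in LURE_INNER_EXTS


def triage(path: str, data: bytes) -> dict:
    return {"upx": is_upx_packed(data),
            "autoit": has_autoit_script(data),
            "double_ext": is_double_extension(path)}


def triage_all(files: dict) -> dict:
    return {p: triage(p, d) for p, d in files.items()}


def build_fake_pe(section_names, tail: bytes = b"") -> bytes:
    """Constructed PE-shaped test data: DOS stub, COFF header, section table, no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)  # opt hdr size 0
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + tail


# Paths come from the report; the contents are constructed here, not the real files.
SAMPLE_FILES = {
    r"C:\Windows\SysWOW64\atgdcffrpr.exe":
        build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + AU3_MARKER),
    r"c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe":
        build_fake_pe([b"UPX0", b"UPX1"], AU3_MARKER),
    r"C:\Windows\SysWOW64\msvbvm60.dll":                    # clean control
        build_fake_pe([b".text", b".rdata", b".rsrc"]),
    r"C:\Windows\mydoc.rtf": b"{\\rtf1\\ansi constructed lure document}",
}

if __name__ == "__main__":
    for path, flags in triage_all(SAMPLE_FILES).items():
        print(f"{path}: {flags}")
```

The section-name test is a cheap first pass only: a repacked or renamed UPX stub will not carry UPX0/UPX1, and the AU3 marker can be stripped from a compiled script, so a miss here is not a clean bill of health, while a hit on either is a strong reason to pull the file for full analysis.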
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C6FE1D21D0D20CD0D28A759167" | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | atgdcffrpr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | atgdcffrpr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFC8D482E851E9136D7287D96BC97E6365946664F6343D6EC" | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B02947E238E253B8B9D733EDD7CE" | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C6091590DAB4B8BA7CE1EDE234CF" | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | atgdcffrpr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | atgdcffrpr.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9CBF966F19683753A4486ED3EE2B38802F842150333E2C845E809A9" | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | atgdcffrpr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | atgdcffrpr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | atgdcffrpr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | atgdcffrpr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | atgdcffrpr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D7C9C5583206A3F76D670202DDC7C8E65DB" | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | atgdcffrpr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | atgdcffrpr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | atgdcffrpr.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
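Nearly all of the registry signatures in this report (Explorer hiding extensions and protected files, the Security Center override and notification flags, DisableRegistryTools, the Run keys, the Winlogon SFCDisable write, and the .bat/.vbs/.reg/.wsf/.wsh/.wsc handlers pointed at txtfile) are plain value writes, so they can be matched straight from the "Set value" rows and turned into a restore list. The Python below is an added example and not Triage's code: the event rows are copied from the signatures above, while the rule table, the stock Windows 10 ProgIDs it restores, the single constructed benign control event, and the reg.exe output format are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One Triage "Set value" row:  Set value (int) <key>\<name> = "<data>" <process>
EVENT_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*?)" (\S+)$')

# Assumed stock Windows 10 ProgIDs for the extensions the sample re-points at "txtfile".
DEFAULT_PROGID = {".bat": "batfile", ".vbs": "VBSFile", ".reg": "regfile",
                  ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}
SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                         "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled"}


@dataclass
class Finding:
    process: str
    vtype: str               # "int" or "str", as Triage logged it
    key: str
    name: str                # "" for the key's default value
    data: str
    reason: str
    restore: Optional[str]   # value to put back; None means delete the value


def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, path, data, process = m.groups()
    key, _, name = path.rpartition("\\")      # a trailing "\" means the default value
    return vtype, key, name, data, process


def classify(key: str, name: str, data: str):
    """(reason, restore value) for a known-bad write, or None if the write is not a rule hit."""
    k, n = key.lower(), name.lower()
    if k.endswith("\\explorer\\advanced") and n == "hidefileext" and data == "1":
        return "Explorer hides file extensions (T1564.001)", "0"
    if k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and data == "0":
        return "Explorer hides protected operating-system files (T1564.001)", "1"
    if k.endswith("\\policies\\system") and n == "disableregistrytools" and data == "1":
        return "Registry editor disabled by policy (T1112)", "0"
    if "\\microsoft\\security center" in k and name in SECURITY_CENTER_FLAGS and data == "1":
        return "Security Center override/notification flag set (T1562.001)", "0"
    if k.endswith("\\winlogon") and n == "sfcdisable" and data == "4294967197":
        return "Winlogon SFCDisable = 0xFFFFFF9D, the legacy Windows File Protection disable value (T1112)", "0"
    if k.endswith("\\currentversion\\run"):
        where = "bare file name resolved via the search path" if "\\" not in data else data
        return f"Run-key autostart '{name or '(default)'}' -> {where} (T1547.001)", None
    ext = k.rsplit("\\", 1)[-1]
    if ext in DEFAULT_PROGID and name == "" and data.lower() == "txtfile":
        return f"{ext} handler re-pointed at txtfile, so such scripts open as text instead of running", DEFAULT_PROGID[ext]
    return None


def evaluate(lines) -> List[Finding]:
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        vtype, key, name, data, process = parsed
        hit = classify(key, name, data)
        if hit:
            findings.append(Finding(process, vtype, key, name, data, hit[0], hit[1]))
    return findings


def hive_path(key: str) -> str:
    """Native \\REGISTRY\\MACHINE and \\REGISTRY\\USER paths to reg.exe HKLM / HKU syntax."""
    for native, short in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if key.upper().startswith(native):
            return short + key[len(native):]
    return key


def reg_commands(findings) -> List[str]:
    """reg.exe lines that undo each finding; review them before running on a live host."""
    cmds = []
    for f in findings:
        target = f'"{hive_path(f.key)}"'
        vflag = "/ve" if f.name == "" else f'/v "{f.name}"'
        if f.restore is None:
            cmds.append(f"reg delete {target} {vflag} /f")
        else:
            rtype = "REG_DWORD" if f.vtype == "int" else "REG_SZ"
            cmds.append(f'reg add {target} {vflag} /t {rtype} /d "{f.restore}" /f')
    return cmds


SAMPLE_EVENTS = [  # rows copied from the report's signatures, plus one constructed benign write
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" atgdcffrpr.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" atgdcffrpr.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" atgdcffrpr.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" atgdcffrpr.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" atgdcffrpr.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" atgdcffrpr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rzfheelm = "atgdcffrpr.exe" zpkoeuozwlvjvxs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fznonocqtaxdq.exe" zpkoeuozwlvjvxs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" atgdcffrpr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" atgdcffrpr.exe',
    # constructed benign control: an Explorer preference that no rule should flag
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel = "1" explorer.exe',
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.process}] {f.reason}")
    print("\n".join(reg_commands(found)))
```

The WOW6432Node paths are kept exactly as the 32-bit sample wrote them, so the generated reg.exe lines target the same view; the SID in the HKU paths is the analysis VM's and has to be swapped for the affected user's on a real host. Run the output from an elevated prompt only after the findings have been confirmed.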
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | events
324 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events (in report order)
3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 14
2212 | atgdcffrpr.exe | 10
3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 2
3972 | zpkoeuozwlvjvxs.exe | 12
4432 | hslpouqh.exe | 8
3540 | fznonocqtaxdq.exe | 12
3972 | zpkoeuozwlvjvxs.exe | 2
3540 | fznonocqtaxdq.exe | 4
Suspicious use of FindShellTrayWindow 19 IoCs
pid | Process | events
3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 4
2212 | atgdcffrpr.exe | 3
3972 | zpkoeuozwlvjvxs.exe | 3
4432 | hslpouqh.exe | 3
3540 | fznonocqtaxdq.exe | 3
4648 | hslpouqh.exe | 3
Suspicious use of SendNotifyMessage 19 IoCs
pid | Process | events
3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 4
2212 | atgdcffrpr.exe | 3
3972 | zpkoeuozwlvjvxs.exe | 3
4432 | hslpouqh.exe | 3
3540 | fznonocqtaxdq.exe | 3
4648 | hslpouqh.exe | 3
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process | events
324 | WINWORD.EXE | 3
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target | events
PID 3936 wrote to memory of 2212 | 3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 81 | 3
PID 3936 wrote to memory of 3972 | 3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 82 | 3
PID 3936 wrote to memory of 4432 | 3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 83 | 3
PID 3972 wrote to memory of 3688 | 3972 | zpkoeuozwlvjvxs.exe | 85 | 3
PID 3936 wrote to memory of 3540 | 3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 84 | 3
PID 2212 wrote to memory of 4648 | 2212 | atgdcffrpr.exe | 87 | 3
PID 3936 wrote to memory of 324 | 3936 | b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe | 88 | 2
Processes
C:\Users\Admin\AppData\Local\Temp\b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b064c1a44605cc6f6b006e60d4a2cca30751692858283c10aa2c13a8192fcb31.exe"
  PID: 3936
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\atgdcffrpr.exe
    command line: atgdcffrpr.exe
    PID: 2212
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\hslpouqh.exe
      command line: C:\Windows\system32\hslpouqh.exe
      PID: 4648
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\zpkoeuozwlvjvxs.exe
    command line: zpkoeuozwlvjvxs.exe
    PID: 3972
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c fznonocqtaxdq.exe
      PID: 3688
  C:\Windows\SysWOW64\hslpouqh.exe
    command line: hslpouqh.exe
    PID: 4432
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fznonocqtaxdq.exe
    command line: fznonocqtaxdq.exe
    PID: 3540
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 324
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Defense Evasion
  Disabling Security Tools (2)
  Hidden Files and Directories (2)
  Modify Registry (6)
Downloads
Filesize: 255KB
MD5: 04e8baba26610f4334056f8d4d4a567c
SHA1: ac42d68456dede1cfca636a68c8a569f86503e3f
SHA256: ac2b80d103e2cf54c105d052e1325a33eea76d0bbd93e5c393d30076c9f9f91b
SHA512: 24c14fc46f09ef8a39a04a0806fc0a185f2eecb856a7e79f0038f4dc207022204986a31e24b5679dbe9dd10c53cd2f5f0a2a9ab49b9b4c9c8dd346d448575ff5

Filesize: 255KB
MD5: 0849d0b48462f3c5f15e59f0506d87d5
SHA1: c0ca565ab39342cb38fe44c331805e9ad7cb0f05
SHA256: 38f6f97a9169962e8debe38441c1460b23bfef7a5b75dd1fbece75c0760747fd
SHA512: 8c81fbe5219d34bf67594ac4cf435f85b3ba0de54926aa84fd31cf510a3e82f790d507cd523fd91d90b8d4e9c891b23a59ef53e13d2f0d63dc94cc58bae66193

Filesize: 255KB
MD5: 618d236da3a42e233e4981550e50d28d
SHA1: a39dac0f6da7d07b9648d19d318b4a418d961f98
SHA256: 11975049f504b65a3eb06a91d20853e1a1628fdc87c0e1af8cfa0023fad49971
SHA512: 41139074bad7a056314b76c60a0325f63d1b3c59333d24780040286b04e7af22652370c39b68287a8b0e62603767ae3c32212f5397cb7c2a5f70b05bb1a6e0f7

Filesize: 255KB
MD5: 618d236da3a42e233e4981550e50d28d
SHA1: a39dac0f6da7d07b9648d19d318b4a418d961f98
SHA256: 11975049f504b65a3eb06a91d20853e1a1628fdc87c0e1af8cfa0023fad49971
SHA512: 41139074bad7a056314b76c60a0325f63d1b3c59333d24780040286b04e7af22652370c39b68287a8b0e62603767ae3c32212f5397cb7c2a5f70b05bb1a6e0f7

Filesize: 255KB
MD5: 47600466ea8e8eb864ac7ef4d439d969
SHA1: d279657091964233ddbcd150721b09e17c5091f5
SHA256: c00388507c56a9df17e20b7ba50aee38a98a1d0d078b71240f727447c81be1b9
SHA512: e97de8c75df9aa68eeabdc6763a46b551c2b87031756befdb93785c2e254b3abd72e809c92103ca4a3da2fc10536622797bb34b8a74596864a0994a9b9108c40

Filesize: 255KB
MD5: 47600466ea8e8eb864ac7ef4d439d969
SHA1: d279657091964233ddbcd150721b09e17c5091f5
SHA256: c00388507c56a9df17e20b7ba50aee38a98a1d0d078b71240f727447c81be1b9
SHA512: e97de8c75df9aa68eeabdc6763a46b551c2b87031756befdb93785c2e254b3abd72e809c92103ca4a3da2fc10536622797bb34b8a74596864a0994a9b9108c40

Filesize: 255KB
MD5: 4d48207459775e54985dc796a6d5e385
SHA1: 9eadb580cd521426b56198fd90e1c036a28c5ab3
SHA256: 1f3fd05970b1269dfdb920b1c3d72d39e5ee880955af29e19edad6dea59870f7
SHA512: 7b2674b5b2099a2a004f075974f6646a7722a13e4a07b95e6374588c5c963ac538ecb2401e8fdc16a205b5db8d1f9984b8889dff9bc8f4b7889edeb1ab62e14d

Filesize: 255KB
MD5: 4d48207459775e54985dc796a6d5e385
SHA1: 9eadb580cd521426b56198fd90e1c036a28c5ab3
SHA256: 1f3fd05970b1269dfdb920b1c3d72d39e5ee880955af29e19edad6dea59870f7
SHA512: 7b2674b5b2099a2a004f075974f6646a7722a13e4a07b95e6374588c5c963ac538ecb2401e8fdc16a205b5db8d1f9984b8889dff9bc8f4b7889edeb1ab62e14d

Filesize: 255KB
MD5: 4d48207459775e54985dc796a6d5e385
SHA1: 9eadb580cd521426b56198fd90e1c036a28c5ab3
SHA256: 1f3fd05970b1269dfdb920b1c3d72d39e5ee880955af29e19edad6dea59870f7
SHA512: 7b2674b5b2099a2a004f075974f6646a7722a13e4a07b95e6374588c5c963ac538ecb2401e8fdc16a205b5db8d1f9984b8889dff9bc8f4b7889edeb1ab62e14d

Filesize: 255KB
MD5: b8ef7d76e27e45e6654f4cba55a90dce
SHA1: 8db546adc08042b1a9c6f69e6b29da4445bd32e2
SHA256: 1000c5c6f9aab29307a21f2600b0bf74c771fff91166702fb000ce14d7afb8b5
SHA512: 39a73a2df088a177e1ddf007228ba3485cf6cf881a37e960ff7f420bdf80b4e9e42a2581a910461baf01ac0eef9ee0683c8801fa34a89d1f6749e8856c80faf0

Filesize: 255KB
MD5: b8ef7d76e27e45e6654f4cba55a90dce
SHA1: 8db546adc08042b1a9c6f69e6b29da4445bd32e2
SHA256: 1000c5c6f9aab29307a21f2600b0bf74c771fff91166702fb000ce14d7afb8b5
SHA512: 39a73a2df088a177e1ddf007228ba3485cf6cf881a37e960ff7f420bdf80b4e9e42a2581a910461baf01ac0eef9ee0683c8801fa34a89d1f6749e8856c80faf0

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: 0849d0b48462f3c5f15e59f0506d87d5
SHA1: c0ca565ab39342cb38fe44c331805e9ad7cb0f05
SHA256: 38f6f97a9169962e8debe38441c1460b23bfef7a5b75dd1fbece75c0760747fd
SHA512: 8c81fbe5219d34bf67594ac4cf435f85b3ba0de54926aa84fd31cf510a3e82f790d507cd523fd91d90b8d4e9c891b23a59ef53e13d2f0d63dc94cc58bae66193