Analysis
- max time kernel: 32s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 18:18
Static task: static1
Behavioral task: behavioral1
- Sample: 33f6ad45101924695ada416233770cfb.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 33f6ad45101924695ada416233770cfb.exe
- Resource: win10v2004-20231215-en
General
- Target: 33f6ad45101924695ada416233770cfb.exe
- Size: 512KB
- MD5: 33f6ad45101924695ada416233770cfb
- SHA1: 0ff77081cfa9f9a5b3593a2462548d59516054d1
- SHA256: 6d8dc1060bb48b1689e1ff4f705551476255d58fbfecf67e3a92d9cd3be8c582
- SHA512: 2ea14184a82e16a39c099d7b476816f54f058de22e546ac29778db8fabff702eb6e144aed06a1ad03c423fc61f17ea54ce324f4bb39da8a637a7825335f4711c
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5U
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (jfqsuqimfr.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (jfqsuqimfr.exe)
Windows security bypass (5 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (jfqsuqimfr.exe)
Disables RegEdit via registry modification (1 IoC)
description / ioc / Process:
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (jfqsuqimfr.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (33f6ad45101924695ada416233770cfb.exe)
Executes dropped EXE (5 IoCs)
pid / Process:
- PID 3140: jfqsuqimfr.exe
- PID 2056: dqzusnaorutyfzd.exe
- PID 2408: ajybovdj.exe
- PID 4844: gxdpvweqmipaj.exe
- PID 1796: ajybovdj.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (jfqsuqimfr.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kkmuiovt = "jfqsuqimfr.exe" (dqzusnaorutyfzd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sclkaxep = "dqzusnaorutyfzd.exe" (dqzusnaorutyfzd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gxdpvweqmipaj.exe" (dqzusnaorutyfzd.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only): \??\e: (ajybovdj.exe)
- File opened (read-only): \??\g: (ajybovdj.exe)
- File opened (read-only): \??\r: (ajybovdj.exe)
- File opened (read-only): \??\g: (ajybovdj.exe)
- File opened (read-only): \??\s: (ajybovdj.exe)
- File opened (read-only): \??\w: (ajybovdj.exe)
- File opened (read-only): \??\b: (jfqsuqimfr.exe)
- File opened (read-only): \??\o: (jfqsuqimfr.exe)
- File opened (read-only): \??\r: (jfqsuqimfr.exe)
- File opened (read-only): \??\u: (jfqsuqimfr.exe)
- File opened (read-only): \??\k: (ajybovdj.exe)
- File opened (read-only): \??\r: (ajybovdj.exe)
- File opened (read-only): \??\n: (ajybovdj.exe)
- File opened (read-only): \??\p: (ajybovdj.exe)
- File opened (read-only): \??\m: (ajybovdj.exe)
- File opened (read-only): \??\s: (ajybovdj.exe)
- File opened (read-only): \??\t: (ajybovdj.exe)
- File opened (read-only): \??\j: (jfqsuqimfr.exe)
- File opened (read-only): \??\t: (jfqsuqimfr.exe)
- File opened (read-only): \??\x: (jfqsuqimfr.exe)
- File opened (read-only): \??\o: (ajybovdj.exe)
- File opened (read-only): \??\u: (ajybovdj.exe)
- File opened (read-only): \??\z: (ajybovdj.exe)
- File opened (read-only): \??\v: (jfqsuqimfr.exe)
- File opened (read-only): \??\y: (jfqsuqimfr.exe)
- File opened (read-only): \??\o: (ajybovdj.exe)
- File opened (read-only): \??\v: (ajybovdj.exe)
- File opened (read-only): \??\x: (ajybovdj.exe)
- File opened (read-only): \??\y: (ajybovdj.exe)
- File opened (read-only): \??\b: (ajybovdj.exe)
- File opened (read-only): \??\g: (jfqsuqimfr.exe)
- File opened (read-only): \??\i: (jfqsuqimfr.exe)
- File opened (read-only): \??\b: (ajybovdj.exe)
- File opened (read-only): \??\e: (jfqsuqimfr.exe)
- File opened (read-only): \??\n: (ajybovdj.exe)
- File opened (read-only): \??\u: (ajybovdj.exe)
- File opened (read-only): \??\j: (ajybovdj.exe)
- File opened (read-only): \??\w: (ajybovdj.exe)
- File opened (read-only): \??\q: (jfqsuqimfr.exe)
- File opened (read-only): \??\h: (ajybovdj.exe)
- File opened (read-only): \??\h: (jfqsuqimfr.exe)
- File opened (read-only): \??\n: (jfqsuqimfr.exe)
- File opened (read-only): \??\w: (jfqsuqimfr.exe)
- File opened (read-only): \??\i: (ajybovdj.exe)
- File opened (read-only): \??\z: (jfqsuqimfr.exe)
- File opened (read-only): \??\e: (ajybovdj.exe)
- File opened (read-only): \??\z: (ajybovdj.exe)
- File opened (read-only): \??\v: (ajybovdj.exe)
- File opened (read-only): \??\a: (jfqsuqimfr.exe)
- File opened (read-only): \??\k: (jfqsuqimfr.exe)
- File opened (read-only): \??\a: (ajybovdj.exe)
- File opened (read-only): \??\l: (ajybovdj.exe)
- File opened (read-only): \??\t: (ajybovdj.exe)
- File opened (read-only): \??\k: (ajybovdj.exe)
- File opened (read-only): \??\m: (jfqsuqimfr.exe)
- File opened (read-only): \??\x: (ajybovdj.exe)
- File opened (read-only): \??\i: (ajybovdj.exe)
- File opened (read-only): \??\p: (jfqsuqimfr.exe)
- File opened (read-only): \??\s: (jfqsuqimfr.exe)
- File opened (read-only): \??\h: (ajybovdj.exe)
- File opened (read-only): \??\j: (ajybovdj.exe)
- File opened (read-only): \??\m: (ajybovdj.exe)
- File opened (read-only): \??\l: (ajybovdj.exe)
- File opened (read-only): \??\q: (ajybovdj.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (jfqsuqimfr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (jfqsuqimfr.exe)
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/memory/2576-0-0x0000000000400000-0x0000000000496000-memory.dmp (autoit_exe)
- behavioral2/files/0x0007000000023208-32.dat (autoit_exe)
- behavioral2/files/0x0007000000023207-29.dat (autoit_exe)
- behavioral2/files/0x0009000000023202-23.dat (autoit_exe)
- behavioral2/files/0x0007000000023207-40.dat (autoit_exe)
- behavioral2/files/0x000e000000023168-19.dat (autoit_exe)
- behavioral2/files/0x0006000000023236-73.dat (autoit_exe)
- behavioral2/files/0x0006000000023236-77.dat (autoit_exe)
Drops file in System32 directory (12 IoCs)
description / ioc / Process:
- File opened for modification: C:\Windows\SysWOW64\jfqsuqimfr.exe (33f6ad45101924695ada416233770cfb.exe)
- File created: C:\Windows\SysWOW64\dqzusnaorutyfzd.exe (33f6ad45101924695ada416233770cfb.exe)
- File created: C:\Windows\SysWOW64\ajybovdj.exe (33f6ad45101924695ada416233770cfb.exe)
- File created: C:\Windows\SysWOW64\jfqsuqimfr.exe (33f6ad45101924695ada416233770cfb.exe)
- File opened for modification: C:\Windows\SysWOW64\ajybovdj.exe (33f6ad45101924695ada416233770cfb.exe)
- File created: C:\Windows\SysWOW64\gxdpvweqmipaj.exe (33f6ad45101924695ada416233770cfb.exe)
- File opened for modification: C:\Windows\SysWOW64\gxdpvweqmipaj.exe (33f6ad45101924695ada416233770cfb.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (jfqsuqimfr.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: C:\Windows\SysWOW64\dqzusnaorutyfzd.exe (33f6ad45101924695ada416233770cfb.exe)
Drops file in Program Files directory (15 IoCs)
description / ioc / Process:
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ajybovdj.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ajybovdj.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ajybovdj.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ajybovdj.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ajybovdj.exe)
Drops file in Windows directory (19 IoCs)
description / ioc / Process:
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: C:\Windows\mydoc.rtf (33f6ad45101924695ada416233770cfb.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ajybovdj.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ajybovdj.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (jfqsuqimfr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (jfqsuqimfr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (jfqsuqimfr.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings (33f6ad45101924695ada416233770cfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC5FE6922DDD279D0A18B7F9011" (33f6ad45101924695ada416233770cfb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (jfqsuqimfr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C7E9D5782256D4277D1702F2CAC7DF165DB" (33f6ad45101924695ada416233770cfb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (jfqsuqimfr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB12044E7399953B8B9D432EAD7CC" (33f6ad45101924695ada416233770cfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFC8F485F826A9045D6207D90BC97E14459376647633FD79E" (33f6ad45101924695ada416233770cfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC60B1597DAB0B8BC7F95EDE237C9" (33f6ad45101924695ada416233770cfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (jfqsuqimfr.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (33f6ad45101924695ada416233770cfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9CCFE67F2E584083B30869A39E5B38D03F14213024BE1C845EA08D5" (33f6ad45101924695ada416233770cfb.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid / Process:
- PID 3180: WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (entries in report order, identical rows collapsed with counts):
- PID 2576: 33f6ad45101924695ada416233770cfb.exe (16 entries)
- PID 2408: ajybovdj.exe (8 entries)
- PID 2056: dqzusnaorutyfzd.exe (8 entries)
- PID 4844: gxdpvweqmipaj.exe (12 entries)
- PID 3140: jfqsuqimfr.exe (10 entries)
- PID 2056: dqzusnaorutyfzd.exe (2 entries)
- PID 1796: ajybovdj.exe (8 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid / Process (identical rows collapsed with counts):
- PID 2576: 33f6ad45101924695ada416233770cfb.exe (3 entries)
- PID 2408: ajybovdj.exe (3 entries)
- PID 2056: dqzusnaorutyfzd.exe (3 entries)
- PID 3140: jfqsuqimfr.exe (3 entries)
- PID 4844: gxdpvweqmipaj.exe (3 entries)
- PID 1796: ajybovdj.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
pid / Process (identical rows collapsed with counts):
- PID 2576: 33f6ad45101924695ada416233770cfb.exe (3 entries)
- PID 2408: ajybovdj.exe (3 entries)
- PID 2056: dqzusnaorutyfzd.exe (3 entries)
- PID 3140: jfqsuqimfr.exe (3 entries)
- PID 4844: gxdpvweqmipaj.exe (3 entries)
- PID 1796: ajybovdj.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid / Process:
- PID 3180: WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
description / pid / Process / procid_target (identical rows collapsed with counts):
- PID 2576 wrote to memory of 3140: 2576 33f6ad45101924695ada416233770cfb.exe, procid_target 99 (3 entries)
- PID 2576 wrote to memory of 2056: 2576 33f6ad45101924695ada416233770cfb.exe, procid_target 90 (3 entries)
- PID 2576 wrote to memory of 2408: 2576 33f6ad45101924695ada416233770cfb.exe, procid_target 98 (3 entries)
- PID 2576 wrote to memory of 4844: 2576 33f6ad45101924695ada416233770cfb.exe, procid_target 91 (3 entries)
- PID 2576 wrote to memory of 3180: 2576 33f6ad45101924695ada416233770cfb.exe, procid_target 92 (2 entries)
- PID 3140 wrote to memory of 1796: 3140 jfqsuqimfr.exe, procid_target 96 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\33f6ad45101924695ada416233770cfb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33f6ad45101924695ada416233770cfb.exe"
  PID: 2576
  Signatures:
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
    - C:\Windows\SysWOW64\dqzusnaorutyfzd.exe
      Command line: dqzusnaorutyfzd.exe
      PID: 2056
      Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\gxdpvweqmipaj.exe
      Command line: gxdpvweqmipaj.exe
      PID: 4844
      Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 3180
      Signatures:
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\ajybovdj.exe
      Command line: ajybovdj.exe
      PID: 2408
      Signatures:
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\jfqsuqimfr.exe
      Command line: jfqsuqimfr.exe
      PID: 3140
      Signatures:
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\ajybovdj.exe (depth 1)
  Command line: C:\Windows\system32\ajybovdj.exe
  PID: 1796
  Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: e55b95b66d08b45bb7481190ddbf662e
  SHA1: fe22a61b43d2ebbf8a098bd4ee264aa3832b8704
  SHA256: 1379ab071d360c52759a4c536400c512dac448fa8de00fb51d1514046ef29530
  SHA512: bb95f0b18cbbb464d62065c4befc5de67267f5e0de73b56a76e42b02ef6753803f8b511b9539ef9771b1d245da29e185b5d21d7614337018989bd87dedfe17a2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 9c97e73c85450850c23e01959029bfa2
  SHA1: 5339c340401501a9a76766942103c15275442cf1
  SHA256: b481766d9bed6997db1a207169a80ff0c01eaf9f5c8e99ed5ad27e20b3e422ed
  SHA512: bca2ae3c4b979bcbdcf122e10b33b6f2a2b76f661c6c3a7803c2129a5751c8ce6c1794a620066f24f1f444d6bf7e4c7147d327dfb59c570b6912f4941bec3fca
- Filesize: 512KB
  MD5: b4e7dc753ac138cb3b0e98738a8b8377
  SHA1: 0246540c2715c4909286867d1ccd32f331b3e347
  SHA256: 8a8ed5964bf2913a6d6eba537979ceb9e46575a096f055c0b8209ec34821a4f4
  SHA512: c0acd109ce53a9ce3f41aca35161fdd1dcfc529df6f7c98c795b928f1baa77e5e4a562455d700b639dbcc424c4c1bb731f077db62dd81fd2f1350afcd21f68c7
- Filesize: 92KB
  MD5: 6662b185f19fbf697c56a25c92de7961
  SHA1: 0df0c0df0de3724258df2549c583e3c934aca726
  SHA256: c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
  SHA512: c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
- Filesize: 512KB
  MD5: db5309059835457a197c275818f59e0d
  SHA1: da21400b1db678b4c5ef7786981fc3c75bc05baa
  SHA256: 90920f57bb3fff972b4381f129befeddc2646669c5b0fce807f8a1b6ff8744f2
  SHA512: 0b417c8fb1e65f775888d6417887d0438d231815fa0315e29513311a3aaa2ae8fa552bfaf3cc0fff694d65ae966c0c777a5a1c4baa9dc62ead3c113a3bf1929f
- Filesize: 512KB
  MD5: 6e92dedd481cfc80c3f0d8da63e04a8b
  SHA1: 2f50d1f95eefb14d61ada73ae0af8c79f9e93123
  SHA256: a4530acdd4bebbcb4245333ceae34c82cd9a53efc20f778f8a2cf70601b5083b
  SHA512: a1a1fba389e64bbfcec29dd2e904bb663bc0b299f19850e278b64e1ed82fa9085089e10faa30288ac53853a1c94e3f36fd0e976ab6fd7fa3c1860a2741a1b3d1
- Filesize: 512KB
  MD5: e40b2b03f595bc0cf2eb80a250e0d90c
  SHA1: 025f3c2987e5bfbeaadfb6cdfdf26954f854b580
  SHA256: 9537338860be8f34ef7bfc5161e0d73a8b3883dde6a7c85d88dd169eb5e5c62d
  SHA512: a30a5d97215ef6ded2c9e07b345c84bd7ced12905f8f5005736eaf3e3fc1a4510381537c8e636a9a0c76c82b1e9b774eb346b450bbbd9597a43fadf1e66897ad
- Filesize: 95KB
  MD5: 325d35d16810bf2ca20f49e9369ceafc
  SHA1: 16a818972ea75b6656eba8b6ca090be9e0bc8f03
  SHA256: 8798efdb1d409d30daf09e596ff0a6875f2f9b89e08c16e891206ddf0771a645
  SHA512: a0664efd0a950150ffa3b7f79d76038579f20835e4b99043db61586a475ca9f06f1907b7cbdc46e36feb556a8d4cbf473a7f8a5aa51872a41b997c8904284893
- Filesize: 512KB
  MD5: 46cd869ec43ea1317872e14cdb5d2369
  SHA1: cac1949891d223797e7779073ad4719ccc572187
  SHA256: a4a412030818876403a9e86b7eae92c428729a58ae8f5ac4fd9a67d85abd5635
  SHA512: 741c878e2f0995b527c5900f096c499fd5d768bb79566ba04159a3b825ae7486424a58a260c59c58e748b7f7d02b84fa5e1ab87059266c69629256d2264a3e0c