Analysis
max time kernel: 155s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 01:23
Static task: static1
Behavioral task: behavioral1
  Sample: 490af43a1ba402f98445a6dfe8668770.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 490af43a1ba402f98445a6dfe8668770.exe
  Resource: win10v2004-20231215-en
General
Target: 490af43a1ba402f98445a6dfe8668770.exe
Size: 512KB
MD5: 490af43a1ba402f98445a6dfe8668770
SHA1: 997e4dc71109e9f6091eb286b6ba86e27f398893
SHA256: 32499086592efa3a49548ee607808a74185ac96c003982cb94cb3c95ae0df74d
SHA512: c6f9515c60bc21e964f4ea15b14e54d2b9500e538d11ec99bc8f08106c21c4656f2d0b6c9484130a937f71910436057d6bbd32176951c16f9433eaad11f19da3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yfpwtybjhs.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yfpwtybjhs.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yfpwtybjhs.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yfpwtybjhs.exe
Executes dropped EXE 5 IoCs
pid | Process
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
3616 | fdcpkess.exe
1668 | oqgrnyrnnkwjq.exe
2564 | fdcpkess.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yfpwtybjhs.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rohpndny = "yfpwtybjhs.exe" | mlktfmpxihwtgpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skrvyjaz = "mlktfmpxihwtgpt.exe" | mlktfmpxihwtgpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oqgrnyrnnkwjq.exe" | mlktfmpxihwtgpt.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | fdcpkess.exe
File opened (read-only) | \??\h: | fdcpkess.exe
File opened (read-only) | \??\q: | fdcpkess.exe
File opened (read-only) | \??\g: | fdcpkess.exe
File opened (read-only) | \??\k: | fdcpkess.exe
File opened (read-only) | \??\u: | fdcpkess.exe
File opened (read-only) | \??\w: | fdcpkess.exe
File opened (read-only) | \??\s: | fdcpkess.exe
File opened (read-only) | \??\b: | yfpwtybjhs.exe
File opened (read-only) | \??\q: | yfpwtybjhs.exe
File opened (read-only) | \??\p: | fdcpkess.exe
File opened (read-only) | \??\g: | yfpwtybjhs.exe
File opened (read-only) | \??\w: | yfpwtybjhs.exe
File opened (read-only) | \??\s: | fdcpkess.exe
File opened (read-only) | \??\m: | fdcpkess.exe
File opened (read-only) | \??\t: | fdcpkess.exe
File opened (read-only) | \??\y: | fdcpkess.exe
File opened (read-only) | \??\e: | yfpwtybjhs.exe
File opened (read-only) | \??\g: | fdcpkess.exe
File opened (read-only) | \??\p: | fdcpkess.exe
File opened (read-only) | \??\a: | fdcpkess.exe
File opened (read-only) | \??\r: | fdcpkess.exe
File opened (read-only) | \??\v: | yfpwtybjhs.exe
File opened (read-only) | \??\b: | fdcpkess.exe
File opened (read-only) | \??\j: | fdcpkess.exe
File opened (read-only) | \??\l: | fdcpkess.exe
File opened (read-only) | \??\j: | yfpwtybjhs.exe
File opened (read-only) | \??\y: | fdcpkess.exe
File opened (read-only) | \??\z: | fdcpkess.exe
File opened (read-only) | \??\a: | yfpwtybjhs.exe
File opened (read-only) | \??\z: | yfpwtybjhs.exe
File opened (read-only) | \??\e: | fdcpkess.exe
File opened (read-only) | \??\n: | fdcpkess.exe
File opened (read-only) | \??\s: | yfpwtybjhs.exe
File opened (read-only) | \??\j: | fdcpkess.exe
File opened (read-only) | \??\k: | yfpwtybjhs.exe
File opened (read-only) | \??\n: | yfpwtybjhs.exe
File opened (read-only) | \??\y: | yfpwtybjhs.exe
File opened (read-only) | \??\n: | fdcpkess.exe
File opened (read-only) | \??\e: | fdcpkess.exe
File opened (read-only) | \??\i: | fdcpkess.exe
File opened (read-only) | \??\v: | fdcpkess.exe
File opened (read-only) | \??\x: | fdcpkess.exe
File opened (read-only) | \??\t: | fdcpkess.exe
File opened (read-only) | \??\v: | fdcpkess.exe
File opened (read-only) | \??\u: | yfpwtybjhs.exe
File opened (read-only) | \??\x: | yfpwtybjhs.exe
File opened (read-only) | \??\o: | fdcpkess.exe
File opened (read-only) | \??\z: | fdcpkess.exe
File opened (read-only) | \??\o: | fdcpkess.exe
File opened (read-only) | \??\m: | fdcpkess.exe
File opened (read-only) | \??\q: | fdcpkess.exe
File opened (read-only) | \??\k: | fdcpkess.exe
File opened (read-only) | \??\r: | yfpwtybjhs.exe
File opened (read-only) | \??\t: | yfpwtybjhs.exe
File opened (read-only) | \??\b: | fdcpkess.exe
File opened (read-only) | \??\m: | yfpwtybjhs.exe
File opened (read-only) | \??\x: | fdcpkess.exe
File opened (read-only) | \??\a: | fdcpkess.exe
File opened (read-only) | \??\u: | fdcpkess.exe
File opened (read-only) | \??\l: | yfpwtybjhs.exe
File opened (read-only) | \??\i: | fdcpkess.exe
File opened (read-only) | \??\o: | yfpwtybjhs.exe
File opened (read-only) | \??\p: | yfpwtybjhs.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yfpwtybjhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yfpwtybjhs.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/456-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023208-5.dat | autoit_exe
behavioral2/files/0x0007000000023205-18.dat | autoit_exe
behavioral2/files/0x000600000002320c-27.dat | autoit_exe
behavioral2/files/0x000600000002320d-30.dat | autoit_exe
behavioral2/files/0x0006000000023214-68.dat | autoit_exe
behavioral2/files/0x0006000000023213-62.dat | autoit_exe
behavioral2/files/0x0006000000023224-103.dat | autoit_exe
behavioral2/files/0x0008000000023223-113.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\yfpwtybjhs.exe | 490af43a1ba402f98445a6dfe8668770.exe
File created | C:\Windows\SysWOW64\mlktfmpxihwtgpt.exe | 490af43a1ba402f98445a6dfe8668770.exe
File opened for modification | C:\Windows\SysWOW64\mlktfmpxihwtgpt.exe | 490af43a1ba402f98445a6dfe8668770.exe
File created | C:\Windows\SysWOW64\fdcpkess.exe | 490af43a1ba402f98445a6dfe8668770.exe
File opened for modification | C:\Windows\SysWOW64\fdcpkess.exe | 490af43a1ba402f98445a6dfe8668770.exe
File opened for modification | C:\Windows\SysWOW64\oqgrnyrnnkwjq.exe | 490af43a1ba402f98445a6dfe8668770.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yfpwtybjhs.exe
File created | C:\Windows\SysWOW64\yfpwtybjhs.exe | 490af43a1ba402f98445a6dfe8668770.exe
File created | C:\Windows\SysWOW64\oqgrnyrnnkwjq.exe | 490af43a1ba402f98445a6dfe8668770.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | fdcpkess.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fdcpkess.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fdcpkess.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fdcpkess.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fdcpkess.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | fdcpkess.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fdcpkess.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | Process not Found
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yfpwtybjhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B12E479438E253C5BAD733EFD4C5" | 490af43a1ba402f98445a6dfe8668770.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCF9482782139136D62E7E97BDE3E13C593566406334D6EC" | 490af43a1ba402f98445a6dfe8668770.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yfpwtybjhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yfpwtybjhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yfpwtybjhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yfpwtybjhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yfpwtybjhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7E9D5082586D4177A070242CAD7D8665DA" | 490af43a1ba402f98445a6dfe8668770.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FAB8F966F2E2830F3B35819B3E99B0FD02FC4216023DE1C9459909D5" | 490af43a1ba402f98445a6dfe8668770.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BC1FE6C22D8D27ED0D18A0C9063" | 490af43a1ba402f98445a6dfe8668770.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yfpwtybjhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yfpwtybjhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yfpwtybjhs.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67A14E0DBC4B9CD7C97ED9F37BC" | 490af43a1ba402f98445a6dfe8668770.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 490af43a1ba402f98445a6dfe8668770.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yfpwtybjhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yfpwtybjhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yfpwtybjhs.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2840 | WINWORD.EXE
2840 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | Process not Found
456 | Process not Found
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
2504 | yfpwtybjhs.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
4836 | mlktfmpxihwtgpt.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
2504 | yfpwtybjhs.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
4836 | mlktfmpxihwtgpt.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
456 | 490af43a1ba402f98445a6dfe8668770.exe
2504 | yfpwtybjhs.exe
2504 | yfpwtybjhs.exe
2504 | yfpwtybjhs.exe
4836 | mlktfmpxihwtgpt.exe
4836 | mlktfmpxihwtgpt.exe
4836 | mlktfmpxihwtgpt.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
3616 | fdcpkess.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
1668 | oqgrnyrnnkwjq.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
2564 | fdcpkess.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2840 | WINWORD.EXE
2840 | WINWORD.EXE
2840 | WINWORD.EXE
2840 | WINWORD.EXE
2840 | WINWORD.EXE
2840 | WINWORD.EXE
2840 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 456 wrote to memory of 2504 | 456 | 490af43a1ba402f98445a6dfe8668770.exe | 90
PID 456 wrote to memory of 2504 | 456 | 490af43a1ba402f98445a6dfe8668770.exe | 90
PID 456 wrote to memory of 2504 | 456 | 490af43a1ba402f98445a6dfe8668770.exe | 90
PID 456 wrote to memory of 4836 | 456 | 490af43a1ba402f98445a6dfe8668770.exe | 91
PID 456 wrote to memory of 4836 | 456 | 490af43a1ba402f98445a6dfe8668770.exe | 91
PID 456 wrote to memory of 4836 | 456 | 490af43a1ba402f98445a6dfe8668770.exe | 91
PID 456 wrote to memory of 3616 | 456 | Process not Found | 92
PID 456 wrote to memory of 3616 | 456 | Process not Found | 92
PID 456 wrote to memory of 3616 | 456 | Process not Found | 92
PID 456 wrote to memory of 1668 | 456 | Process not Found | 93
PID 456 wrote to memory of 1668 | 456 | Process not Found | 93
PID 456 wrote to memory of 1668 | 456 | Process not Found | 93
PID 2504 wrote to memory of 2564 | 2504 | yfpwtybjhs.exe | 95
PID 2504 wrote to memory of 2564 | 2504 | yfpwtybjhs.exe | 95
PID 2504 wrote to memory of 2564 | 2504 | yfpwtybjhs.exe | 95
PID 456 wrote to memory of 2840 | 456 | Process not Found | 96
PID 456 wrote to memory of 2840 | 456 | Process not Found | 96
Processes
C:\Users\Admin\AppData\Local\Temp\490af43a1ba402f98445a6dfe8668770.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\490af43a1ba402f98445a6dfe8668770.exe"
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 456
  C:\Windows\SysWOW64\yfpwtybjhs.exe
    Command line: yfpwtybjhs.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2504
    C:\Windows\SysWOW64\fdcpkess.exe
      Command line: C:\Windows\system32\fdcpkess.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2564
  C:\Windows\SysWOW64\mlktfmpxihwtgpt.exe
    Command line: mlktfmpxihwtgpt.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4836
  C:\Windows\SysWOW64\fdcpkess.exe
    Command line: fdcpkess.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3616
  C:\Windows\SysWOW64\oqgrnyrnnkwjq.exe
    Command line: oqgrnyrnnkwjq.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1668
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 2840
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads