Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 05906c39cad698da162ccf37f3964228.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 05906c39cad698da162ccf37f3964228.exe
  Resource: win10v2004-20231215-en
General
Target: 05906c39cad698da162ccf37f3964228.exe
Size: 512KB
MD5: 05906c39cad698da162ccf37f3964228
SHA1: 0cf0214a3cb6a32e5bc139d6dcff6b7cbb2bcd88
SHA256: e1d59c5b329a280bc03ddc31f57e993eb14fb4afa7d80c4feb7b99c787699065
SHA512: 3654a9d697e49d2c245d6dd82c49e5e5db9eedb347e7349d443e9a2247115a15fc27294f3def10a83a71a241fc4266e50d84b4d6633eb5304e139c3b9869c26b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pjtvmadgvw.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pjtvmadgvw.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pjtvmadgvw.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pjtvmadgvw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 05906c39cad698da162ccf37f3964228.exe
Executes dropped EXE 5 IoCs
pid | Process
4972 | pjtvmadgvw.exe
2340 | ucybtwtikcylseg.exe
2756 | gjxtygvf.exe
1040 | skccszkiupnev.exe
1856 | gjxtygvf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pjtvmadgvw.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\abhwyadn = "pjtvmadgvw.exe" | ucybtwtikcylseg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ofqgdpfo = "ucybtwtikcylseg.exe" | ucybtwtikcylseg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "skccszkiupnev.exe" | ucybtwtikcylseg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | gjxtygvf.exe
File opened (read-only) | \??\v: | gjxtygvf.exe
File opened (read-only) | \??\w: | gjxtygvf.exe
File opened (read-only) | \??\t: | gjxtygvf.exe
File opened (read-only) | \??\x: | gjxtygvf.exe
File opened (read-only) | \??\e: | pjtvmadgvw.exe
File opened (read-only) | \??\q: | gjxtygvf.exe
File opened (read-only) | \??\s: | gjxtygvf.exe
File opened (read-only) | \??\z: | gjxtygvf.exe
File opened (read-only) | \??\b: | gjxtygvf.exe
File opened (read-only) | \??\e: | gjxtygvf.exe
File opened (read-only) | \??\p: | gjxtygvf.exe
File opened (read-only) | \??\a: | gjxtygvf.exe
File opened (read-only) | \??\a: | pjtvmadgvw.exe
File opened (read-only) | \??\n: | gjxtygvf.exe
File opened (read-only) | \??\j: | gjxtygvf.exe
File opened (read-only) | \??\p: | gjxtygvf.exe
File opened (read-only) | \??\z: | pjtvmadgvw.exe
File opened (read-only) | \??\h: | gjxtygvf.exe
File opened (read-only) | \??\m: | gjxtygvf.exe
File opened (read-only) | \??\y: | gjxtygvf.exe
File opened (read-only) | \??\b: | pjtvmadgvw.exe
File opened (read-only) | \??\p: | pjtvmadgvw.exe
File opened (read-only) | \??\r: | pjtvmadgvw.exe
File opened (read-only) | \??\n: | gjxtygvf.exe
File opened (read-only) | \??\x: | gjxtygvf.exe
File opened (read-only) | \??\h: | pjtvmadgvw.exe
File opened (read-only) | \??\i: | pjtvmadgvw.exe
File opened (read-only) | \??\s: | pjtvmadgvw.exe
File opened (read-only) | \??\g: | gjxtygvf.exe
File opened (read-only) | \??\j: | gjxtygvf.exe
File opened (read-only) | \??\m: | gjxtygvf.exe
File opened (read-only) | \??\t: | gjxtygvf.exe
File opened (read-only) | \??\j: | pjtvmadgvw.exe
File opened (read-only) | \??\y: | pjtvmadgvw.exe
File opened (read-only) | \??\k: | gjxtygvf.exe
File opened (read-only) | \??\r: | gjxtygvf.exe
File opened (read-only) | \??\m: | pjtvmadgvw.exe
File opened (read-only) | \??\l: | gjxtygvf.exe
File opened (read-only) | \??\s: | gjxtygvf.exe
File opened (read-only) | \??\k: | gjxtygvf.exe
File opened (read-only) | \??\u: | gjxtygvf.exe
File opened (read-only) | \??\l: | pjtvmadgvw.exe
File opened (read-only) | \??\n: | pjtvmadgvw.exe
File opened (read-only) | \??\q: | pjtvmadgvw.exe
File opened (read-only) | \??\u: | pjtvmadgvw.exe
File opened (read-only) | \??\x: | pjtvmadgvw.exe
File opened (read-only) | \??\v: | gjxtygvf.exe
File opened (read-only) | \??\h: | gjxtygvf.exe
File opened (read-only) | \??\i: | gjxtygvf.exe
File opened (read-only) | \??\g: | pjtvmadgvw.exe
File opened (read-only) | \??\k: | pjtvmadgvw.exe
File opened (read-only) | \??\t: | pjtvmadgvw.exe
File opened (read-only) | \??\w: | gjxtygvf.exe
File opened (read-only) | \??\g: | gjxtygvf.exe
File opened (read-only) | \??\r: | gjxtygvf.exe
File opened (read-only) | \??\v: | pjtvmadgvw.exe
File opened (read-only) | \??\i: | gjxtygvf.exe
File opened (read-only) | \??\z: | gjxtygvf.exe
File opened (read-only) | \??\b: | gjxtygvf.exe
File opened (read-only) | \??\o: | gjxtygvf.exe
File opened (read-only) | \??\w: | pjtvmadgvw.exe
File opened (read-only) | \??\a: | gjxtygvf.exe
File opened (read-only) | \??\o: | gjxtygvf.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pjtvmadgvw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pjtvmadgvw.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4788-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000600000002310b-5.dat | autoit_exe
behavioral2/files/0x000600000002310a-18.dat | autoit_exe
behavioral2/files/0x000600000002310c-27.dat | autoit_exe
behavioral2/files/0x000600000002310d-30.dat | autoit_exe
behavioral2/files/0x000200000001e7f0-67.dat | autoit_exe
behavioral2/files/0x0005000000022f35-110.dat | autoit_exe
behavioral2/files/0x0005000000022f35-136.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\pjtvmadgvw.exe | 05906c39cad698da162ccf37f3964228.exe
File opened for modification | C:\Windows\SysWOW64\ucybtwtikcylseg.exe | 05906c39cad698da162ccf37f3964228.exe
File created | C:\Windows\SysWOW64\gjxtygvf.exe | 05906c39cad698da162ccf37f3964228.exe
File opened for modification | C:\Windows\SysWOW64\gjxtygvf.exe | 05906c39cad698da162ccf37f3964228.exe
File created | C:\Windows\SysWOW64\skccszkiupnev.exe | 05906c39cad698da162ccf37f3964228.exe
File created | C:\Windows\SysWOW64\pjtvmadgvw.exe | 05906c39cad698da162ccf37f3964228.exe
File created | C:\Windows\SysWOW64\ucybtwtikcylseg.exe | 05906c39cad698da162ccf37f3964228.exe
File opened for modification | C:\Windows\SysWOW64\skccszkiupnev.exe | 05906c39cad698da162ccf37f3964228.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pjtvmadgvw.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gjxtygvf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gjxtygvf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gjxtygvf.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gjxtygvf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gjxtygvf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gjxtygvf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gjxtygvf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gjxtygvf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gjxtygvf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gjxtygvf.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 05906c39cad698da162ccf37f3964228.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pjtvmadgvw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pjtvmadgvw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12044E6389F52BEBAD53393D7B9" | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pjtvmadgvw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pjtvmadgvw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pjtvmadgvw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pjtvmadgvw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pjtvmadgvw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pjtvmadgvw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pjtvmadgvw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFACEFE64F1E084743A46819F3998B0FB028C4261034CE2CD429E08D4" | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BB7FE6C22DFD179D0D68A7D9164" | 05906c39cad698da162ccf37f3964228.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pjtvmadgvw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pjtvmadgvw.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C0D9D2D82596A3176D170222CD97CF165DE" | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8C485A85129042D62D7DE5BDE4E637584767326344D6E9" | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC60C14E3DAC7B8C07FE4EDE334C6" | 05906c39cad698da162ccf37f3964228.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pjtvmadgvw.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
632 | WINWORD.EXE
632 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1856 | gjxtygvf.exe
1856 | gjxtygvf.exe
1856 | gjxtygvf.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4788 | 05906c39cad698da162ccf37f3964228.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
4972 | pjtvmadgvw.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2340 | ucybtwtikcylseg.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
2756 | gjxtygvf.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1040 | skccszkiupnev.exe
1856 | gjxtygvf.exe
1856 | gjxtygvf.exe
1856 | gjxtygvf.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4788 wrote to memory of 4972 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 92
PID 4788 wrote to memory of 4972 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 92
PID 4788 wrote to memory of 4972 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 92
PID 4788 wrote to memory of 2340 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 93
PID 4788 wrote to memory of 2340 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 93
PID 4788 wrote to memory of 2340 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 93
PID 4788 wrote to memory of 2756 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 94
PID 4788 wrote to memory of 2756 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 94
PID 4788 wrote to memory of 2756 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 94
PID 4788 wrote to memory of 1040 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 95
PID 4788 wrote to memory of 1040 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 95
PID 4788 wrote to memory of 1040 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 95
PID 4972 wrote to memory of 1856 | 4972 | pjtvmadgvw.exe | 96
PID 4972 wrote to memory of 1856 | 4972 | pjtvmadgvw.exe | 96
PID 4972 wrote to memory of 1856 | 4972 | pjtvmadgvw.exe | 96
PID 4788 wrote to memory of 632 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 97
PID 4788 wrote to memory of 632 | 4788 | 05906c39cad698da162ccf37f3964228.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4788
  C:\Windows\SysWOW64\pjtvmadgvw.exe
    Command line: pjtvmadgvw.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4972
    C:\Windows\SysWOW64\gjxtygvf.exe
      Command line: C:\Windows\system32\gjxtygvf.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1856
  C:\Windows\SysWOW64\ucybtwtikcylseg.exe
    Command line: ucybtwtikcylseg.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2340
  C:\Windows\SysWOW64\gjxtygvf.exe
    Command line: gjxtygvf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2756
  C:\Windows\SysWOW64\skccszkiupnev.exe
    Command line: skccszkiupnev.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1040
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 632
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads