Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 21:00
Static task: static1
Behavioral task: behavioral1
- Sample: 03e0a521ccb092a61fb3723b38a58b16.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 03e0a521ccb092a61fb3723b38a58b16.exe
- Resource: win10v2004-20231222-en
General
- Target: 03e0a521ccb092a61fb3723b38a58b16.exe
- Size: 512KB
- MD5: 03e0a521ccb092a61fb3723b38a58b16
- SHA1: 3997fa18edffd374885168409d98aecb23b77315
- SHA256: 3003a35975df39e6fbf9ee24aa6af6565989f80532ec61ab200b51343b409dfd
- SHA512: c4ec42774a330a077248166ec564832474fcf68c5489bf6ce46f3892081740c85506ccbff834ac2bac6674b87c9156a7a4c11ab59c7382982f3e0277806a02dd
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pnprkklfhx.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pnprkklfhx.exe
Windows security bypass 5 IoCs (heading absent from the extracted page; the name is taken from this process's signature list in the process tree)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pnprkklfhx.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pnprkklfhx.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 03e0a521ccb092a61fb3723b38a58b16.exe
Executes dropped EXE 5 IoCs
pid | process
3844 | pnprkklfhx.exe
1620 | hquikthyhfmgque.exe
2740 | qttlprdk.exe
3696 | rbyfrkhptxlal.exe
3044 | qttlprdk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification 6 IoCs (heading absent from the extracted page; the name is taken from this process's signature list in the process tree)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pnprkklfhx.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czgbsvhj = "pnprkklfhx.exe" | hquikthyhfmgque.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iwqzziin = "hquikthyhfmgque.exe" | hquikthyhfmgque.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rbyfrkhptxlal.exe" (empty value name, i.e. the key's default value) | hquikthyhfmgque.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\a: through \??\z: (excluding c:, d:, f: and i:), 22 opens | pnprkklfhx.exe
File opened (read-only) | \??\a: through \??\z: (excluding c:, d: and f:), 42 opens with several letters opened more than once | qttlprdk.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pnprkklfhx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pnprkklfhx.exe
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1152-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000231f3-22.dat | autoit_exe
behavioral2/files/0x0007000000023207-25.dat | autoit_exe
behavioral2/files/0x0006000000023208-31.dat | autoit_exe
behavioral2/files/0x0007000000023207-29.dat | autoit_exe
behavioral2/files/0x0006000000023208-32.dat | autoit_exe
behavioral2/files/0x00080000000231f3-24.dat | autoit_exe
behavioral2/files/0x00080000000231f0-19.dat | autoit_exe
behavioral2/files/0x00080000000231f0-18.dat | autoit_exe
behavioral2/files/0x0007000000023207-40.dat | autoit_exe
behavioral2/files/0x0006000000023214-81.dat | autoit_exe
behavioral2/files/0x00080000000231f3-5.dat | autoit_exe
behavioral2/files/0x0009000000023217-105.dat | autoit_exe
behavioral2/files/0x0009000000023217-109.dat | autoit_exe
behavioral2/files/0x0009000000023217-107.dat | autoit_exe
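The autoit_exe rule body is not shown in this report. As an added example (not part of the Triage report and not Triage's rule), the following PowerShell function performs the equivalent static check locally on the files the sample dropped, so the verdict can be confirmed on a suspect host. It assumes the ASCII marker "AU3!EA06" that the AutoIt3 compiler embeds alongside the script resource is present in clear; that holds for unpacked binaries, while a packer or crypter would hide it and produce a false negative. The SysWOW64 file names are taken from the report above.

```powershell
# Added example, not part of the Triage report: heuristic check for a compiled
# AutoIt3 script inside a PE file. Assumption: the "AU3!EA06" marker is unobfuscated.
function Test-AutoItCompiled {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Every PE file starts with the MZ header; anything else is not a candidate.
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return [pscustomobject]@{ Path = $Path; IsPE = $false; AutoIt = $false; Offset = -1 }
    }
    # Latin-1 (code page 28591) maps each byte to exactly one character, so an
    # ordinal string search over the decoded text is a byte-for-byte search.
    $text   = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $offset = $text.IndexOf('AU3!EA06', [System.StringComparison]::Ordinal)
    [pscustomobject]@{
        Path   = $Path
        IsPE   = $true
        AutoIt = ($offset -ge 0)
        Offset = $offset
    }
}

# Usage: check the four binaries this sample dropped into SysWOW64 (names from the report).
'pnprkklfhx.exe', 'hquikthyhfmgque.exe', 'qttlprdk.exe', 'rbyfrkhptxlal.exe' |
    ForEach-Object { Join-Path $env:windir "SysWOW64\$_" } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-AutoItCompiled -Path $_ } |
    Format-Table -AutoSize
```

A negative result only means the marker was not found in clear; the memory-dump hit in the table above (behavioral2/memory/1152-0-...) is the reason the rule is also run against process memory, where a packed stage has already been unpacked.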
Drops file in System32 directory 13 IoCs
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pnprkklfhx.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | C:\Windows\SysWOW64\hquikthyhfmgque.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File opened for modification | C:\Windows\SysWOW64\hquikthyhfmgque.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File created | C:\Windows\SysWOW64\qttlprdk.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | C:\Windows\SysWOW64\qttlprdk.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File created | C:\Windows\SysWOW64\rbyfrkhptxlal.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File opened for modification | C:\Windows\SysWOW64\rbyfrkhptxlal.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | C:\Windows\SysWOW64\pnprkklfhx.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File opened for modification | C:\Windows\SysWOW64\pnprkklfhx.exe | 03e0a521ccb092a61fb3723b38a58b16.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qttlprdk.exe
Drops file in Program Files directory 15 IoCs
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qttlprdk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qttlprdk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qttlprdk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qttlprdk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qttlprdk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qttlprdk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qttlprdk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qttlprdk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qttlprdk.exe
Drops file in Windows directory 19 IoCs
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | C:\Windows\mydoc.rtf | 03e0a521ccb092a61fb3723b38a58b16.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qttlprdk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qttlprdk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qttlprdk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pnprkklfhx.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 03e0a521ccb092a61fb3723b38a58b16.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 03e0a521ccb092a61fb3723b38a58b16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C70F14E3DBB1B9CE7C92ED9734C7" | 03e0a521ccb092a61fb3723b38a58b16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pnprkklfhx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9CCFE13F190837B3A4586EC3E98B0FE028B4365033EE2CF459E08D6" | 03e0a521ccb092a61fb3723b38a58b16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFFC4F2985689041D72C7D9DBC94E63658306734633FD798" | 03e0a521ccb092a61fb3723b38a58b16.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pnprkklfhx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pnprkklfhx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pnprkklfhx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268C6FE1A21DAD173D1A88A0E9160" | 03e0a521ccb092a61fb3723b38a58b16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pnprkklfhx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pnprkklfhx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pnprkklfhx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pnprkklfhx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pnprkklfhx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pnprkklfhx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C769D5082226A3776A270532CD87D8665A8" | 03e0a521ccb092a61fb3723b38a58b16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB02E449539EE52CEB9D032EAD7CD" | 03e0a521ccb092a61fb3723b38a58b16.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pnprkklfhx.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | process | hits
2080 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process | hits
1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 16
2740 | qttlprdk.exe | 8
1620 | hquikthyhfmgque.exe | 12
3844 | pnprkklfhx.exe | 10
3696 | rbyfrkhptxlal.exe | 12
3044 | qttlprdk.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | process | hits
1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 3
3844 | pnprkklfhx.exe | 3
1620 | hquikthyhfmgque.exe | 3
2740 | qttlprdk.exe | 3
3696 | rbyfrkhptxlal.exe | 3
3044 | qttlprdk.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | process | hits
1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 3
1620 | hquikthyhfmgque.exe | 3
2740 | qttlprdk.exe | 3
3844 | pnprkklfhx.exe | 3
3696 | rbyfrkhptxlal.exe | 3
3044 | qttlprdk.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | process | hits
2080 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | process | procid_target | hits
PID 1152 wrote to memory of 3844 | 1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 78 | 3
PID 1152 wrote to memory of 1620 | 1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 81 | 3
PID 1152 wrote to memory of 2740 | 1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 79 | 3
PID 1152 wrote to memory of 3696 | 1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 80 | 3
PID 1152 wrote to memory of 2080 | 1152 | 03e0a521ccb092a61fb3723b38a58b16.exe | 82 | 2
PID 3844 wrote to memory of 3044 | 3844 | pnprkklfhx.exe | 84 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\03e0a521ccb092a61fb3723b38a58b16.exe (PID 1152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03e0a521ccb092a61fb3723b38a58b16.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\pnprkklfhx.exe (PID 3844)
    Command line: pnprkklfhx.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\qttlprdk.exe (PID 3044)
      Command line: C:\Windows\system32\qttlprdk.exe (the parent is a 32-bit process, so its reference to system32 resolves to SysWOW64 through WOW64 file system redirection)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\qttlprdk.exe (PID 2740)
    Command line: qttlprdk.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\rbyfrkhptxlal.exe (PID 3696)
    Command line: rbyfrkhptxlal.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hquikthyhfmgque.exe (PID 1620)
    Command line: hquikthyhfmgque.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2080)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
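The signatures and process tree above describe a consistent set of host artifacts: Security Center notifications and overrides switched off, Winlogon SFC values changed, bare-name Run entries, script file types (.bat, .reg, .vbs, .wsf, .wsc, .wsh) remapped to the txtfile handler so they open in Notepad instead of executing, RegEdit disabled per user, Explorer forced to hide extensions so that the dropped MsoIrmProtector.doc.exe and PROTTPLN.DOC.exe decoys display as documents, and four executables in SysWOW64. The following PowerShell script is an added example (not part of the Triage report) that checks a live host for exactly those artifacts, read-only, so a responder can confirm or rule out the same infection. Run it from an elevated 64-bit PowerShell. Assumptions: the dropped file names are the ones this sample used (a rebuilt sample will differ), and the HKLM keys are checked in both the native and WOW6432Node views because the sample is a 32-bit process. The report's SFCDisable value 4294967197 is DWORD 0xFFFFFF9D, the legacy Windows File Protection "disable" value; the registry provider returns it as the signed Int32 -99, which the script accounts for.

```powershell
# Added example, not part of the Triage report: read-only host triage for the
# persistence and tampering artifacts listed in the signatures above.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Text) { $findings.Add($Text) }

# Returns a registry value, or $null when the key or value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -Path $Path
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name)
}

foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    # Security Center notification suppression and AV/firewall override flags.
    $sc = "HKLM:\$view\Microsoft\Security Center"
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                      'FirstRunDisabled', 'AntiVirusOverride', 'FirewallOverride') {
        if ((Get-RegValue $sc $name) -eq 1) { Add-Finding "$sc\$name = 1" }
    }

    # Winlogon SFC tampering. 4294967197 == 0xFFFFFF9D, read back as Int32 -99.
    $wl  = "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $sfc = Get-RegValue $wl 'SFCDisable'
    if ($sfc -eq -99 -or $sfc -eq 4294967197) { Add-Finding "$wl\SFCDisable = 0xFFFFFF9D" }
    if ((Get-RegValue $wl 'SFCScan') -eq 0) { Add-Finding "$wl\SFCScan = 0" }

    # Run keys: the sample registers bare file names (resolved through the search
    # path), one of them under the key's default (empty) value name.
    $run = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Run"
    $key = Get-Item -Path $run
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            if ($val -and $val -notmatch '[\\/]') {
                $label = if ($name) { $name } else { '(default)' }
                Add-Finding "$run\$label = `"$val`" (no directory; look for a dropped file of that name)"
            }
        }
    }
}

# Script file types remapped to Notepad's txtfile handler.
foreach ($ext in '.bat', '.reg', '.vbs', '.wsf', '.wsc', '.wsh') {
    if ((Get-RegValue "HKLM:\SOFTWARE\Classes\$ext" '') -eq 'txtfile') {
        Add-Finding "HKLM:\SOFTWARE\Classes\$ext default handler = txtfile"
    }
}

# Per-user settings for every loaded account hive (S-1-5-21-... without _Classes).
if (-not (Get-PSDrive -Name HKU)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-[0-9-]+$' }) {
    $u = "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion"
    if ((Get-RegValue "$u\Policies\System" 'DisableRegistryTools') -eq 1) {
        Add-Finding "$u\Policies\System\DisableRegistryTools = 1"
    }
    # HideFileExt=1 / ShowSuperHidden=0 are the Windows defaults, but the sample sets
    # them explicitly; they are what makes a .doc.exe decoy display as a .doc.
    if ((Get-RegValue "$u\Explorer\Advanced" 'HideFileExt') -eq 1 -and
        (Get-RegValue "$u\Explorer\Advanced" 'ShowSuperHidden') -eq 0) {
        Add-Finding "$u\Explorer\Advanced: HideFileExt=1, ShowSuperHidden=0 (defaults, enforced by the sample)"
    }
}

# Dropped binaries and the double-extension decoys named in the report.
$paths = @(
    ('pnprkklfhx.exe', 'hquikthyhfmgque.exe', 'qttlprdk.exe', 'rbyfrkhptxlal.exe' |
        ForEach-Object { Join-Path $env:windir "SysWOW64\$_" })
    "$env:windir\SysWOW64\MSDRM\MsoIrmProtector.doc.exe"
    "$env:windir\mydoc.rtf"
    "${env:ProgramFiles}\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe"
    "${env:ProgramFiles}\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe"
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { Add-Finding "file present: $p" } }
# The WinSxS copies live in several versioned directories; match on the name instead.
Get-ChildItem -Path "$env:windir\WinSxS" -Recurse -Filter 'MsoIrmProtector.doc.exe' |
    ForEach-Object { Add-Finding "file present: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

The script reports rather than remediates on purpose: the Security Center, Winlogon and file-association values should be restored from a known-good baseline of the same Windows build, and the dropped files preserved for analysis before deletion. The bare-name Run entries are worth flagging on their own even if the files are gone, since a value such as czgbsvhj = "pnprkklfhx.exe" with no directory is unusual for legitimate software.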
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 43KB
  MD5: c40f93a2c9e198d1e932b767ca3d4ec0
  SHA1: 28f30461678e5162893689d0960855f93a115f98
  SHA256: 8fd8caa15e7f7c1e5d0538e37bf9eb68fc818254b56924cb47b355988f5f24bb
  SHA512: 1d990d4e93d2e11de25e8ab4b6c3da304c11a0f9f0c54c4b0665fed88a4c9f4615a038df0d494ba08754cd9b9ee2472089da04a65af41254114d71cdd2f4ccc8
- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 2b7e6fa953176855a7e949cf870091d5
  SHA1: aff3cd2d3557d91c9ecee0b4be00f1654a31ec14
  SHA256: 7598f9640acaf43dc5c0cd6f82ec6e2c31d708b7255352b9c5c35b275905d771
  SHA512: 16d330aa4fe617975364a8cd2587425e3b3663bca85e3501857b4a2c114d1e89662fcdc8478412914362f59b797d3c1d29db2f3721930603705f75489467f0ee
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: b8fcf4d66adda866da475ef786b24bc6
  SHA1: 3c59217a1cf92f43ff01537e41b6db53ca8ef155
  SHA256: 0d913ce15253af1204e1567ba7fbbc0ff4fd7918ccb9838a34d3b26e4727a1df
  SHA512: 257c433d6ea0db9bf79a2d0e3997fa0ea3dc8cdb70662c3343032ffa9e58855c4e4b8b11c760f2f85ca0c34926fd0f248354f4afcd3f53d160ae2c97af178411
- Filesize: 53KB
  MD5: eab1c164ac2fb516403c1fba0eb6c588
  SHA1: 3c63eccee7b790f023ae23f0eb91436d7eb59b87
  SHA256: 80e5c3d5bd76070e3b9a6a499ac34c10134852c373b7a91cc132419389b0230d
  SHA512: 38ad21e2f97f3c6bf87f5d40d8d330981696711e76dd15845f01ad22e6435a06ad4dbb3f1a4d9625597185c0c461f4a2d60af943b6bea6e844e165f65afb1218
- Filesize: 136KB
  MD5: ad1a5b5dceff307d8c25dd5a77de78c9
  SHA1: 66d468ec46c35f52d9543c4616f5293413396823
  SHA256: 2026faa351abc7662dc37822636638866c8a0c753fe71dfaa88a2ece00edf47f
  SHA512: 7f7956399db2cf1ede45ab4f73808f6332d4dbdef67d5190b9305bcda1947a8334f0b1f0fec492dbe138e8d2a77d74db5aa4c83aa0453201b26ef45520d27e7f
- Filesize: 257KB
  MD5: 3b1bc8f1832f2958a1caaaacbbd972d2
  SHA1: 3b78c7a3bd108d39ef1c54f479cc1d2d22041cab
  SHA256: c14ca5ef7ccb257ff9a14b3bba762a48bfbdcf6f417375722aec8e68219d943f
  SHA512: 2c562becc1dc91de9d9eb4938f103a6d56400d6c143c68c04c72f3816b9c19328eb28a7ebcdb961e4ee30d8231cf5cd2cf1e9cf16617d0200d0df8a997a33695
- Filesize: 168KB
  MD5: 8f4adb925e87a18e28174b3d44e5b1a2
  SHA1: cd2b6c58ce1768cfc1e20f4bebbf2196a7b7d592
  SHA256: 210be1bb185c015384f8f6e4efe9811ff41158d52d627f8461cf99e97d486d64
  SHA512: 85d0253bef191a73f200a642412305d804a71cdecf3ac51599f84c29422dbe50fbafce0a76ad1517088a621f7a49ea2ead6eb3b4de81290327ee24b97cfc71b0
- Filesize: 191KB
  MD5: b23502816e00697e43ce964e624e3404
  SHA1: 5009ca50913f9b26c3d62f2f58b5ba99e2888266
  SHA256: 2b0702cc0c81b776aea478a53f459532e124115a2bf10071da22fc914865eb2d
  SHA512: 269f60e81a8ef93b9719e1a684bd87bf388250524413ce703fa26cf0a74cc0656381dd7f0f96e62c05eb444f704b0115e16d2b67a1b7ba5957a647b56ac170ae
- Filesize: 75KB
  MD5: 7664c775c10c1e2fc06e752d2c27af98
  SHA1: 82690f2ba370714350a70d8fc11e926373d69177
  SHA256: 8c6b18c17441ba9487950b74a07ff8d3d991faa577222a0454bd649676d2dae8
  SHA512: eae834c12e473cfeeb76f44cb45c5b02be83ae3627df74800b95820531853301af1f234ca9017919a2c29b6fe1b1bede8267c3e44f5bb720b9b50d5b5ec3329f
- Filesize: 64KB
  MD5: d76d22b81130bc9206c7c947d7a9ea5e
  SHA1: 5956e88a6ec7949ce5a350e21703307d855f34b1
  SHA256: b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870
  SHA512: 112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1
- Filesize: 145KB
  MD5: a924f9346edc835c21558f214dd01a83
  SHA1: 3de842b21e8bcccd3c56bfe80f4e06920f4e1c80
  SHA256: 24ab93f3004624e51db55884d61dd3b2bf4cb25c10626806ef5a94cf046a358d
  SHA512: 1a4f5fa23cf84e281b228216d2b23b226c64c901e33776c08d97eb933096c70e22796d0edd9ae9c14c017ee98171626b49ccea60d6c8627ba9437e01becb15dd
- Filesize: 91KB
  MD5: 02c2760690eb9527ef9d51fce4497454
  SHA1: 6844a45c2e454d9c530662543d28c89c061cd0f4
  SHA256: 9c4925bb3cc34af7b31c02440b64db14583ebbd4bf9081114916889786fdd8ec
  SHA512: b7de0542cb7abd6377b567791b6abd51789ce484abd94effe43ee280cfae58180967c34edc1cbb21bae0fe5695424a39137da652e43951b7aef35196fdfc2f94
- Filesize: 65KB
  MD5: 649bb0518ee5a42d6cf63649e76f7c3a
  SHA1: 3ba501630833359b7a6ba348f949fe12c5e24cb1
  SHA256: c30b09d3c90042f1b44ef14cf0617e1fea54f3459883de5e5498788bda0ab597
  SHA512: f0245419a0c4f7e04f67338d10f186f9f03ce7d6c3c71b2cfbf80abe59064ceed0c6578010c6a37c9a6b370f8a6affd91d9a73515f27fd0dbd071856fc8580d7
- Filesize: 86KB
  MD5: 1cdd37e6af4a9db8f90458476517be6e
  SHA1: d57eae0b377fd04f634abe26d5a29af2283a590f
  SHA256: 0b0a026feb55a911ebefd249fd4854c3e8e9a487e5443daf2aa57815db83a203
  SHA512: 1b28d57d9e5598d1f8d14ff380f44d6421b5c5ae9eefe83bf2c781e0c0c8de35fc1506bb1878983d8113af78d85a889383ffa3c1d49416af0a5dbfacbf7ddcb3
- Filesize: 22KB
  MD5: 5271eaa1885e3bf0fd315f80e656230b
  SHA1: 30885afbd5ae380a5aaccd70c75eac1a2a06e9c2
  SHA256: 8ca2b727695115beb2c90f1f1e372542df50120bfd20c04c51337be001997000
  SHA512: 0683c63649ea9f337104ce1883ce8beff595c792b78c7c20285ed492ab1a105428fb49caf77fe099d2c5f1db87c50168b1729d58cf70bcedcb9ce193d6d3d824
- Filesize: 25KB
  MD5: 9a38033eeebb4c86d432df6a26a3ef2c
  SHA1: 9c0c27f4cd6b38315a42539006028a80fceed58d
  SHA256: a10e7f2915dc4970955b904f9ca08f0a5ee3a833d0e0fd72c6e53523262f36c7
  SHA512: 177c1f354685a77864a57f39b6e623257730e47471e07f3d91a6d449ceadb4098be7fe74799082a42ac1445d1523371ecc6c1830367f5db824c7158b9982dfe5