Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 0c327b45e2e2619cc1116c01db9fecd4.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0c327b45e2e2619cc1116c01db9fecd4.exe
- Resource: win10v2004-20231215-en
General
- Target: 0c327b45e2e2619cc1116c01db9fecd4.exe
- Size: 512KB
- MD5: 0c327b45e2e2619cc1116c01db9fecd4
- SHA1: 1897e432062b78a0e44d387042f7feb7e8a50bba
- SHA256: 559797107580982cad1ab552b0d3b930315fd0caa04e143c13de2f4cd7d00774
- SHA512: 66b2b676e0208da13751c726c33b6a5a0c99f7a809262b90a499b3bbc6acea7876949553f63801ae1de1405ed8af4ababb44feda8953419161c5c21229d7986c
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | emuuzqzvee.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | emuuzqzvee.exe
- Windows security bypass (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | emuuzqzvee.exe
- Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | emuuzqzvee.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 0c327b45e2e2619cc1116c01db9fecd4.exe
- Executes dropped EXE (5 IoCs)
  pid | Process
  2412 | emuuzqzvee.exe
  3796 | aiipkkhuhfaidht.exe
  1428 | pqgwjnpo.exe
  3680 | oknrxedzyevak.exe
  3188 | pqgwjnpo.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | emuuzqzvee.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jewmwupj = "aiipkkhuhfaidht.exe" | aiipkkhuhfaidht.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oknrxedzyevak.exe" | aiipkkhuhfaidht.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxvwvtby = "emuuzqzvee.exe" | aiipkkhuhfaidht.exe
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\p: | pqgwjnpo.exe
  File opened (read-only) | \??\a: | emuuzqzvee.exe
  File opened (read-only) | \??\k: | emuuzqzvee.exe
  File opened (read-only) | \??\t: | emuuzqzvee.exe
  File opened (read-only) | \??\x: | emuuzqzvee.exe
  File opened (read-only) | \??\i: | pqgwjnpo.exe
  File opened (read-only) | \??\j: | pqgwjnpo.exe
  File opened (read-only) | \??\w: | pqgwjnpo.exe
  File opened (read-only) | \??\l: | pqgwjnpo.exe
  File opened (read-only) | \??\t: | pqgwjnpo.exe
  File opened (read-only) | \??\b: | pqgwjnpo.exe
  File opened (read-only) | \??\n: | emuuzqzvee.exe
  File opened (read-only) | \??\o: | emuuzqzvee.exe
  File opened (read-only) | \??\s: | emuuzqzvee.exe
  File opened (read-only) | \??\u: | pqgwjnpo.exe
  File opened (read-only) | \??\y: | pqgwjnpo.exe
  File opened (read-only) | \??\r: | pqgwjnpo.exe
  File opened (read-only) | \??\u: | emuuzqzvee.exe
  File opened (read-only) | \??\g: | pqgwjnpo.exe
  File opened (read-only) | \??\s: | pqgwjnpo.exe
  File opened (read-only) | \??\t: | pqgwjnpo.exe
  File opened (read-only) | \??\u: | pqgwjnpo.exe
  File opened (read-only) | \??\g: | emuuzqzvee.exe
  File opened (read-only) | \??\x: | pqgwjnpo.exe
  File opened (read-only) | \??\n: | pqgwjnpo.exe
  File opened (read-only) | \??\w: | pqgwjnpo.exe
  File opened (read-only) | \??\o: | pqgwjnpo.exe
  File opened (read-only) | \??\h: | emuuzqzvee.exe
  File opened (read-only) | \??\m: | emuuzqzvee.exe
  File opened (read-only) | \??\y: | emuuzqzvee.exe
  File opened (read-only) | \??\j: | emuuzqzvee.exe
  File opened (read-only) | \??\r: | emuuzqzvee.exe
  File opened (read-only) | \??\q: | pqgwjnpo.exe
  File opened (read-only) | \??\a: | pqgwjnpo.exe
  File opened (read-only) | \??\h: | pqgwjnpo.exe
  File opened (read-only) | \??\p: | pqgwjnpo.exe
  File opened (read-only) | \??\z: | pqgwjnpo.exe
  File opened (read-only) | \??\z: | pqgwjnpo.exe
  File opened (read-only) | \??\v: | emuuzqzvee.exe
  File opened (read-only) | \??\z: | emuuzqzvee.exe
  File opened (read-only) | \??\b: | pqgwjnpo.exe
  File opened (read-only) | \??\o: | pqgwjnpo.exe
  File opened (read-only) | \??\l: | pqgwjnpo.exe
  File opened (read-only) | \??\i: | emuuzqzvee.exe
  File opened (read-only) | \??\k: | pqgwjnpo.exe
  File opened (read-only) | \??\v: | pqgwjnpo.exe
  File opened (read-only) | \??\v: | pqgwjnpo.exe
  File opened (read-only) | \??\y: | pqgwjnpo.exe
  File opened (read-only) | \??\e: | emuuzqzvee.exe
  File opened (read-only) | \??\l: | emuuzqzvee.exe
  File opened (read-only) | \??\p: | emuuzqzvee.exe
  File opened (read-only) | \??\r: | pqgwjnpo.exe
  File opened (read-only) | \??\q: | pqgwjnpo.exe
  File opened (read-only) | \??\w: | emuuzqzvee.exe
  File opened (read-only) | \??\e: | pqgwjnpo.exe
  File opened (read-only) | \??\h: | pqgwjnpo.exe
  File opened (read-only) | \??\i: | pqgwjnpo.exe
  File opened (read-only) | \??\j: | pqgwjnpo.exe
  File opened (read-only) | \??\n: | pqgwjnpo.exe
  File opened (read-only) | \??\s: | pqgwjnpo.exe
  File opened (read-only) | \??\x: | pqgwjnpo.exe
  File opened (read-only) | \??\b: | emuuzqzvee.exe
  File opened (read-only) | \??\g: | pqgwjnpo.exe
  File opened (read-only) | \??\k: | pqgwjnpo.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | emuuzqzvee.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | emuuzqzvee.exe
- AutoIT Executable (10 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/2228-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x000e00000002316a-5.dat | autoit_exe
  behavioral2/files/0x000200000001fafe-18.dat | autoit_exe
  behavioral2/files/0x000200000001fafe-19.dat | autoit_exe
  behavioral2/files/0x0008000000023218-26.dat | autoit_exe
  behavioral2/files/0x0008000000023218-27.dat | autoit_exe
  behavioral2/files/0x000600000002321d-32.dat | autoit_exe
  behavioral2/files/0x0008000000023218-35.dat | autoit_exe
  behavioral2/files/0x0007000000023237-97.dat | autoit_exe
  behavioral2/files/0x0007000000023237-106.dat | autoit_exe
- Drops file in System32 directory (13 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\pqgwjnpo.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File created | C:\Windows\SysWOW64\oknrxedzyevak.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | C:\Windows\SysWOW64\emuuzqzvee.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File created | C:\Windows\SysWOW64\pqgwjnpo.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File opened for modification | C:\Windows\SysWOW64\oknrxedzyevak.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File created | C:\Windows\SysWOW64\emuuzqzvee.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File opened for modification | C:\Windows\SysWOW64\aiipkkhuhfaidht.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | C:\Windows\SysWOW64\aiipkkhuhfaidht.exe | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | emuuzqzvee.exe
- Drops file in Program Files directory (15 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pqgwjnpo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pqgwjnpo.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pqgwjnpo.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pqgwjnpo.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pqgwjnpo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pqgwjnpo.exe
- Drops file in Windows directory (19 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | C:\Windows\mydoc.rtf | 0c327b45e2e2619cc1116c01db9fecd4.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pqgwjnpo.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pqgwjnpo.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Modifies registry class (20 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668C4FF1D22DFD109D1D18A7B9063" | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | emuuzqzvee.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | emuuzqzvee.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | emuuzqzvee.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | emuuzqzvee.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | emuuzqzvee.exe
  Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | emuuzqzvee.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FABDF964F299837B3B4A86EC3E94B0FE028B4369034BE1CA42E809D5" | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB02B4790389E53C4BADC33EED7C9" | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8C482E82139030D75B7D91BCE7E64059426641633FD79F" | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC67414E5DAB6B9BA7FE1EC9E34BC" | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | emuuzqzvee.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | emuuzqzvee.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C0C9D2C82236D3677D177552DD87DF464DC" | 0c327b45e2e2619cc1116c01db9fecd4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | emuuzqzvee.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | emuuzqzvee.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | emuuzqzvee.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | emuuzqzvee.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  1428 | pqgwjnpo.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  1428 | pqgwjnpo.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
- Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | Process
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
- Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  2412 | emuuzqzvee.exe
  2412 | emuuzqzvee.exe
  1428 | pqgwjnpo.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3796 | aiipkkhuhfaidht.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3680 | oknrxedzyevak.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
  3188 | pqgwjnpo.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
  3940 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 2228 wrote to memory of 2412 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 88
  PID 2228 wrote to memory of 2412 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 88
  PID 2228 wrote to memory of 2412 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 88
  PID 2228 wrote to memory of 3796 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 91
  PID 2228 wrote to memory of 3796 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 91
  PID 2228 wrote to memory of 3796 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 91
  PID 2228 wrote to memory of 1428 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 89
  PID 2228 wrote to memory of 1428 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 89
  PID 2228 wrote to memory of 1428 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 89
  PID 2228 wrote to memory of 3680 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 90
  PID 2228 wrote to memory of 3680 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 90
  PID 2228 wrote to memory of 3680 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 90
  PID 2228 wrote to memory of 3940 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 92
  PID 2228 wrote to memory of 3940 | 2228 | 0c327b45e2e2619cc1116c01db9fecd4.exe | 92
  PID 2412 wrote to memory of 3188 | 2412 | emuuzqzvee.exe | 94
  PID 2412 wrote to memory of 3188 | 2412 | emuuzqzvee.exe | 94
  PID 2412 wrote to memory of 3188 | 2412 | emuuzqzvee.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\0c327b45e2e2619cc1116c01db9fecd4.exe (PID 2228, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c327b45e2e2619cc1116c01db9fecd4.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\emuuzqzvee.exe (PID 2412, level 2)
    Command line: emuuzqzvee.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\pqgwjnpo.exe (PID 3188, level 3)
      Command line: C:\Windows\system32\pqgwjnpo.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\pqgwjnpo.exe (PID 1428, level 2)
    Command line: pqgwjnpo.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\oknrxedzyevak.exe (PID 3680, level 2)
    Command line: oknrxedzyevak.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\aiipkkhuhfaidht.exe (PID 3796, level 2)
    Command line: aiipkkhuhfaidht.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3940, level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads