Analysis
- max time kernel: 160s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/01/2024, 19:51
Static task: static1

Behavioral task: behavioral1
- Sample: 02e961514afb689fdbe3ed00211a8d47.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 02e961514afb689fdbe3ed00211a8d47.exe
- Resource: win10v2004-20231215-en
General
- Target: 02e961514afb689fdbe3ed00211a8d47.exe
- Size: 512KB
- MD5: 02e961514afb689fdbe3ed00211a8d47
- SHA1: 31f2d960acd0f5d2390d16baeb3504e4fe866d84
- SHA256: 6588989ffa67d28b571211f87008a0139937a343fc7802830cd83e95e6bd3f52
- SHA512: e77cea2feb48fa560bd8e9391c43d7bacd20b30af7bef5585afddd1860610424e3ce2196d80439d4e94379e5be2f7bf60bc8952a413ff55e252f996cd61d2d21
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Description | IoC | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ggikqzvtdq.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Description | IoC | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ggikqzvtdq.exe

Windows security bypass
Description | IoC | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ggikqzvtdq.exe
Disables RegEdit via registry modification (1 IoCs)
Description | IoC | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ggikqzvtdq.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 02e961514afb689fdbe3ed00211a8d47.exe
Executes dropped EXE (5 IoCs)
PID | Process
- 5008 | ggikqzvtdq.exe
- 4444 | rarazgifisgowke.exe
- 1244 | eroavkaw.exe
- 4908 | vleezdhmxnodf.exe
- 3932 | eroavkaw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification
Description | IoC | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ggikqzvtdq.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Description | IoC | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrsbhqqw = "ggikqzvtdq.exe" | rarazgifisgowke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cglivwru = "rarazgifisgowke.exe" | rarazgifisgowke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vleezdhmxnodf.exe" | rarazgifisgowke.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Description | IoC | Process
- File opened (read-only) | \??\u: | eroavkaw.exe
- File opened (read-only) | \??\v: | eroavkaw.exe
- File opened (read-only) | \??\v: | ggikqzvtdq.exe
- File opened (read-only) | \??\x: | ggikqzvtdq.exe
- File opened (read-only) | \??\o: | eroavkaw.exe
- File opened (read-only) | \??\j: | eroavkaw.exe
- File opened (read-only) | \??\e: | eroavkaw.exe
- File opened (read-only) | \??\g: | eroavkaw.exe
- File opened (read-only) | \??\i: | ggikqzvtdq.exe
- File opened (read-only) | \??\l: | ggikqzvtdq.exe
- File opened (read-only) | \??\a: | eroavkaw.exe
- File opened (read-only) | \??\b: | eroavkaw.exe
- File opened (read-only) | \??\q: | eroavkaw.exe
- File opened (read-only) | \??\k: | eroavkaw.exe
- File opened (read-only) | \??\n: | eroavkaw.exe
- File opened (read-only) | \??\t: | eroavkaw.exe
- File opened (read-only) | \??\z: | eroavkaw.exe
- File opened (read-only) | \??\m: | ggikqzvtdq.exe
- File opened (read-only) | \??\x: | eroavkaw.exe
- File opened (read-only) | \??\s: | ggikqzvtdq.exe
- File opened (read-only) | \??\g: | eroavkaw.exe
- File opened (read-only) | \??\h: | eroavkaw.exe
- File opened (read-only) | \??\u: | eroavkaw.exe
- File opened (read-only) | \??\z: | ggikqzvtdq.exe
- File opened (read-only) | \??\i: | eroavkaw.exe
- File opened (read-only) | \??\i: | eroavkaw.exe
- File opened (read-only) | \??\l: | eroavkaw.exe
- File opened (read-only) | \??\p: | eroavkaw.exe
- File opened (read-only) | \??\e: | ggikqzvtdq.exe
- File opened (read-only) | \??\r: | ggikqzvtdq.exe
- File opened (read-only) | \??\y: | ggikqzvtdq.exe
- File opened (read-only) | \??\b: | eroavkaw.exe
- File opened (read-only) | \??\r: | eroavkaw.exe
- File opened (read-only) | \??\s: | eroavkaw.exe
- File opened (read-only) | \??\q: | ggikqzvtdq.exe
- File opened (read-only) | \??\v: | eroavkaw.exe
- File opened (read-only) | \??\a: | ggikqzvtdq.exe
- File opened (read-only) | \??\g: | ggikqzvtdq.exe
- File opened (read-only) | \??\j: | eroavkaw.exe
- File opened (read-only) | \??\p: | eroavkaw.exe
- File opened (read-only) | \??\k: | eroavkaw.exe
- File opened (read-only) | \??\r: | eroavkaw.exe
- File opened (read-only) | \??\h: | eroavkaw.exe
- File opened (read-only) | \??\y: | eroavkaw.exe
- File opened (read-only) | \??\o: | ggikqzvtdq.exe
- File opened (read-only) | \??\t: | ggikqzvtdq.exe
- File opened (read-only) | \??\n: | eroavkaw.exe
- File opened (read-only) | \??\p: | ggikqzvtdq.exe
- File opened (read-only) | \??\t: | eroavkaw.exe
- File opened (read-only) | \??\e: | eroavkaw.exe
- File opened (read-only) | \??\w: | eroavkaw.exe
- File opened (read-only) | \??\u: | ggikqzvtdq.exe
- File opened (read-only) | \??\j: | ggikqzvtdq.exe
- File opened (read-only) | \??\s: | eroavkaw.exe
- File opened (read-only) | \??\w: | eroavkaw.exe
- File opened (read-only) | \??\a: | eroavkaw.exe
- File opened (read-only) | \??\m: | eroavkaw.exe
- File opened (read-only) | \??\o: | eroavkaw.exe
- File opened (read-only) | \??\b: | ggikqzvtdq.exe
- File opened (read-only) | \??\h: | ggikqzvtdq.exe
- File opened (read-only) | \??\y: | eroavkaw.exe
- File opened (read-only) | \??\z: | eroavkaw.exe
- File opened (read-only) | \??\k: | ggikqzvtdq.exe
- File opened (read-only) | \??\l: | eroavkaw.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Description | IoC | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ggikqzvtdq.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ggikqzvtdq.exe
AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
Resource | YARA rule
- behavioral2/memory/4964-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x0006000000023207-5.dat | autoit_exe
- behavioral2/files/0x0007000000023203-18.dat | autoit_exe
- behavioral2/files/0x0007000000023203-19.dat | autoit_exe
- behavioral2/files/0x0006000000023207-23.dat | autoit_exe
- behavioral2/files/0x0006000000023207-22.dat | autoit_exe
- behavioral2/files/0x0006000000023208-26.dat | autoit_exe
- behavioral2/files/0x0006000000023209-32.dat | autoit_exe
- behavioral2/files/0x0006000000023209-31.dat | autoit_exe
- behavioral2/files/0x0006000000023208-27.dat | autoit_exe
- behavioral2/files/0x0006000000023208-35.dat | autoit_exe
- behavioral2/files/0x0006000000023211-72.dat | autoit_exe
- behavioral2/files/0x0007000000023224-91.dat | autoit_exe
- behavioral2/files/0x000b000000023102-115.dat | autoit_exe
- behavioral2/files/0x000b000000023102-128.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
Description | IoC | Process
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eroavkaw.exe
- File opened for modification | C:\Windows\SysWOW64\ggikqzvtdq.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File created | C:\Windows\SysWOW64\rarazgifisgowke.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eroavkaw.exe
- File created | C:\Windows\SysWOW64\ggikqzvtdq.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File opened for modification | C:\Windows\SysWOW64\vleezdhmxnodf.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ggikqzvtdq.exe
- File created | C:\Windows\SysWOW64\eroavkaw.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File opened for modification | C:\Windows\SysWOW64\eroavkaw.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File created | C:\Windows\SysWOW64\vleezdhmxnodf.exe | 02e961514afb689fdbe3ed00211a8d47.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eroavkaw.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eroavkaw.exe
- File opened for modification | C:\Windows\SysWOW64\rarazgifisgowke.exe | 02e961514afb689fdbe3ed00211a8d47.exe
Drops file in Program Files directory (14 IoCs)
Description | IoC | Process
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eroavkaw.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eroavkaw.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eroavkaw.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | eroavkaw.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eroavkaw.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eroavkaw.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | eroavkaw.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eroavkaw.exe
Drops file in Windows directory (3 IoCs)
Description | IoC | Process
- File opened for modification | C:\Windows\mydoc.rtf | 02e961514afb689fdbe3ed00211a8d47.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Description | IoC | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Description | IoC | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8B485C856D9032D7587D9DBDE0E643593267316343D7E9" | 02e961514afb689fdbe3ed00211a8d47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC60F1597DAB2B9B97FE3ECE737CC" | 02e961514afb689fdbe3ed00211a8d47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ggikqzvtdq.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 02e961514afb689fdbe3ed00211a8d47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B7FF6721DAD278D1D68B789014" | 02e961514afb689fdbe3ed00211a8d47.exe
- Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | 02e961514afb689fdbe3ed00211a8d47.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ggikqzvtdq.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ggikqzvtdq.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C7F9C2083546D4677A177202DDA7DF365D8" | 02e961514afb689fdbe3ed00211a8d47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFACCFE16F198847A3B4686EB3997B0FD038C43160349E2C942EB08D6" | 02e961514afb689fdbe3ed00211a8d47.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ggikqzvtdq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02847E139E352C8BAA032EDD4BE" | 02e961514afb689fdbe3ed00211a8d47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ggikqzvtdq.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ggikqzvtdq.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
PID | Process
- 388 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process (consecutive identical rows collapsed, count in parentheses)
- 4964 | 02e961514afb689fdbe3ed00211a8d47.exe (x16)
- 5008 | ggikqzvtdq.exe (x2)
- 1244 | eroavkaw.exe (x1)
- 5008 | ggikqzvtdq.exe (x2)
- 1244 | eroavkaw.exe (x1)
- 5008 | ggikqzvtdq.exe (x4)
- 1244 | eroavkaw.exe (x6)
- 4908 | vleezdhmxnodf.exe (x1)
- 5008 | ggikqzvtdq.exe (x1)
- 4908 | vleezdhmxnodf.exe (x1)
- 5008 | ggikqzvtdq.exe (x1)
- 4908 | vleezdhmxnodf.exe (x8)
- 4444 | rarazgifisgowke.exe (x2)
- 4908 | vleezdhmxnodf.exe (x2)
- 4444 | rarazgifisgowke.exe (x10)
- 3932 | eroavkaw.exe (x6)
Suspicious use of FindShellTrayWindow (18 IoCs)
PID | Process (consecutive identical rows collapsed, count in parentheses)
- 4964 | 02e961514afb689fdbe3ed00211a8d47.exe (x3)
- 5008 | ggikqzvtdq.exe (x3)
- 4444 | rarazgifisgowke.exe (x3)
- 4908 | vleezdhmxnodf.exe (x3)
- 1244 | eroavkaw.exe (x3)
- 3932 | eroavkaw.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
PID | Process (consecutive identical rows collapsed, count in parentheses)
- 4964 | 02e961514afb689fdbe3ed00211a8d47.exe (x3)
- 5008 | ggikqzvtdq.exe (x3)
- 4444 | rarazgifisgowke.exe (x3)
- 4908 | vleezdhmxnodf.exe (x3)
- 1244 | eroavkaw.exe (x3)
- 3932 | eroavkaw.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
PID | Process
- 388 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
Description | PID | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
- PID 4964 wrote to memory of 5008 | 4964 | 02e961514afb689fdbe3ed00211a8d47.exe | 91 (x3)
- PID 4964 wrote to memory of 4444 | 4964 | 02e961514afb689fdbe3ed00211a8d47.exe | 92 (x3)
- PID 4964 wrote to memory of 1244 | 4964 | 02e961514afb689fdbe3ed00211a8d47.exe | 94 (x3)
- PID 4964 wrote to memory of 4908 | 4964 | 02e961514afb689fdbe3ed00211a8d47.exe | 93 (x3)
- PID 4964 wrote to memory of 388 | 4964 | 02e961514afb689fdbe3ed00211a8d47.exe | 96 (x2)
- PID 5008 wrote to memory of 3932 | 5008 | ggikqzvtdq.exe | 98 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\02e961514afb689fdbe3ed00211a8d47.exe (depth 1, PID 4964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02e961514afb689fdbe3ed00211a8d47.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\ggikqzvtdq.exe (depth 2, PID 5008)
    Command line: ggikqzvtdq.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\eroavkaw.exe (depth 3, PID 3932)
      Command line: C:\Windows\system32\eroavkaw.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\rarazgifisgowke.exe (depth 2, PID 4444)
    Command line: rarazgifisgowke.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\vleezdhmxnodf.exe (depth 2, PID 4908)
    Command line: vleezdhmxnodf.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\eroavkaw.exe (depth 2, PID 1244)
    Command line: eroavkaw.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 388)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 44KB
  MD5: 31c4018e6e57b99e6c722a73b6abb392
  SHA1: ef7b3a2cdd552227e6a95b815ccb9f4bf1e84166
  SHA256: 7f267b5eaca7ff4377bf0d24149b634ee152bf259655f94b6c3083616d423f7e
  SHA512: fc8eb138f2f3ae9d6f91febbcef9bf0d36c8398f7e54486a2373af1ae68df107530e6a9452b700ee962ca842d64a7991a6a188bffca8a5ada82b2579eab8da4f
- Filesize: 239B
  MD5: 602dad6ee0e60cde6698692534ef100b
  SHA1: c3e20be4cf62746964ff865964f4f354d412bfac
  SHA256: 596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598
  SHA512: bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: f15b3e94950ba4a750ea7d830600c61a
  SHA1: a6fe8240c906a7d11fc14d589d174391665dab64
  SHA256: 32f8d4633e4b2837cfc0de5d8007cd79f2df0789774187b3e5a9ed08a7a1437e
  SHA512: 0651a771d9224137b15b2187120f7c820d5f9e97fdca5fccd745c7113aecb5cb5d88a4acd62173e61767d6ac612d92994884062eed1a7f6409820206f87e92f3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 480c5d2b1569779ba9b8c87a3604dacd
  SHA1: 7647271c13cbc622374f145e844434de26668357
  SHA256: ea32dac63f17c2695a13c59bce9e82b8137d1e962cbe982084a33808a4ff9b63
  SHA512: 19ccacb7b5f0a7d30f88ae33f88730d4619f8ebda07c18887aa976adf34627438795d671e380b45bf2f98c72aba1de9c7c2b96b32d2dbd4d84e7deac1eda4541
- Filesize: 122KB
  MD5: db8d37e8bbd8f9b287541cc875bc86ed
  SHA1: 26774b063cb869321f7424cd6f57027b0b6f2954
  SHA256: 45916e7c78c30975d45ef2329b4dae361638201815d102370bdd07cd22e35b9a
  SHA512: 93269e8ba78bb8bd753f031528129e948dd4c55a89b87084f2c40bc9347277019fd9340d3ed13d614c890aee592a8bff898de345e70ab4cbd6236774bb5c46ad
- Filesize: 246KB
  MD5: 6be078b082074168cacd2aacdb3232f7
  SHA1: 754da48db1c7a5c4a20e3224632074bae7064946
  SHA256: 8db15e07a849036fade9e28ad9c80f99a731d08b38d28627fd979a015168c214
  SHA512: 0dc0cb4bd527bde543b7b36f52150d2da0f9d9efd4503cd34a1fde45fd15a8c3bed79e7d661a52de439287647d1cc3a89f21d0ccd3f5e6f6fb84e130a608d807
- Filesize: 151KB
  MD5: 4cc3db4a0cfcd87c8422ad11962e890f
  SHA1: 391ed69ea8e2f246aa3689ddfa31d10ea4db823c
  SHA256: f466d7b1331fbd337a98262789085024041c8d07e2d15ef010a5604cd82e121b
  SHA512: 89636a2e57c262decab5efec61b6a4f0c90c0dfc3fc72ea8339b8b1ddbb4f6d6904661fecb7cbdad1be512bd3cf53ae0945a299548920e38b3256a03749dea0c
- Filesize: 141KB
  MD5: 7ece450a841c521e33989c9a29ce817c
  SHA1: 7c17636c6d94d7ee62ad162af41600ebad8594b9
  SHA256: bb6d9c60622dcd4e730197c37f224cc02a21ac4954d1e2bbc13e133034f9940c
  SHA512: 493aa791d856346148ec1f957de04b2f408890a49baed7c19600e496cb25676a3a568e1697f35ddf844e19b206a375bf980efa36da0004ba9707211d053faee2
- Filesize: 170KB
  MD5: 30e1f2a68051d8c39204796d80d7511a
  SHA1: 2f94ee8325da2718d5dab7bf0612088bd8fdeefd
  SHA256: 34a1a0e6abe778bfe233e58baca09a8564150ddf5fdf01a6c3ffd633f2165649
  SHA512: b3017f9879efbf67160c3331a383527d374dc2c798d1d9d33111d57aca275d6bcad040ae3925356f227b5b1bdfd2019c9a8f697ed729f849431293fa8015b65d
- Filesize: 240KB
  MD5: 9610364f2ec665f597e730b1d8d92801
  SHA1: 07a64fe680ffe3e3053bf90ee55eca02010bec99
  SHA256: 3aa74ceb45c1ae145b75e7c49756c63f7230124ff0066ce7296b4e256fb8d11b
  SHA512: 5274e9dffa55dabcc9654046bfcac11e91dc86d4fb41d1c4b34208def5a70125459f9a9ab4c2e99a2b7fec2e2049b551b9d5c1963bcd264327fc9b344196ce38
- Filesize: 163KB
  MD5: 1703e67f5edf777f4b4a15923e76bbd1
  SHA1: d4f58ea914903adb62fe4fe22abbbda81cd1ff96
  SHA256: a6493ae7d5927075441c254c07fbd7e504f3566e4a13e812f95d9bfac80f9fc6
  SHA512: 2e7ae265f50ab397e334fc2db5ab240b801ae0a369dd5eeac32aaa2b54a0194a1d945cd9d60941e160327e1b853f21d85881e1e86425070aecf42c2174a8433d
- Filesize: 223KB
  MD5: 466f020a546a6728e0ddecf62c98c14a
  SHA1: 3c1702653dd79ab95c379790d00f930968d22ad8
  SHA256: 1c16d3a9ace94dcb53f9fecf38f8eaa826365198e623457d01e7da254be675ba
  SHA512: 807877d3e4f63d0c5afe2e7784b01291392a8f4275a87cc713dfa6d9a3b8d90e3b27ad26fe73707a298dbf82a554b915da378491ad09d32a12b89a542a7cf627
- Filesize: 202KB
  MD5: 72130155b83a0202a21a0a8bb9e9640f
  SHA1: 70b82bc6b7698c4aaf37cf46872f4e1cb7addef6
  SHA256: faa8a93a154c566be14fa22fa0e6a9ace94054eebba1918deb3f10c32a86b529
  SHA512: 8f651b7b476b08469321e3352f777aac8eed842c065910c095285855179ec660045bb568dc8c7382d8e55421d777ce321221fbd3e30d32ac3b12fd56e3c3f91f
- Filesize: 189KB
  MD5: e2ed77e419b781266d8c849a48f6d759
  SHA1: 2bd8c720a4dc0422d4d8a804583dca055dc02b93
  SHA256: a5f8c1da22889d192724ccbe5d7c73e39f54cf0464b1c323f287cbcd1c3c9099
  SHA512: ce47e5e2d557e4c60b440786737f96a67b2301ee0a5017c9f26d12959af597a09707bc82813fac3c6d02c066335f93092ad187aa129c7f6a999ff1deae7ab679
- Filesize: 257KB
  MD5: c0ee7a6f407a5ce955bfb9b8b624ece1
  SHA1: 2a2df0c2a176829e4cfef8512dd746c77b30c5a6
  SHA256: b90e72e04e61c56d78b5f04521360a70b53a8ccd4a24f849d14653bda7e2f4b5
  SHA512: 10791023b2bc5c8fdbcf59283d513ebeb5f56be4ece5d6fc1407472def56ebd76b1cef8cb8f99691bd2981a7def74f671641bab969899faee4f2a3a60f865a4d
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 72bf72ace609a65dfc203ca26fa41fb3
  SHA1: 1897975be0ada2cf378091000ef476cc49246167
  SHA256: 375bb02c6aa6f119e28904728a2da08a2d8e68748987f2cccbe1d6b1b2765a4f
  SHA512: 6abf35a874c5a064df80dfe1a8ff1a6510d2cd153ddf925cff1b2ba7327086b085408fbe51c045596000c99cf0765cba6b185d8730ac27328092fda19650fad6
- Filesize: 512KB
  MD5: a9bf73e1a5a59dca9b636333b7d4ff92
  SHA1: adbb1ba74591d22ef92cde1d39c9c0e9c7f93335
  SHA256: 18d4236ba5e6fdc5dee2560e2366626a836fd50e633e9936d907eb5b4dfe6ee9
  SHA512: 0923d1dc7c37c09fe48e506a4a310f74eb69a6427f1200d54016434941e86105b7508af22ef368238fbeeec1a76cf8919dee2e87617e4ee1cb43c3393e95087b