Analysis
- max time kernel: 173s
- max time network: 208s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2024, 18:32
Static task: static1
Behavioral task: behavioral1
- Sample: 419bacbe17f2854a74f4dc8147e6b25a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 419bacbe17f2854a74f4dc8147e6b25a.exe
- Resource: win10v2004-20231215-en
General
- Target: 419bacbe17f2854a74f4dc8147e6b25a.exe
- Size: 512KB
- MD5: 419bacbe17f2854a74f4dc8147e6b25a
- SHA1: 5a8c9da397dcbbe098d985da62858a1ab01e014a
- SHA256: 652f8702be627fc380f162a3d568d2214da9141b2494a47da1b958c9491ab2e8
- SHA512: ecfac2a7e03fc0140184f430c5e4241852e09594cec84dc03c76632feab06efc9c39f0aa6292a5029daeae2bac2dfd9a2264cce37a5fdf6e3b755b23b13f1b9e
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bdijmcctcx.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bdijmcctcx.exe
Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bdijmcctcx.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdijmcctcx.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 419bacbe17f2854a74f4dc8147e6b25a.exe
Executes dropped EXE 5 IoCs
pid | process
3472 | bdijmcctcx.exe
1504 | fshuukmigmizkpz.exe
3096 | nzzsrrxx.exe
2868 | hydesxhpwmjee.exe
4692 | nzzsrrxx.exe
Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bdijmcctcx.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgimqfhm = "bdijmcctcx.exe" | fshuukmigmizkpz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fasyfjti = "fshuukmigmizkpz.exe" | fshuukmigmizkpz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hydesxhpwmjee.exe" | fshuukmigmizkpz.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bdijmcctcx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bdijmcctcx.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3356-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000001e7ed-5.dat | autoit_exe
behavioral2/files/0x000700000001e7e9-18.dat | autoit_exe
behavioral2/files/0x000800000001e7ed-23.dat | autoit_exe
behavioral2/files/0x000600000001e7ee-26.dat | autoit_exe
behavioral2/files/0x000300000001e7ef-31.dat | autoit_exe
behavioral2/files/0x000300000001e7ec-56.dat | autoit_exe
behavioral2/files/0x000600000002312d-65.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\bdijmcctcx.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File opened for modification | C:\Windows\SysWOW64\fshuukmigmizkpz.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File opened for modification | C:\Windows\SysWOW64\bdijmcctcx.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File created | C:\Windows\SysWOW64\fshuukmigmizkpz.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File created | C:\Windows\SysWOW64\nzzsrrxx.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File opened for modification | C:\Windows\SysWOW64\nzzsrrxx.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File created | C:\Windows\SysWOW64\hydesxhpwmjee.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File opened for modification | C:\Windows\SysWOW64\hydesxhpwmjee.exe | 419bacbe17f2854a74f4dc8147e6b25a.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bdijmcctcx.exe
Drops file in Program Files directory 15 IoCs
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nzzsrrxx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nzzsrrxx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nzzsrrxx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nzzsrrxx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nzzsrrxx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nzzsrrxx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nzzsrrxx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nzzsrrxx.exe
Drops file in Windows directory 1 IoCs
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 419bacbe17f2854a74f4dc8147e6b25a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 20 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bdijmcctcx.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 419bacbe17f2854a74f4dc8147e6b25a.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 419bacbe17f2854a74f4dc8147e6b25a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CEF965F2E584753B4A86963998B08802F943610233E1C5459909A0" | 419bacbe17f2854a74f4dc8147e6b25a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B02044E4389A52CCB9D0339DD4CE" | 419bacbe17f2854a74f4dc8147e6b25a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC60914E1DBB2B8B97C97ECE534B9" | 419bacbe17f2854a74f4dc8147e6b25a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bdijmcctcx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bdijmcctcx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7C9C2083556A3176D370252DDA7DF665A8" | 419bacbe17f2854a74f4dc8147e6b25a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bdijmcctcx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bdijmcctcx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB2FE6D21ACD108D0A88A0E9167" | 419bacbe17f2854a74f4dc8147e6b25a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bdijmcctcx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bdijmcctcx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bdijmcctcx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bdijmcctcx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FC8E485F856D9042D62F7D9DBC94E635594A67366344D791" | 419bacbe17f2854a74f4dc8147e6b25a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bdijmcctcx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bdijmcctcx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bdijmcctcx.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 19 IoCs
Suspicious use of SendNotifyMessage 19 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | process | procid_target
PID 3356 wrote to memory of 3472 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 96
PID 3356 wrote to memory of 3472 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 96
PID 3356 wrote to memory of 3472 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 96
PID 3356 wrote to memory of 1504 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 97
PID 3356 wrote to memory of 1504 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 97
PID 3356 wrote to memory of 1504 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 97
PID 3356 wrote to memory of 3096 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 98
PID 3356 wrote to memory of 3096 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 98
PID 3356 wrote to memory of 3096 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 98
PID 3356 wrote to memory of 2868 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 99
PID 3356 wrote to memory of 2868 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 99
PID 3356 wrote to memory of 2868 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 99
PID 3472 wrote to memory of 4692 | 3472 | bdijmcctcx.exe | 102
PID 3472 wrote to memory of 4692 | 3472 | bdijmcctcx.exe | 102
PID 3472 wrote to memory of 4692 | 3472 | bdijmcctcx.exe | 102
PID 3356 wrote to memory of 2600 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 106
PID 3356 wrote to memory of 2600 | 3356 | 419bacbe17f2854a74f4dc8147e6b25a.exe | 106
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\419bacbe17f2854a74f4dc8147e6b25a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\419bacbe17f2854a74f4dc8147e6b25a.exe"
  PID: 3356
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\bdijmcctcx.exe (depth 2)
    Command line: bdijmcctcx.exe
    PID: 3472
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\nzzsrrxx.exe (depth 3)
      Command line: C:\Windows\system32\nzzsrrxx.exe
      PID: 4692
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fshuukmigmizkpz.exe (depth 2)
    Command line: fshuukmigmizkpz.exe
    PID: 1504
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nzzsrrxx.exe (depth 2)
    Command line: nzzsrrxx.exe
    PID: 3096
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hydesxhpwmjee.exe (depth 2)
    Command line: hydesxhpwmjee.exe
    PID: 2868
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2600
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads