Analysis
max time kernel: 172s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 06/01/2024, 15:50
Static task: static1
Behavioral task: behavioral1
  Sample: 469c9f35d47dcbbdf7135c893430fa33.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 469c9f35d47dcbbdf7135c893430fa33.exe
  Resource: win10v2004-20231215-en
General
Target: 469c9f35d47dcbbdf7135c893430fa33.exe
Size: 512KB
MD5: 469c9f35d47dcbbdf7135c893430fa33
SHA1: 04b660df1b63c0da69de9b0ff1d3cca546cd548a
SHA256: f74e1f8bb9b8fd81cb1174c39233ca2f6c2726bd0c015e3fc3e87313a4a721bf
SHA512: 96bbf0129bb4af6161b765f02e8d639bb6dcbc83a6996cac274174b003f504c618ae5c30bf04d5925eda1d9a015475fadeb6e1d1929e767b8612aacf5ea7aadb
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pakejpxztr.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pakejpxztr.exe
[signature name not captured in the extraction] (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pakejpxztr.exe
Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pakejpxztr.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | 469c9f35d47dcbbdf7135c893430fa33.exe
Executes dropped EXE (5 IoCs)
  pid | Process
  1120 | pakejpxztr.exe
  1844 | knklgywvvzgbagp.exe
  3648 | pbmnpslm.exe
  3484 | cajrdsmcjhunj.exe
  2056 | pbmnpslm.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
[signature name not captured in the extraction] (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pakejpxztr.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\onjyzeny = "pakejpxztr.exe" | knklgywvvzgbagp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdnqsrtu = "knklgywvvzgbagp.exe" | knklgywvvzgbagp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cajrdsmcjhunj.exe" | knklgywvvzgbagp.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pakejpxztr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pakejpxztr.exe
AutoIT Executable (17 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pbmnpslm.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pbmnpslm.exe
  File created | C:\Windows\SysWOW64\pakejpxztr.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File opened for modification | C:\Windows\SysWOW64\pakejpxztr.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File created | C:\Windows\SysWOW64\knklgywvvzgbagp.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File created | C:\Windows\SysWOW64\pbmnpslm.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File opened for modification | C:\Windows\SysWOW64\pbmnpslm.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pbmnpslm.exe
  File opened for modification | C:\Windows\SysWOW64\knklgywvvzgbagp.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File created | C:\Windows\SysWOW64\cajrdsmcjhunj.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File opened for modification | C:\Windows\SysWOW64\cajrdsmcjhunj.exe | 469c9f35d47dcbbdf7135c893430fa33.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pakejpxztr.exe
Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pbmnpslm.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pbmnpslm.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pbmnpslm.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pbmnpslm.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pbmnpslm.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pbmnpslm.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pbmnpslm.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\mydoc.rtf | 469c9f35d47dcbbdf7135c893430fa33.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFABAF966F195830C3A31819C3E97B38903FE4316033BE1CF42E709D1" | 469c9f35d47dcbbdf7135c893430fa33.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB12847E339EC52CEB9D13299D7CB" | 469c9f35d47dcbbdf7135c893430fa33.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pakejpxztr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pakejpxztr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pakejpxztr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C799C2283236A3677D0772E2DAD7CF365DB" | 469c9f35d47dcbbdf7135c893430fa33.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BC2FE6E22D1D17AD0D28A0C9063" | 469c9f35d47dcbbdf7135c893430fa33.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pakejpxztr.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 469c9f35d47dcbbdf7135c893430fa33.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFFF9482A8213913CD65D7DE7BDEEE141593066426330D79E" | 469c9f35d47dcbbdf7135c893430fa33.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pakejpxztr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pakejpxztr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pakejpxztr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pakejpxztr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pakejpxztr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67515ECDBC5B9BE7FE6ECE537CC" | 469c9f35d47dcbbdf7135c893430fa33.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pakejpxztr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pakejpxztr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pakejpxztr.exe
  Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | 469c9f35d47dcbbdf7135c893430fa33.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  1388 | WINWORD.EXE
  1388 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4652 wrote to memory of 1120 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 91
  PID 4652 wrote to memory of 1120 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 91
  PID 4652 wrote to memory of 1120 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 91
  PID 4652 wrote to memory of 1844 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 92
  PID 4652 wrote to memory of 1844 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 92
  PID 4652 wrote to memory of 1844 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 92
  PID 4652 wrote to memory of 3648 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 96
  PID 4652 wrote to memory of 3648 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 96
  PID 4652 wrote to memory of 3648 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 96
  PID 4652 wrote to memory of 3484 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 93
  PID 4652 wrote to memory of 3484 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 93
  PID 4652 wrote to memory of 3484 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 93
  PID 1120 wrote to memory of 2056 | 1120 | pakejpxztr.exe | 99
  PID 1120 wrote to memory of 2056 | 1120 | pakejpxztr.exe | 99
  PID 1120 wrote to memory of 2056 | 1120 | pakejpxztr.exe | 99
  PID 4652 wrote to memory of 1388 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 97
  PID 4652 wrote to memory of 1388 | 4652 | 469c9f35d47dcbbdf7135c893430fa33.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe (PID 4652)
  command line: "C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\pakejpxztr.exe (PID 1120)
    command line: pakejpxztr.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\pbmnpslm.exe (PID 2056)
      command line: C:\Windows\system32\pbmnpslm.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\knklgywvvzgbagp.exe (PID 1844)
    command line: knklgywvvzgbagp.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\cajrdsmcjhunj.exe (PID 3484)
    command line: cajrdsmcjhunj.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\pbmnpslm.exe (PID 3648)
    command line: pbmnpslm.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1388)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads