Analysis
max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2024, 16:23
Static task: static1
Behavioral task: behavioral1
  Sample: 804c591d6ff5b6254b2830e7095c5616.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 804c591d6ff5b6254b2830e7095c5616.exe
  Resource: win10v2004-20231215-en
General
Target: 804c591d6ff5b6254b2830e7095c5616.exe
Size: 512KB
MD5: 804c591d6ff5b6254b2830e7095c5616
SHA1: 1eeffa7793c6d11fcb824a840122cacdca0011d6
SHA256: f4c7db55a97184b0ab799d8f447197c89d152806effc4ac8d3d23fe559cbc402
SHA512: 88c5e7ec2bef58aaa1750ebd74e71e860550da6f0e39c3ba3da0bc88ea59b623ecaf0e03f0a942758679918f58453749c8f6e0c14817f6210809a87c8889f70a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
(none extracted)

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ztaisvmwgt.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ztaisvmwgt.exe

Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ztaisvmwgt.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ztaisvmwgt.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 804c591d6ff5b6254b2830e7095c5616.exe

Executes dropped EXE (5 IoCs)
pid | Process
3488 | ztaisvmwgt.exe
4564 | fpusuwlzpuzcpfc.exe
2848 | diqcknhw.exe
1988 | paytysjkushxd.exe
3136 | diqcknhw.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ztaisvmwgt.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uuxlrokb = "fpusuwlzpuzcpfc.exe" | fpusuwlzpuzcpfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "paytysjkushxd.exe" | fpusuwlzpuzcpfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqlzlimx = "ztaisvmwgt.exe" | fpusuwlzpuzcpfc.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (the 64 rows are grouped by process; drive roots are listed in the order they were opened)
File opened (read-only) | \??\q: \??\g: \??\z: \??\p: \??\r: \??\x: \??\i: \??\j: \??\k: \??\t: \??\m: \??\w: \??\e: \??\h: \??\n: \??\o: \??\s: \??\u: \??\a: \??\l: \??\b: \??\y: | ztaisvmwgt.exe (22 opens)
File opened (read-only) | \??\h: \??\e: \??\w: \??\z: \??\l: \??\u: \??\w: \??\o: \??\e: \??\o: \??\k: \??\s: \??\j: \??\p: \??\t: \??\v: \??\x: \??\y: \??\q: \??\b: \??\i: \??\u: \??\g: \??\r: \??\k: \??\m: \??\s: \??\g: \??\t: \??\n: \??\h: \??\j: \??\n: \??\z: \??\m: \??\q: \??\b: \??\a: \??\r: \??\a: \??\i: \??\p: | diqcknhw.exe (42 opens)

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ztaisvmwgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ztaisvmwgt.exe

AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/5060-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023127-6.dat | autoit_exe
behavioral2/files/0x0007000000023124-18.dat | autoit_exe
behavioral2/files/0x0007000000023128-27.dat | autoit_exe
behavioral2/files/0x000600000002312b-31.dat | autoit_exe
behavioral2/files/0x0006000000023138-61.dat | autoit_exe
behavioral2/files/0x0006000000023139-64.dat | autoit_exe
behavioral2/files/0x0003000000000717-130.dat | autoit_exe
behavioral2/files/0x0003000000000717-132.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\diqcknhw.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File created | C:\Windows\SysWOW64\paytysjkushxd.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification | C:\Windows\SysWOW64\paytysjkushxd.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | diqcknhw.exe
File created | C:\Windows\SysWOW64\ztaisvmwgt.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification | C:\Windows\SysWOW64\ztaisvmwgt.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File created | C:\Windows\SysWOW64\fpusuwlzpuzcpfc.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification | C:\Windows\SysWOW64\fpusuwlzpuzcpfc.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File created | C:\Windows\SysWOW64\diqcknhw.exe | 804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ztaisvmwgt.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | diqcknhw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | diqcknhw.exe

Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | diqcknhw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | diqcknhw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | diqcknhw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | diqcknhw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | diqcknhw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | diqcknhw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | diqcknhw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | diqcknhw.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15844EF399A53C5BADC329DD4BE" | 804c591d6ff5b6254b2830e7095c5616.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ztaisvmwgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ztaisvmwgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CBFE13F2E384753A4686973EE2B38F03F14262033AE2CE42E608A9" | 804c591d6ff5b6254b2830e7095c5616.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFFF94F29826E9031D65D7DE6BDE6E6375844674F6236D790" | 804c591d6ff5b6254b2830e7095c5616.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ztaisvmwgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7C9C5783566D3F77D670542DD97DF265DD" | 804c591d6ff5b6254b2830e7095c5616.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B4FE6822A9D27CD0A78A749062" | 804c591d6ff5b6254b2830e7095c5616.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ztaisvmwgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ztaisvmwgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ztaisvmwgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ztaisvmwgt.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 804c591d6ff5b6254b2830e7095c5616.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 804c591d6ff5b6254b2830e7095c5616.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C7741493DAB7B9BD7C90ED9534CB" | 804c591d6ff5b6254b2830e7095c5616.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ztaisvmwgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ztaisvmwgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ztaisvmwgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ztaisvmwgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ztaisvmwgt.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process (consecutive identical rows are collapsed, with their count)
3932 | WINWORD.EXE (x2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive identical rows are collapsed, with their count, in the order reported)
5060 | 804c591d6ff5b6254b2830e7095c5616.exe (x16)
3488 | ztaisvmwgt.exe (x10)
4564 | fpusuwlzpuzcpfc.exe (x10)
1988 | paytysjkushxd.exe (x10)
2848 | diqcknhw.exe (x2)
1988 | paytysjkushxd.exe (x2)
2848 | diqcknhw.exe (x6)
4564 | fpusuwlzpuzcpfc.exe (x2)
1988 | paytysjkushxd.exe (x4)
4564 | fpusuwlzpuzcpfc.exe (x2)

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process (consecutive identical rows are collapsed, with their count, in the order reported)
5060 | 804c591d6ff5b6254b2830e7095c5616.exe (x3)
3488 | ztaisvmwgt.exe (x3)
4564 | fpusuwlzpuzcpfc.exe
1988 | paytysjkushxd.exe
2848 | diqcknhw.exe
4564 | fpusuwlzpuzcpfc.exe
1988 | paytysjkushxd.exe
2848 | diqcknhw.exe
4564 | fpusuwlzpuzcpfc.exe
1988 | paytysjkushxd.exe
2848 | diqcknhw.exe
3136 | diqcknhw.exe (x3)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process (consecutive identical rows are collapsed, with their count, in the order reported)
5060 | 804c591d6ff5b6254b2830e7095c5616.exe (x3)
3488 | ztaisvmwgt.exe (x3)
4564 | fpusuwlzpuzcpfc.exe
1988 | paytysjkushxd.exe
2848 | diqcknhw.exe
4564 | fpusuwlzpuzcpfc.exe
1988 | paytysjkushxd.exe
2848 | diqcknhw.exe
4564 | fpusuwlzpuzcpfc.exe
1988 | paytysjkushxd.exe
2848 | diqcknhw.exe
3136 | diqcknhw.exe (x3)

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process (consecutive identical rows are collapsed, with their count)
3932 | WINWORD.EXE (x7)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target (consecutive identical rows are collapsed, with their count)
PID 5060 wrote to memory of 3488 | 5060 | 804c591d6ff5b6254b2830e7095c5616.exe | 84 (x3)
PID 5060 wrote to memory of 4564 | 5060 | 804c591d6ff5b6254b2830e7095c5616.exe | 85 (x3)
PID 5060 wrote to memory of 2848 | 5060 | 804c591d6ff5b6254b2830e7095c5616.exe | 87 (x3)
PID 5060 wrote to memory of 1988 | 5060 | 804c591d6ff5b6254b2830e7095c5616.exe | 86 (x3)
PID 3488 wrote to memory of 3136 | 3488 | ztaisvmwgt.exe | 88 (x3)
PID 5060 wrote to memory of 3932 | 5060 | 804c591d6ff5b6254b2830e7095c5616.exe | 89 (x2)
Processes
(indentation shows the parent/child nesting of the process tree)

C:\Users\Admin\AppData\Local\Temp\804c591d6ff5b6254b2830e7095c5616.exe (PID 5060)
Command line: "C:\Users\Admin\AppData\Local\Temp\804c591d6ff5b6254b2830e7095c5616.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ztaisvmwgt.exe (PID 3488)
  Command line: ztaisvmwgt.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\diqcknhw.exe (PID 3136)
    Command line: C:\Windows\system32\diqcknhw.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fpusuwlzpuzcpfc.exe (PID 4564)
  Command line: fpusuwlzpuzcpfc.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\paytysjkushxd.exe (PID 1988)
  Command line: paytysjkushxd.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\diqcknhw.exe (PID 2848)
  Command line: diqcknhw.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3932)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
(the number after each technique is the count of matched signatures)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads