Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2024, 02:50
Static task: static1
Behavioral task: behavioral1
- Sample: 85bb1afcb209c6e462a5a0758e02886a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 85bb1afcb209c6e462a5a0758e02886a.exe
- Resource: win10v2004-20231215-en
General
- Target: 85bb1afcb209c6e462a5a0758e02886a.exe
- Size: 512KB
- MD5: 85bb1afcb209c6e462a5a0758e02886a
- SHA1: d71024ae4d476663e9e9d42698515ff16726f7cb
- SHA256: 47c941d290649db65bb691f83c02134889baa324904154945907e581efd2a140
- SHA512: f919243840bdbf682f120bb83858b86f69c830b708519a5f825801d686c3dd40203776d2e5a082985d343be3daf6ce9ac0e64028aa358bc882eeeaa940143215
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: snmpeqsqsh.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: snmpeqsqsh.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: snmpeqsqsh.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: snmpeqsqsh.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
Executes dropped EXE 5 IoCs
- PID 1820 snmpeqsqsh.exe
- PID 4032 ncwlrtkezouuovh.exe
- PID 4964 ygofivqo.exe
- PID 2628 sqkjycdohfeck.exe
- PID 4612 ygofivqo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: snmpeqsqsh.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uaughuhk = "snmpeqsqsh.exe" (process: ncwlrtkezouuovh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ckfxpaee = "ncwlrtkezouuovh.exe" (process: ncwlrtkezouuovh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sqkjycdohfeck.exe" (process: ncwlrtkezouuovh.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root (\??\<letter>:), grouped here by process:
- snmpeqsqsh.exe: 22 opens, one each for \??\a: \??\b: \??\e: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
- ygofivqo.exe: 42 opens covering \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (each letter appears twice except \??\e: \??\q: \??\v: \??\x:, which appear once)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: snmpeqsqsh.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: snmpeqsqsh.exe)
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Resources matching the yara rule autoit_exe:
- behavioral2/memory/1848-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x0008000000023218-5.dat
- behavioral2/files/0x000e00000002316a-18.dat
- behavioral2/files/0x000600000002321e-26.dat
- behavioral2/files/0x000600000002321f-32.dat
- behavioral2/files/0x000400000001d879-82.dat
- behavioral2/files/0x000400000001693d-75.dat
- behavioral2/files/0x000500000001db3e-105.dat
- behavioral2/files/0x000500000001db3e-107.dat
Drops file in System32 directory 12 IoCs
- File opened for modification C:\Windows\SysWOW64\snmpeqsqsh.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File opened for modification C:\Windows\SysWOW64\ncwlrtkezouuovh.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File created C:\Windows\SysWOW64\ygofivqo.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File created C:\Windows\SysWOW64\sqkjycdohfeck.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File opened for modification C:\Windows\SysWOW64\sqkjycdohfeck.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: ygofivqo.exe)
- File created C:\Windows\SysWOW64\snmpeqsqsh.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File created C:\Windows\SysWOW64\ncwlrtkezouuovh.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File opened for modification C:\Windows\SysWOW64\ygofivqo.exe (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: snmpeqsqsh.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: ygofivqo.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: ygofivqo.exe)
Drops file in Program Files directory 15 IoCs
All 15 entries come from ygofivqo.exe, grouped here by path with their occurrence counts:
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (x1)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (x2)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (x2)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (x2)
Drops file in Windows directory 19 IoCs
Grouped here by path with their occurrence counts:
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE) (x1)
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE) (x1)
- File opened for modification C:\Windows\mydoc.rtf (process: 85bb1afcb209c6e462a5a0758e02886a.exe) (x1)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: ygofivqo.exe): File created (x2), File opened for modification (x2)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: ygofivqo.exe): File created (x2), File opened for modification (x2)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: ygofivqo.exe): File created (x2), File opened for modification (x2)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: ygofivqo.exe): File created (x2), File opened for modification (x2)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB4FF1821DFD278D1D28A0E9161" (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C769C2482246A4277D177252DDF7CF664A8" (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12D47E1399D53BEB9D433EDD7C9" (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: snmpeqsqsh.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: snmpeqsqsh.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: snmpeqsqsh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: snmpeqsqsh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: snmpeqsqsh.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: snmpeqsqsh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACEFE6AF195840B3A4586E93994B3FC02FB4214023CE1B845E608A2" (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67A15E4DBB3B9BB7CE5EDE234CC" (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: snmpeqsqsh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: snmpeqsqsh.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: snmpeqsqsh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: snmpeqsqsh.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: snmpeqsqsh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: snmpeqsqsh.exe)
- Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCF9482B851B9031D75D7D91BDE2E143594167426346D79F" (process: 85bb1afcb209c6e462a5a0758e02886a.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 4884 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Grouped here by process with occurrence counts (64 events in total):
- PID 1848 85bb1afcb209c6e462a5a0758e02886a.exe (x16)
- PID 1820 snmpeqsqsh.exe (x10)
- PID 4032 ncwlrtkezouuovh.exe (x12)
- PID 4964 ygofivqo.exe (x8)
- PID 2628 sqkjycdohfeck.exe (x12)
- PID 4612 ygofivqo.exe (x6)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 1848 85bb1afcb209c6e462a5a0758e02886a.exe (x3)
- PID 1820 snmpeqsqsh.exe (x3)
- PID 4032 ncwlrtkezouuovh.exe (x3)
- PID 4964 ygofivqo.exe (x3)
- PID 2628 sqkjycdohfeck.exe (x3)
- PID 4612 ygofivqo.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 1848 85bb1afcb209c6e462a5a0758e02886a.exe (x3)
- PID 1820 snmpeqsqsh.exe (x3)
- PID 4032 ncwlrtkezouuovh.exe (x3)
- PID 4964 ygofivqo.exe (x3)
- PID 2628 sqkjycdohfeck.exe (x3)
- PID 4612 ygofivqo.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 4884 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
Columns are description, pid, process and procid_target; repeated events are grouped with counts:
- PID 1848 wrote to memory of 1820 (pid 1848, 85bb1afcb209c6e462a5a0758e02886a.exe, procid_target 84) (x3)
- PID 1848 wrote to memory of 4032 (pid 1848, 85bb1afcb209c6e462a5a0758e02886a.exe, procid_target 86) (x3)
- PID 1848 wrote to memory of 4964 (pid 1848, 85bb1afcb209c6e462a5a0758e02886a.exe, procid_target 85) (x3)
- PID 1848 wrote to memory of 2628 (pid 1848, 85bb1afcb209c6e462a5a0758e02886a.exe, procid_target 87) (x3)
- PID 1848 wrote to memory of 4884 (pid 1848, 85bb1afcb209c6e462a5a0758e02886a.exe, procid_target 89) (x2)
- PID 1820 wrote to memory of 4612 (pid 1820, snmpeqsqsh.exe, procid_target 90) (x3)
Processes
C:\Users\Admin\AppData\Local\Temp\85bb1afcb209c6e462a5a0758e02886a.exe (PID 1848, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85bb1afcb209c6e462a5a0758e02886a.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\snmpeqsqsh.exe (PID 1820, depth 2)
    Command line: snmpeqsqsh.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ygofivqo.exe (PID 4612, depth 3)
      Command line: C:\Windows\system32\ygofivqo.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ygofivqo.exe (PID 4964, depth 2)
    Command line: ygofivqo.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ncwlrtkezouuovh.exe (PID 4032, depth 2)
    Command line: ncwlrtkezouuovh.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\sqkjycdohfeck.exe (PID 2628, depth 2)
    Command line: sqkjycdohfeck.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4884, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads