Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 13:49
Behavioral task: behavioral1
Sample: b248bcbdbe526815338780a4bff07396.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: b248bcbdbe526815338780a4bff07396.exe
Resource: win10v2004-20240226-en
General
Target: b248bcbdbe526815338780a4bff07396.exe
Size: 54KB
MD5: b248bcbdbe526815338780a4bff07396
SHA1: d3cf32de841b69a366ff21b17f81acf835f1e243
SHA256: f94a26ecbd6c5f4d9a419787eb8a2c1e53e3f994df5d9d1f4664a8142ca262b5
SHA512: f40f3bf86eb0a8b4dee7cb9b9e58b8b2094fd3ece9d129b1514330004fdbd430596484c8537deaec9c5be319619799aef1a17fe4a4432faf97e26418c9acc629
SSDEEP: 1536:bgCZucC+ne/6LyRa85FBcVpm7XqsPnwUB:bgCZA+rLUrBUpEb4k
Malware Config
Signatures
Drops file in Drivers directory 23 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\services | whjtr.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | mxcdkdyn.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | ntbkumxi.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | vxqleglf.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | rfmxvqtb.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | aicmim.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | jwrop.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | b248bcbdbe526815338780a4bff07396.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | lclbsqgn.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | xdjbc.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | tugo.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | cqchoasu.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | nyoklsl.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | voxdqpw.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | wrkupdnu.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | rwtpjae.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | dfgsgs.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | rmguljf.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | bbuakcp.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | wsiyeyn.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | mjaj.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | idxfe.exe
File opened for modification | C:\Windows\system32\drivers\etc\services | imrnrgr.exe
Modifies Installed Components in the registry 2 TTPs 48 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\acqj | rfmxvqtb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\tgaewggr\StubPath = "C:\\Windows\\system32\\tgaewggr.exe" | aicmim.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\xbddd | wrkupdnu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ntdgg\StubPath = "C:\\Windows\\system32\\ntdgg.exe" | tugo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\daup\StubPath = "C:\\Windows\\system32\\daup.exe" | cqchoasu.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\djnxo | rwtpjae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\gxhokn | mxcdkdyn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ntdgg | tugo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\tgaewggr | aicmim.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\uatnieig | imrnrgr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\mfwyd\StubPath = "C:\\Windows\\system32\\mfwyd.exe" | lclbsqgn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\hryc | ntbkumxi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ikksknf\StubPath = "C:\\Windows\\system32\\ikksknf.exe" | vxqleglf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\xbddd\StubPath = "C:\\Windows\\system32\\xbddd.exe" | wrkupdnu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\vjmv\StubPath = "C:\\Windows\\system32\\vjmv.exe" | jwrop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\hbrkww | voxdqpw.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ikksknf | vxqleglf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\djnxo\StubPath = "C:\\Windows\\system32\\djnxo.exe" | rwtpjae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\oiirxjbr | nyoklsl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\mfwyd | lclbsqgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ymcjovp\StubPath = "C:\\Windows\\system32\\ymcjovp.exe" | xdjbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ywdkn | mjaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\hryc\StubPath = "C:\\Windows\\system32\\hryc.exe" | ntbkumxi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ephte | dfgsgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ephte\StubPath = "C:\\Windows\\system32\\ephte.exe" | dfgsgs.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ivjy | bbuakcp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\tpsm | idxfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\tpsm\StubPath = "C:\\Windows\\system32\\tpsm.exe" | idxfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ywdkn\StubPath = "C:\\Windows\\system32\\ywdkn.exe" | mjaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\uatnieig\StubPath = "C:\\Windows\\system32\\uatnieig.exe" | imrnrgr.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\daup | cqchoasu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\oiirxjbr\StubPath = "C:\\Windows\\system32\\oiirxjbr.exe" | nyoklsl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\lldm\StubPath = "C:\\Windows\\system32\\lldm.exe" | rmguljf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\vjmv | jwrop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\acqj\StubPath = "C:\\Windows\\system32\\acqj.exe" | rfmxvqtb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\lldm | rmguljf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\vsfeil\StubPath = "C:\\Windows\\system32\\vsfeil.exe" | jglwddt.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\jgkatwei | wsiyeyn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\jgkatwei\StubPath = "C:\\Windows\\system32\\jgkatwei.exe" | wsiyeyn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ymcjovp | xdjbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\jvluiu | whjtr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\jvluiu\StubPath = "C:\\Windows\\system32\\jvluiu.exe" | whjtr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\gxhokn\StubPath = "C:\\Windows\\system32\\gxhokn.exe" | mxcdkdyn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\vsfeil | jglwddt.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\kdwl | b248bcbdbe526815338780a4bff07396.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\kdwl\StubPath = "C:\\Windows\\system32\\kdwl.exe" | b248bcbdbe526815338780a4bff07396.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ivjy\StubPath = "C:\\Windows\\system32\\ivjy.exe" | bbuakcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\hbrkww\StubPath = "C:\\Windows\\system32\\hbrkww.exe" | voxdqpw.exe
Deletes itself 1 IoCs
pid | Process
1056 | lclbsqgn.exe
Executes dropped EXE 23 IoCs
pid | Process
1056 | lclbsqgn.exe
2112 | bbuakcp.exe
1960 | wsiyeyn.exe
1640 | xdjbc.exe
1796 | mjaj.exe
2712 | ntbkumxi.exe
1812 | voxdqpw.exe
2892 | vxqleglf.exe
924 | whjtr.exe
3040 | wrkupdnu.exe
1044 | mxcdkdyn.exe
3028 | tugo.exe
2924 | cqchoasu.exe
1656 | rwtpjae.exe
2276 | rfmxvqtb.exe
2164 | nyoklsl.exe
2716 | dfgsgs.exe
1264 | rmguljf.exe
1900 | aicmim.exe
3016 | idxfe.exe
2844 | imrnrgr.exe
776 | jwrop.exe
2340 | jglwddt.exe
Loads dropped DLL 46 IoCs
pid | Process
1708 | b248bcbdbe526815338780a4bff07396.exe
1708 | b248bcbdbe526815338780a4bff07396.exe
1056 | lclbsqgn.exe
1056 | lclbsqgn.exe
2112 | bbuakcp.exe
2112 | bbuakcp.exe
1960 | wsiyeyn.exe
1960 | wsiyeyn.exe
1640 | xdjbc.exe
1640 | xdjbc.exe
1796 | mjaj.exe
1796 | mjaj.exe
2712 | ntbkumxi.exe
2712 | ntbkumxi.exe
1812 | voxdqpw.exe
1812 | voxdqpw.exe
2892 | vxqleglf.exe
2892 | vxqleglf.exe
924 | whjtr.exe
924 | whjtr.exe
3040 | wrkupdnu.exe
3040 | wrkupdnu.exe
1044 | mxcdkdyn.exe
1044 | mxcdkdyn.exe
3028 | tugo.exe
3028 | tugo.exe
2924 | cqchoasu.exe
2924 | cqchoasu.exe
1656 | rwtpjae.exe
1656 | rwtpjae.exe
2276 | rfmxvqtb.exe
2276 | rfmxvqtb.exe
2164 | nyoklsl.exe
2164 | nyoklsl.exe
2716 | dfgsgs.exe
2716 | dfgsgs.exe
1264 | rmguljf.exe
1264 | rmguljf.exe
1900 | aicmim.exe
1900 | aicmim.exe
3016 | idxfe.exe
3016 | idxfe.exe
2844 | imrnrgr.exe
2844 | imrnrgr.exe
776 | jwrop.exe
776 | jwrop.exe
resource | yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x000c000000012331-5.dat | upx
behavioral1/memory/1708-6-0x0000000003430000-0x000000000345B000-memory.dmp | upx
behavioral1/memory/1708-14-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1056-15-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1056-30-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2112-33-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2112-49-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1960-50-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1960-66-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1640-67-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1640-82-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1640-84-0x00000000032E0000-0x000000000330B000-memory.dmp | upx
behavioral1/memory/1796-85-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1796-101-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2712-103-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2712-119-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1812-120-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1812-135-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2892-138-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2892-153-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2892-155-0x00000000032F0000-0x000000000331B000-memory.dmp | upx
behavioral1/memory/924-156-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/924-172-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3040-173-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1812-179-0x00000000032D0000-0x00000000032FB000-memory.dmp | upx
behavioral1/memory/3040-189-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1044-192-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1044-203-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3028-205-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3028-215-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2924-216-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2924-228-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1656-227-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1656-238-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2276-239-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2276-251-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2164-250-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2276-249-0x00000000032F0000-0x000000000331B000-memory.dmp | upx
behavioral1/memory/2164-261-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2716-262-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2716-272-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1264-273-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1264-283-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1900-285-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1900-295-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3016-296-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3016-306-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2844-307-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2844-317-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/776-318-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/776-328-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2340-330-0x0000000000400000-0x000000000042B000-memory.dmp | upx
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\lclbsqgn.exe" | b248bcbdbe526815338780a4bff07396.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\bbuakcp.exe" | lclbsqgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\wsiyeyn.exe" | bbuakcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\mjaj.exe" | xdjbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\voxdqpw.exe" | ntbkumxi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\cqchoasu.exe" | tugo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\rfmxvqtb.exe" | rwtpjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\nyoklsl.exe" | rfmxvqtb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\xdjbc.exe" | wsiyeyn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\mxcdkdyn.exe" | wrkupdnu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\rwtpjae.exe" | cqchoasu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\rmguljf.exe" | dfgsgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\aicmim.exe" | rmguljf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\kpefqtim.exe" | jglwddt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\ntbkumxi.exe" | mjaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\whjtr.exe" | vxqleglf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\tugo.exe" | mxcdkdyn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\dfgsgs.exe" | nyoklsl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\imrnrgr.exe" | idxfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\jglwddt.exe" | jwrop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\vxqleglf.exe" | voxdqpw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\wrkupdnu.exe" | whjtr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\idxfe.exe" | aicmim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\jwrop.exe" | imrnrgr.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\bbuakcp.exe | lclbsqgn.exe
File created | C:\Windows\SysWOW64\mfwyd.exe | lclbsqgn.exe
File opened for modification | C:\Windows\SysWOW64\mjaj.exe | xdjbc.exe
File opened for modification | C:\Windows\SysWOW64\nyoklsl.exe | rfmxvqtb.exe
File created | C:\Windows\SysWOW64\kdwl.exe | b248bcbdbe526815338780a4bff07396.exe
File created | C:\Windows\SysWOW64\aicmim.exe | rmguljf.exe
File opened for modification | C:\Windows\SysWOW64\aicmim.exe | rmguljf.exe
File created | C:\Windows\SysWOW64\hbrkww.exe | voxdqpw.exe
File opened for modification | C:\Windows\SysWOW64\rwtpjae.exe | cqchoasu.exe
File opened for modification | C:\Windows\SysWOW64\idxfe.exe | aicmim.exe
File created | C:\Windows\SysWOW64\jwrop.exe | imrnrgr.exe
File created | C:\Windows\SysWOW64\gxhokn.exe | mxcdkdyn.exe
File created | C:\Windows\SysWOW64\cqchoasu.exe | tugo.exe
File created | C:\Windows\SysWOW64\tgaewggr.exe | aicmim.exe
File opened for modification | C:\Windows\SysWOW64\lclbsqgn.exe | b248bcbdbe526815338780a4bff07396.exe
File created | C:\Windows\SysWOW64\mxcdkdyn.exe | wrkupdnu.exe
File created | C:\Windows\SysWOW64\ephte.exe | dfgsgs.exe
File created | C:\Windows\SysWOW64\tpsm.exe | idxfe.exe
File created | C:\Windows\SysWOW64\vjmv.exe | jwrop.exe
File opened for modification | C:\Windows\SysWOW64\bbuakcp.exe | lclbsqgn.exe
File opened for modification | C:\Windows\SysWOW64\wsiyeyn.exe | bbuakcp.exe
File created | C:\Windows\SysWOW64\voxdqpw.exe | ntbkumxi.exe
File created | C:\Windows\SysWOW64\hryc.exe | ntbkumxi.exe
File created | C:\Windows\SysWOW64\wrkupdnu.exe | whjtr.exe
File created | C:\Windows\SysWOW64\ntdgg.exe | tugo.exe
File created | C:\Windows\SysWOW64\oiirxjbr.exe | nyoklsl.exe
File created | C:\Windows\SysWOW64\ivjy.exe | bbuakcp.exe
File opened for modification | C:\Windows\SysWOW64\xdjbc.exe | wsiyeyn.exe
File opened for modification | C:\Windows\SysWOW64\wrkupdnu.exe | whjtr.exe
File opened for modification | C:\Windows\SysWOW64\mxcdkdyn.exe | wrkupdnu.exe
File created | C:\Windows\SysWOW64\rfmxvqtb.exe | rwtpjae.exe
File opened for modification | C:\Windows\SysWOW64\voxdqpw.exe | ntbkumxi.exe
File created | C:\Windows\SysWOW64\ikksknf.exe | vxqleglf.exe
File opened for modification | C:\Windows\SysWOW64\cqchoasu.exe | tugo.exe
File opened for modification | C:\Windows\SysWOW64\rfmxvqtb.exe | rwtpjae.exe
File created | C:\Windows\SysWOW64\djnxo.exe | rwtpjae.exe
File opened for modification | C:\Windows\SysWOW64\dfgsgs.exe | nyoklsl.exe
File opened for modification | C:\Windows\SysWOW64\imrnrgr.exe | idxfe.exe
File created | C:\Windows\SysWOW64\nyoklsl.exe | rfmxvqtb.exe
File created | C:\Windows\SysWOW64\lldm.exe | rmguljf.exe
File created | C:\Windows\SysWOW64\whjtr.exe | vxqleglf.exe
File created | C:\Windows\SysWOW64\daup.exe | cqchoasu.exe
File created | C:\Windows\SysWOW64\acqj.exe | rfmxvqtb.exe
File created | C:\Windows\SysWOW64\rmguljf.exe | dfgsgs.exe
File opened for modification | C:\Windows\SysWOW64\jwrop.exe | imrnrgr.exe
File created | C:\Windows\SysWOW64\wsiyeyn.exe | bbuakcp.exe
File created | C:\Windows\SysWOW64\jgkatwei.exe | wsiyeyn.exe
File opened for modification | C:\Windows\SysWOW64\tugo.exe | mxcdkdyn.exe
File created | C:\Windows\SysWOW64\uatnieig.exe | imrnrgr.exe
File opened for modification | C:\Windows\SysWOW64\kpefqtim.exe | jglwddt.exe
File opened for modification | C:\Windows\SysWOW64\whjtr.exe | vxqleglf.exe
File created | C:\Windows\SysWOW64\dfgsgs.exe | nyoklsl.exe
File created | C:\Windows\SysWOW64\ymcjovp.exe | xdjbc.exe
File created | C:\Windows\SysWOW64\ntbkumxi.exe | mjaj.exe
File created | C:\Windows\SysWOW64\xbddd.exe | wrkupdnu.exe
File created | C:\Windows\SysWOW64\kpefqtim.exe | jglwddt.exe
File created | C:\Windows\SysWOW64\jvluiu.exe | whjtr.exe
File created | C:\Windows\SysWOW64\rwtpjae.exe | cqchoasu.exe
File created | C:\Windows\SysWOW64\jglwddt.exe | jwrop.exe
File opened for modification | C:\Windows\SysWOW64\jglwddt.exe | jwrop.exe
File created | C:\Windows\SysWOW64\vsfeil.exe | jglwddt.exe
File created | C:\Windows\SysWOW64\lclbsqgn.exe | b248bcbdbe526815338780a4bff07396.exe
File created | C:\Windows\SysWOW64\xdjbc.exe | wsiyeyn.exe
File created | C:\Windows\SysWOW64\vxqleglf.exe | voxdqpw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeSystemtimePrivilege | 1708 | b248bcbdbe526815338780a4bff07396.exe
Token: SeSystemtimePrivilege | 1708 | b248bcbdbe526815338780a4bff07396.exe
Token: SeSystemtimePrivilege | 1708 | b248bcbdbe526815338780a4bff07396.exe
Token: SeSystemtimePrivilege | 1708 | b248bcbdbe526815338780a4bff07396.exe
Token: SeSystemtimePrivilege | 1708 | b248bcbdbe526815338780a4bff07396.exe
Token: SeSystemtimePrivilege | 1708 | b248bcbdbe526815338780a4bff07396.exe
Token: SeSystemtimePrivilege | 1056 | lclbsqgn.exe
Token: SeSystemtimePrivilege | 1056 | lclbsqgn.exe
Token: SeSystemtimePrivilege | 1056 | lclbsqgn.exe
Token: SeSystemtimePrivilege | 1056 | lclbsqgn.exe
Token: SeSystemtimePrivilege | 1056 | lclbsqgn.exe
Token: SeSystemtimePrivilege | 1056 | lclbsqgn.exe
Token: SeSystemtimePrivilege | 2112 | bbuakcp.exe
Token: SeSystemtimePrivilege | 2112 | bbuakcp.exe
Token: SeSystemtimePrivilege | 2112 | bbuakcp.exe
Token: SeSystemtimePrivilege | 2112 | bbuakcp.exe
Token: SeSystemtimePrivilege | 2112 | bbuakcp.exe
Token: SeSystemtimePrivilege | 2112 | bbuakcp.exe
Token: SeSystemtimePrivilege | 1960 | wsiyeyn.exe
Token: SeSystemtimePrivilege | 1960 | wsiyeyn.exe
Token: SeSystemtimePrivilege | 1960 | wsiyeyn.exe
Token: SeSystemtimePrivilege | 1960 | wsiyeyn.exe
Token: SeSystemtimePrivilege | 1960 | wsiyeyn.exe
Token: SeSystemtimePrivilege | 1960 | wsiyeyn.exe
Token: SeSystemtimePrivilege | 1640 | xdjbc.exe
Token: SeSystemtimePrivilege | 1640 | xdjbc.exe
Token: SeSystemtimePrivilege | 1640 | xdjbc.exe
Token: SeSystemtimePrivilege | 1640 | xdjbc.exe
Token: SeSystemtimePrivilege | 1640 | xdjbc.exe
Token: SeSystemtimePrivilege | 1640 | xdjbc.exe
Token: SeSystemtimePrivilege | 1796 | mjaj.exe
Token: SeSystemtimePrivilege | 1796 | mjaj.exe
Token: SeSystemtimePrivilege | 1796 | mjaj.exe
Token: SeSystemtimePrivilege | 1796 | mjaj.exe
Token: SeSystemtimePrivilege | 1796 | mjaj.exe
Token: SeSystemtimePrivilege | 1796 | mjaj.exe
Token: SeSystemtimePrivilege | 2712 | ntbkumxi.exe
Token: SeSystemtimePrivilege | 2712 | ntbkumxi.exe
Token: SeSystemtimePrivilege | 2712 | ntbkumxi.exe
Token: SeSystemtimePrivilege | 2712 | ntbkumxi.exe
Token: SeSystemtimePrivilege | 2712 | ntbkumxi.exe
Token: SeSystemtimePrivilege | 2712 | ntbkumxi.exe
Token: SeSystemtimePrivilege | 1812 | voxdqpw.exe
Token: SeSystemtimePrivilege | 1812 | voxdqpw.exe
Token: SeSystemtimePrivilege | 1812 | voxdqpw.exe
Token: SeSystemtimePrivilege | 1812 | voxdqpw.exe
Token: SeSystemtimePrivilege | 1812 | voxdqpw.exe
Token: SeSystemtimePrivilege | 1812 | voxdqpw.exe
Token: SeSystemtimePrivilege | 2892 | vxqleglf.exe
Token: SeSystemtimePrivilege | 2892 | vxqleglf.exe
Token: SeSystemtimePrivilege | 2892 | vxqleglf.exe
Token: SeSystemtimePrivilege | 2892 | vxqleglf.exe
Token: SeSystemtimePrivilege | 2892 | vxqleglf.exe
Token: SeSystemtimePrivilege | 2892 | vxqleglf.exe
Token: SeSystemtimePrivilege | 924 | whjtr.exe
Token: SeSystemtimePrivilege | 924 | whjtr.exe
Token: SeSystemtimePrivilege | 924 | whjtr.exe
Token: SeSystemtimePrivilege | 924 | whjtr.exe
Token: SeSystemtimePrivilege | 924 | whjtr.exe
Token: SeSystemtimePrivilege | 924 | whjtr.exe
Token: SeSystemtimePrivilege | 3040 | wrkupdnu.exe
Token: SeSystemtimePrivilege | 3040 | wrkupdnu.exe
Token: SeSystemtimePrivilege | 3040 | wrkupdnu.exe
Token: SeSystemtimePrivilege | 3040 | wrkupdnu.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1708 wrote to memory of 1056 | 1708 | b248bcbdbe526815338780a4bff07396.exe | 28
PID 1708 wrote to memory of 1056 | 1708 | b248bcbdbe526815338780a4bff07396.exe | 28
PID 1708 wrote to memory of 1056 | 1708 | b248bcbdbe526815338780a4bff07396.exe | 28
PID 1708 wrote to memory of 1056 | 1708 | b248bcbdbe526815338780a4bff07396.exe | 28
PID 1056 wrote to memory of 2112 | 1056 | lclbsqgn.exe | 29
PID 1056 wrote to memory of 2112 | 1056 | lclbsqgn.exe | 29
PID 1056 wrote to memory of 2112 | 1056 | lclbsqgn.exe | 29
PID 1056 wrote to memory of 2112 | 1056 | lclbsqgn.exe | 29
PID 2112 wrote to memory of 1960 | 2112 | bbuakcp.exe | 30
PID 2112 wrote to memory of 1960 | 2112 | bbuakcp.exe | 30
PID 2112 wrote to memory of 1960 | 2112 | bbuakcp.exe | 30
PID 2112 wrote to memory of 1960 | 2112 | bbuakcp.exe | 30
PID 1960 wrote to memory of 1640 | 1960 | wsiyeyn.exe | 31
PID 1960 wrote to memory of 1640 | 1960 | wsiyeyn.exe | 31
PID 1960 wrote to memory of 1640 | 1960 | wsiyeyn.exe | 31
PID 1960 wrote to memory of 1640 | 1960 | wsiyeyn.exe | 31
PID 1640 wrote to memory of 1796 | 1640 | xdjbc.exe | 32
PID 1640 wrote to memory of 1796 | 1640 | xdjbc.exe | 32
PID 1640 wrote to memory of 1796 | 1640 | xdjbc.exe | 32
PID 1640 wrote to memory of 1796 | 1640 | xdjbc.exe | 32
PID 1796 wrote to memory of 2712 | 1796 | mjaj.exe | 33
PID 1796 wrote to memory of 2712 | 1796 | mjaj.exe | 33
PID 1796 wrote to memory of 2712 | 1796 | mjaj.exe | 33
PID 1796 wrote to memory of 2712 | 1796 | mjaj.exe | 33
PID 2712 wrote to memory of 1812 | 2712 | ntbkumxi.exe | 34
PID 2712 wrote to memory of 1812 | 2712 | ntbkumxi.exe | 34
PID 2712 wrote to memory of 1812 | 2712 | ntbkumxi.exe | 34
PID 2712 wrote to memory of 1812 | 2712 | ntbkumxi.exe | 34
PID 1812 wrote to memory of 2892 | 1812 | voxdqpw.exe | 37
PID 1812 wrote to memory of 2892 | 1812 | voxdqpw.exe | 37
PID 1812 wrote to memory of 2892 | 1812 | voxdqpw.exe | 37
PID 1812 wrote to memory of 2892 | 1812 | voxdqpw.exe | 37
PID 2892 wrote to memory of 924 | 2892 | vxqleglf.exe | 38
PID 2892 wrote to memory of 924 | 2892 | vxqleglf.exe | 38
PID 2892 wrote to memory of 924 | 2892 | vxqleglf.exe | 38
PID 2892 wrote to memory of 924 | 2892 | vxqleglf.exe | 38
PID 924 wrote to memory of 3040 | 924 | whjtr.exe | 39
PID 924 wrote to memory of 3040 | 924 | whjtr.exe | 39
PID 924 wrote to memory of 3040 | 924 | whjtr.exe | 39
PID 924 wrote to memory of 3040 | 924 | whjtr.exe | 39
PID 3040 wrote to memory of 1044 | 3040 | wrkupdnu.exe | 40
PID 3040 wrote to memory of 1044 | 3040 | wrkupdnu.exe | 40
PID 3040 wrote to memory of 1044 | 3040 | wrkupdnu.exe | 40
PID 3040 wrote to memory of 1044 | 3040 | wrkupdnu.exe | 40
PID 1044 wrote to memory of 3028 | 1044 | mxcdkdyn.exe | 41
PID 1044 wrote to memory of 3028 | 1044 | mxcdkdyn.exe | 41
PID 1044 wrote to memory of 3028 | 1044 | mxcdkdyn.exe | 41
PID 1044 wrote to memory of 3028 | 1044 | mxcdkdyn.exe | 41
PID 3028 wrote to memory of 2924 | 3028 | tugo.exe | 42
PID 3028 wrote to memory of 2924 | 3028 | tugo.exe | 42
PID 3028 wrote to memory of 2924 | 3028 | tugo.exe | 42
PID 3028 wrote to memory of 2924 | 3028 | tugo.exe | 42
PID 2924 wrote to memory of 1656 | 2924 | cqchoasu.exe | 43
PID 2924 wrote to memory of 1656 | 2924 | cqchoasu.exe | 43
PID 2924 wrote to memory of 1656 | 2924 | cqchoasu.exe | 43
PID 2924 wrote to memory of 1656 | 2924 | cqchoasu.exe | 43
PID 1656 wrote to memory of 2276 | 1656 | rwtpjae.exe | 44
PID 1656 wrote to memory of 2276 | 1656 | rwtpjae.exe | 44
PID 1656 wrote to memory of 2276 | 1656 | rwtpjae.exe | 44
PID 1656 wrote to memory of 2276 | 1656 | rwtpjae.exe | 44
PID 2276 wrote to memory of 2164 | 2276 | rfmxvqtb.exe | 45
PID 2276 wrote to memory of 2164 | 2276 | rfmxvqtb.exe | 45
PID 2276 wrote to memory of 2164 | 2276 | rfmxvqtb.exe | 45
PID 2276 wrote to memory of 2164 | 2276 | rfmxvqtb.exe | 45
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe"
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1708
Process (depth 2): C:\Windows\SysWOW64\lclbsqgn.exe
Command line: "C:\Windows\system32\lclbsqgn.exe" 0C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1056
Process (depth 3): C:\Windows\SysWOW64\bbuakcp.exe
Command line: "C:\Windows\system32\bbuakcp.exe" 0C:\Windows\SysWOW64\lclbsqgn.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2112
Process (depth 4): C:\Windows\SysWOW64\wsiyeyn.exe
Command line: "C:\Windows\system32\wsiyeyn.exe" 0C:\Windows\SysWOW64\bbuakcp.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1960
Process (depth 5): C:\Windows\SysWOW64\xdjbc.exe
Command line: "C:\Windows\system32\xdjbc.exe" 0C:\Windows\SysWOW64\wsiyeyn.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1640
Process (depth 6): C:\Windows\SysWOW64\mjaj.exe
Command line: "C:\Windows\system32\mjaj.exe" 0C:\Windows\SysWOW64\xdjbc.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1796
Level 7: C:\Windows\SysWOW64\ntbkumxi.exe
Command line: "C:\Windows\system32\ntbkumxi.exe" 0
Parent: C:\Windows\SysWOW64\mjaj.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2712
Level 8: C:\Windows\SysWOW64\voxdqpw.exe
Command line: "C:\Windows\system32\voxdqpw.exe" 0
Parent: C:\Windows\SysWOW64\ntbkumxi.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1812
Level 9: C:\Windows\SysWOW64\vxqleglf.exe
Command line: "C:\Windows\system32\vxqleglf.exe" 0
Parent: C:\Windows\SysWOW64\voxdqpw.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2892
Level 10: C:\Windows\SysWOW64\whjtr.exe
Command line: "C:\Windows\system32\whjtr.exe" 0
Parent: C:\Windows\SysWOW64\vxqleglf.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 924
Level 11: C:\Windows\SysWOW64\wrkupdnu.exe
Command line: "C:\Windows\system32\wrkupdnu.exe" 0
Parent: C:\Windows\SysWOW64\whjtr.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3040
Level 12: C:\Windows\SysWOW64\mxcdkdyn.exe
Command line: "C:\Windows\system32\mxcdkdyn.exe" 0
Parent: C:\Windows\SysWOW64\wrkupdnu.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1044
Level 13: C:\Windows\SysWOW64\tugo.exe
Command line: "C:\Windows\system32\tugo.exe" 0
Parent: C:\Windows\SysWOW64\mxcdkdyn.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3028
Level 14: C:\Windows\SysWOW64\cqchoasu.exe
Command line: "C:\Windows\system32\cqchoasu.exe" 0
Parent: C:\Windows\SysWOW64\tugo.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2924
Level 15: C:\Windows\SysWOW64\rwtpjae.exe
Command line: "C:\Windows\system32\rwtpjae.exe" 0
Parent: C:\Windows\SysWOW64\cqchoasu.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1656
Level 16: C:\Windows\SysWOW64\rfmxvqtb.exe
Command line: "C:\Windows\system32\rfmxvqtb.exe" 0
Parent: C:\Windows\SysWOW64\rwtpjae.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2276
Level 17: C:\Windows\SysWOW64\nyoklsl.exe
Command line: "C:\Windows\system32\nyoklsl.exe" 0
Parent: C:\Windows\SysWOW64\rfmxvqtb.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 2164
Level 18: C:\Windows\SysWOW64\dfgsgs.exe
Command line: "C:\Windows\system32\dfgsgs.exe" 0
Parent: C:\Windows\SysWOW64\nyoklsl.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 2716
Level 19: C:\Windows\SysWOW64\rmguljf.exe
Command line: "C:\Windows\system32\rmguljf.exe" 0
Parent: C:\Windows\SysWOW64\dfgsgs.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 1264
Level 20: C:\Windows\SysWOW64\aicmim.exe
Command line: "C:\Windows\system32\aicmim.exe" 0
Parent: C:\Windows\SysWOW64\rmguljf.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 1900
Level 21: C:\Windows\SysWOW64\idxfe.exe
Command line: "C:\Windows\system32\idxfe.exe" 0
Parent: C:\Windows\SysWOW64\aicmim.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 3016
Level 22: C:\Windows\SysWOW64\imrnrgr.exe
Command line: "C:\Windows\system32\imrnrgr.exe" 0
Parent: C:\Windows\SysWOW64\idxfe.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 2844
Level 23: C:\Windows\SysWOW64\jwrop.exe
Command line: "C:\Windows\system32\jwrop.exe" 0
Parent: C:\Windows\SysWOW64\imrnrgr.exe
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 776
Level 24: C:\Windows\SysWOW64\jglwddt.exe
Command line: "C:\Windows\system32\jglwddt.exe" 0
Parent: C:\Windows\SysWOW64\jwrop.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2340
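The tree above is strictly linear: every stage drops one new executable into the system directory, starts it with the single argument 0, and that child repeats the procedure, 24 levels deep. Two details matter when turning this into detection or host triage. First, every child's command line names C:\Windows\system32\ while the image that actually ran lives in C:\Windows\SysWOW64\: the sample is 32-bit, so on this x64 image file-system redirection puts the drops under SysWOW64, and a lookup under System32 will come back empty. Second, the executable names carry no signal; the stable signal is the shape of the spawn (system-directory image, parent also a stage, argument 0). The Python below is an added example written for this page, not tria.ge code and not the sample's. It parses the flattened rows exactly as they appear above (the split into image path, quoted command line, parent image and tree level is this example's reading of that layout, as is the 0 being an argument rather than part of the path), rebuilds the chain with a relay-spawn heuristic of its own, and emits the dropped-stage image paths and PIDs as IOCs. All function and constant names (load_report, is_relay_spawn, relay_chain, chain_iocs, wow64_redirected) are hypothetical.

```python
"""Parse this report's flattened process tree and flag the self-relaying spawn chain (added example)."""
import re
from dataclasses import dataclass

# Rows copied verbatim from the process tree above (constructed input for this example);
# PIDS holds the PID shown under each row, in the same order.
RAW_ROWS = r'''
C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe"C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe"1⤵
C:\Windows\SysWOW64\lclbsqgn.exe"C:\Windows\system32\lclbsqgn.exe" 0C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe2⤵
C:\Windows\SysWOW64\bbuakcp.exe"C:\Windows\system32\bbuakcp.exe" 0C:\Windows\SysWOW64\lclbsqgn.exe3⤵
C:\Windows\SysWOW64\wsiyeyn.exe"C:\Windows\system32\wsiyeyn.exe" 0C:\Windows\SysWOW64\bbuakcp.exe4⤵
C:\Windows\SysWOW64\xdjbc.exe"C:\Windows\system32\xdjbc.exe" 0C:\Windows\SysWOW64\wsiyeyn.exe5⤵
C:\Windows\SysWOW64\mjaj.exe"C:\Windows\system32\mjaj.exe" 0C:\Windows\SysWOW64\xdjbc.exe6⤵
C:\Windows\SysWOW64\ntbkumxi.exe"C:\Windows\system32\ntbkumxi.exe" 0C:\Windows\SysWOW64\mjaj.exe7⤵
C:\Windows\SysWOW64\voxdqpw.exe"C:\Windows\system32\voxdqpw.exe" 0C:\Windows\SysWOW64\ntbkumxi.exe8⤵
C:\Windows\SysWOW64\vxqleglf.exe"C:\Windows\system32\vxqleglf.exe" 0C:\Windows\SysWOW64\voxdqpw.exe9⤵
C:\Windows\SysWOW64\whjtr.exe"C:\Windows\system32\whjtr.exe" 0C:\Windows\SysWOW64\vxqleglf.exe10⤵
C:\Windows\SysWOW64\wrkupdnu.exe"C:\Windows\system32\wrkupdnu.exe" 0C:\Windows\SysWOW64\whjtr.exe11⤵
C:\Windows\SysWOW64\mxcdkdyn.exe"C:\Windows\system32\mxcdkdyn.exe" 0C:\Windows\SysWOW64\wrkupdnu.exe12⤵
C:\Windows\SysWOW64\tugo.exe"C:\Windows\system32\tugo.exe" 0C:\Windows\SysWOW64\mxcdkdyn.exe13⤵
C:\Windows\SysWOW64\cqchoasu.exe"C:\Windows\system32\cqchoasu.exe" 0C:\Windows\SysWOW64\tugo.exe14⤵
C:\Windows\SysWOW64\rwtpjae.exe"C:\Windows\system32\rwtpjae.exe" 0C:\Windows\SysWOW64\cqchoasu.exe15⤵
C:\Windows\SysWOW64\rfmxvqtb.exe"C:\Windows\system32\rfmxvqtb.exe" 0C:\Windows\SysWOW64\rwtpjae.exe16⤵
C:\Windows\SysWOW64\nyoklsl.exe"C:\Windows\system32\nyoklsl.exe" 0C:\Windows\SysWOW64\rfmxvqtb.exe17⤵
C:\Windows\SysWOW64\dfgsgs.exe"C:\Windows\system32\dfgsgs.exe" 0C:\Windows\SysWOW64\nyoklsl.exe18⤵
C:\Windows\SysWOW64\rmguljf.exe"C:\Windows\system32\rmguljf.exe" 0C:\Windows\SysWOW64\dfgsgs.exe19⤵
C:\Windows\SysWOW64\aicmim.exe"C:\Windows\system32\aicmim.exe" 0C:\Windows\SysWOW64\rmguljf.exe20⤵
C:\Windows\SysWOW64\idxfe.exe"C:\Windows\system32\idxfe.exe" 0C:\Windows\SysWOW64\aicmim.exe21⤵
C:\Windows\SysWOW64\imrnrgr.exe"C:\Windows\system32\imrnrgr.exe" 0C:\Windows\SysWOW64\idxfe.exe22⤵
C:\Windows\SysWOW64\jwrop.exe"C:\Windows\system32\jwrop.exe" 0C:\Windows\SysWOW64\imrnrgr.exe23⤵
C:\Windows\SysWOW64\jglwddt.exe"C:\Windows\system32\jglwddt.exe" 0C:\Windows\SysWOW64\jwrop.exe24⤵
'''
PIDS = [1708, 1056, 2112, 1960, 1640, 1796, 2712, 1812, 2892, 924, 3040, 1044,
        3028, 2924, 1656, 2276, 2164, 2716, 1264, 1900, 3016, 2844, 776, 2340]

# One flattened row: <image>"<exe>"<args><parent image><level>⤵. The parent field is absent
# on the root row and must end in ".exe" so a trailing digit in a path is never read as the level.
ROW = re.compile(
    r'^(?P<image>[^"]+)"(?P<exe>[^"]+)"(?P<args>.*?)'
    r'(?P<parent>[A-Z]:\\.*?\.exe)?(?P<level>\d+)⤵$'
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class Proc:
    image: str   # on-disk path of the executable that actually ran
    exe: str     # path as written in the command line (differs under WoW64 redirection)
    args: str    # remaining arguments, stripped
    parent: str  # image path of the parent process; "" for the root
    level: int   # nesting depth shown in the tree, 1 = root
    pid: int

def parse_row(row: str, pid: int) -> Proc:
    m = ROW.match(row.strip())
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    return Proc(m["image"], m["exe"], m["args"].strip(),
                m["parent"] or "", int(m["level"]), pid)

def load_report() -> list:
    rows = [r for r in RAW_ROWS.splitlines() if r.strip()]
    assert len(rows) == len(PIDS), "one PID per row"
    return [parse_row(r, pid) for r, pid in zip(rows, PIDS)]

def wow64_redirected(p: Proc) -> bool:
    """Command line says system32 but the image ran from SysWOW64: a 32-bit binary on
    x64 Windows. Disk and registry IOC lookups must use the SysWOW64 path."""
    return (p.exe.lower().startswith(SYSTEM_DIRS[0])
            and p.image.lower().startswith(SYSTEM_DIRS[1]))

def is_relay_spawn(child: Proc, parent: Proc) -> bool:
    """Edge heuristic for this chain: an executable in a system directory, started by the
    previous stage with the single argument "0", one level deeper in the tree."""
    return (child.parent == parent.image
            and child.level == parent.level + 1
            and child.args == "0"
            and child.image.lower().startswith(SYSTEM_DIRS))

def relay_chain(procs: list) -> list:
    """Follow relay edges from the root and return the linear chain they form."""
    chain = [procs[0]]
    for p in procs[1:]:
        if not is_relay_spawn(p, chain[-1]):
            break
        chain.append(p)
    return chain

def chain_iocs(chain: list) -> list:
    """(image path, pid) for every dropped stage, i.e. everything after the root."""
    return [(p.image, p.pid) for p in chain[1:]]

if __name__ == "__main__":
    procs = load_report()
    chain = relay_chain(procs)
    print(f"{len(procs)} processes, relay chain of {len(chain)} stages, "
          f"{sum(wow64_redirected(p) for p in procs)} running under WoW64")
    for image, pid in chain_iocs(chain):
        print(f"  stage pid={pid:<5} {image}")
```

Run directly, it prints the chain summary and the 23 SysWOW64 image paths to seed a host sweep. The is_relay_spawn predicate is the part worth carrying into a process-creation rule: parent and child image both under SysWOW64 or System32, child command line ending in a lone 0, parent itself not a known Windows binary. Keep the SysWOW64 point in mind when checking the other signatures too: the Run key and Active Setup entries written by a 32-bit process on x64 land under the Wow6432Node views of the registry, not the native ones.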
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: d9e1a01b480d961b7cf0509d597a92d6
  SHA1: a6c322bf661502b33ab802de67022dd21ac87d9a
  SHA256: b26309dfd89a9cc94481536b4d662941429df79873bb59620f53db939ff5ec29
  SHA512: c8653c60d702a29e5bc68cc4dd09baf0d022d6687eb0e3c7731e6a3ebbeaaf17b127bd970fad53140c4155faf70697b631e1b7fd03318d340ae2ee8813e7ad69
- Filesize: 54KB
  MD5: b248bcbdbe526815338780a4bff07396
  SHA1: d3cf32de841b69a366ff21b17f81acf835f1e243
  SHA256: f94a26ecbd6c5f4d9a419787eb8a2c1e53e3f994df5d9d1f4664a8142ca262b5
  SHA512: f40f3bf86eb0a8b4dee7cb9b9e58b8b2094fd3ece9d129b1514330004fdbd430596484c8537deaec9c5be319619799aef1a17fe4a4432faf97e26418c9acc629