Analysis
max time kernel: 156s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 19:22
Static task: static1
Behavioral task: behavioral1, sample bc99c4677a06951c7c1b7ce58f5d29d3.exe, resource win7-20240220-en
Behavioral task: behavioral2, sample bc99c4677a06951c7c1b7ce58f5d29d3.exe, resource win10v2004-20240226-en
The signatures, process tree and downloads below are from behavioral2 (win10v2004-20240226-en, x64); the YARA hit paths and the platform field above confirm this.
General
Target: bc99c4677a06951c7c1b7ce58f5d29d3.exe
Size: 512KB
MD5: bc99c4677a06951c7c1b7ce58f5d29d3
SHA1: 7d7d01882e8cf2a5afc3324f88c21817405c5632
SHA256: ce425c663951485304a21f3bd6bfb536f0c270478f411bafc09ebeea86324559
SHA512: c216c2a0ce0dbaf52aae43a70a75f1ffbc812bc1e38057bfa3850dd7d996b48561d97f7240570a65780e30f317cb12a4dbc7357392cf9e967f52115ab29a9721
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  tiuhohagll.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  tiuhohagll.exe
  Note: HideFileExt = 1 and ShowSuperHidden = 0 are also Windows' out-of-the-box settings. The write by tiuhohagll.exe is the indicator; the resulting registry state on its own does not distinguish an infected host from a clean one.
Windows security bypass (5 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  tiuhohagll.exe
  Note: the sample is 32-bit (arch:x86 tag, SysWOW64 drop paths), so these writes were redirected into the WOW6432Node view. The native HKLM\SOFTWARE\Microsoft\Security Center keys that the 64-bit Security Center service reads were not touched.
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tiuhohagll.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  bc99c4677a06951c7c1b7ce58f5d29d3.exe
Executes dropped EXE (5 IoCs)
  PID 3748  tiuhohagll.exe
  PID 1196  rygjvdkvjstrajs.exe
  PID 4840  kfgporfc.exe
  PID 4332  fismwiebwrekz.exe
  PID 3372  kfgporfc.exe
Windows security modification (6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  tiuhohagll.exe
  (Five of these are the same writes listed under "Windows security bypass"; FirstRunDisabled is the additional one.)
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufrvpyew = "tiuhohagll.exe"  rygjvdkvjstrajs.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jgzutngt = "rygjvdkvjstrajs.exe"  rygjvdkvjstrajs.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fismwiebwrekz.exe"  rygjvdkvjstrajs.exe   (the Run key's default value)
  Note: all three entries are bare file names with no path, and they live in the WOW6432Node view of the Run key; a hunt that only enumerates the native HKLM\...\CurrentVersion\Run will miss them.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  tiuhohagll.exe: \??\a: \??\b: \??\e: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:  (22 entries)
  File opened (read-only)  kfgporfc.exe (two instances, PIDs 4840 and 3372): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:  (42 entries, most letters probed twice)
  The report lists at most 64 entries per signature, so the second kfgporfc.exe instance's sweep is cut off.
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  tiuhohagll.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  tiuhohagll.exe
  Note: 4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the legacy value that disabled Windows File Protection on Windows 2000/XP. Windows Vista and later use Windows Resource Protection and ignore SFCDisable, and the write went to the WOW6432Node view anyway, so on this Windows 10 target it has no effect; it is still a useful fingerprint of old-style worm code.
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
  yara rule autoit_exe matched:
  behavioral2/memory/2524-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x000900000002325d-5.dat
  behavioral2/files/0x000800000002325c-18.dat
  behavioral2/files/0x000900000002325f-29.dat
  behavioral2/files/0x000800000002325e-31.dat
  behavioral2/files/0x000800000002325e-28.dat
  behavioral2/files/0x000800000002325e-34.dat
  behavioral2/files/0x000900000002326c-52.dat
Drops file in System32 directory (9 IoCs)
  File created                C:\Windows\SysWOW64\rygjvdkvjstrajs.exe  bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File created                C:\Windows\SysWOW64\kfgporfc.exe         bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File opened for modification  C:\Windows\SysWOW64\kfgporfc.exe       bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File created                C:\Windows\SysWOW64\fismwiebwrekz.exe    bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File opened for modification  C:\Windows\SysWOW64\fismwiebwrekz.exe  bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll       tiuhohagll.exe
  File created                C:\Windows\SysWOW64\tiuhohagll.exe       bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File opened for modification  C:\Windows\SysWOW64\tiuhohagll.exe     bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File opened for modification  C:\Windows\SysWOW64\rygjvdkvjstrajs.exe  bc99c4677a06951c7c1b7ce58f5d29d3.exe
Drops file in Program Files directory (15 IoCs)
  All by kfgporfc.exe:
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File created                  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File created                  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File created                  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Note: with HideFileExt = 1 (set above), Explorer shows PROTTPLN.DOC.exe and PROTTPLV.DOC.exe as "PROTTPLN.DOC" and "PROTTPLV.DOC". The double extension plus the hidden-extension setting is the lure.
Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\mydoc.rtf    bc99c4677a06951c7c1b7ce58f5d29d3.exe
  File opened for modification  C:\Windows\mydoc.rtf    WINWORD.EXE
  File created                  C:\Windows\~$mydoc.rtf  WINWORD.EXE
  The sample writes mydoc.rtf and then launches WINWORD.EXE on it (see the process tree); the ~$ file is Word's own lock file.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Note: both signatures fired on WINWORD.EXE, which the sample launched to display mydoc.rtf, not on the sample itself. Treat these reads as Office start-up behaviour rather than sandbox evasion by the malware.
Modifies registry class (20 IoCs)
  By bc99c4677a06951c7c1b7ce58f5d29d3.exe (opaque hex strings; the report does not decode them):
  Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C089D2C83576A3376A770272CD97D8264AC"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9BDF96AF193840F3B4586E93E97B0FC038C4213023BE1CF42EA09A9"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B12C479038E253B8B9D03293D7C5"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8E4F5A851C9046D72E7D90BDEFE635584567426335D69E"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB3FF6622DED10BD1A78A7C9014"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC60F1491DBBEB9C07C93EDE037CD"
  Key created      \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings
  By tiuhohagll.exe (script file associations redirected to the txtfile ProgID):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
  Note: the trailing backslash denotes the key's default value. Pointing .bat/.reg/.vbs/.wsc/.wsf/.wsh at txtfile makes a double-clicked script or .reg file open in Notepad instead of executing or importing, which blocks the usual script-based clean-up. Together with DisableRegistryTools = 1 above, this is anti-remediation rather than evasion of security software.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2096  WINWORD.EXE  (2 hits)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2524  bc99c4677a06951c7c1b7ce58f5d29d3.exe  (16 hits)
  PID 3748  tiuhohagll.exe                        (10 hits)
  PID 1196  rygjvdkvjstrajs.exe                   (14 hits)
  PID 4840  kfgporfc.exe                          (8 hits)
  PID 4332  fismwiebwrekz.exe                     (16 hits)
Suspicious use of FindShellTrayWindow (19 IoCs)
  PID 2524 bc99c4677a06951c7c1b7ce58f5d29d3.exe (4), PID 3748 tiuhohagll.exe (3), PID 1196 rygjvdkvjstrajs.exe (3), PID 4840 kfgporfc.exe (3), PID 4332 fismwiebwrekz.exe (3), PID 3372 kfgporfc.exe (3)
Suspicious use of SendNotifyMessage (19 IoCs)
  PID 2524 bc99c4677a06951c7c1b7ce58f5d29d3.exe (4), PID 3748 tiuhohagll.exe (3), PID 1196 rygjvdkvjstrajs.exe (3), PID 4840 kfgporfc.exe (3), PID 4332 fismwiebwrekz.exe (3), PID 3372 kfgporfc.exe (3)
Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 2096  WINWORD.EXE  (7 hits)
Suspicious use of WriteProcessMemory (17 IoCs)
  source PID  source process                        target PID  procid_target  writes
  2524        bc99c4677a06951c7c1b7ce58f5d29d3.exe  3748        99             3
  2524        bc99c4677a06951c7c1b7ce58f5d29d3.exe  1196        100            3
  2524        bc99c4677a06951c7c1b7ce58f5d29d3.exe  4840        101            3
  2524        bc99c4677a06951c7c1b7ce58f5d29d3.exe  4332        102            3
  3748        tiuhohagll.exe                        3372        104            3
  2524        bc99c4677a06951c7c1b7ce58f5d29d3.exe  2096        106            2
  Note: every target is a process the source itself launched (see the process tree), and a parent writing a new child's process parameters into it during CreateProcess also triggers this signature. On its own this table is consistent with plain execution of the dropped files, not with injection into an unrelated process.
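Added example (not part of the Triage report): the registry rows above in a form a detection engineer can act on. The script parses the report's flattened "Set value" / "Key created" rows into hive-qualified paths, renders each the way Sysmon would log it (TargetObject under HKLM or HKU\<SID>, "(Default)" for a key's default value, DWORD data as DWORD (0x%08X)), matches a set of constructed Sysmon Event ID 12/13 records against them, and flags the two Explorer settings whose written values coincide with Windows defaults. The Sysmon field conventions and the sample events are assumptions of this example; the IoC rows are copied from the tables above.

```python
"""Normalize Triage registry IoC rows and match them against Sysmon registry events.

Added example for this report page, not Triage code. Assumed Sysmon conventions:
TargetObject uses HKLM / HKU\\<SID>, a key's default value is "(Default)", and
DWORD data is rendered "DWORD (0x%08X)". Event ID 12 = key create/delete, 13 = value set.
"""
import re
from dataclasses import dataclass
from typing import Optional

SID = "S-1-5-21-3808065738-1666277613-1125846146-1000"  # sandbox user SID from the report

# Rows from the signature tables above, in the report's own layout:
#   <action> [(<type>)] <NT key path>[\<value>] [= "<data>"] <process>
RAW_IOCS = [
    r'Set value (int) \REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tiuhohagll.exe' % SID,
    r'Set value (int) \REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tiuhohagll.exe' % SID,
    r'Set value (int) \REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tiuhohagll.exe' % SID,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tiuhohagll.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tiuhohagll.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufrvpyew = "tiuhohagll.exe" rygjvdkvjstrajs.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" tiuhohagll.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat tiuhohagll.exe',
    r'Key value queried \REGISTRY\USER\%s\Control Panel\International\Geo\Nation bc99c4677a06951c7c1b7ce58f5d29d3.exe' % SID,
]

# Settings the sample writes that are also Windows' defaults: the write is evidence,
# the resulting state is not (a clean machine carries the same values).
OS_DEFAULTS = {(r"\explorer\advanced\hidefileext", "1"),
               (r"\explorer\advanced\showsuperhidden", "0")}

_ROW_RE = re.compile(r'^(Set value|Key created|Key value queried|Key opened)'
                     r'(?: \((\w+)\))? (\\REGISTRY\\.*)$')


@dataclass(frozen=True)
class RegIoc:
    action: str                 # Set value / Key created / Key value queried / Key opened
    value_type: Optional[str]   # "int" or "str" for Set value rows, else None
    key: str                    # key path in Sysmon notation (HKLM\..., HKU\<SID>\...)
    value_name: Optional[str]   # None for key-level rows, "" for the key's default value
    data: Optional[str]         # data as printed in the report, quotes removed
    process: str                # image name that performed the operation


def nt_to_sysmon(path: str) -> str:
    """Map NT object-manager hive prefixes to the names Sysmon logs."""
    for nt, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(nt):
            return hive + path[len(nt):]
    raise ValueError(f"unknown hive in {path!r}")


def parse_ioc(row: str) -> RegIoc:
    """Split one report row into fields. The process is always the last token and
    the key path may itself contain spaces ("Security Center", "Windows NT")."""
    body, process = row.rstrip().rsplit(" ", 1)
    m = _ROW_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    action, vtype, rest = m.groups()
    data = None
    if action == "Set value":
        rest, data = rest.split(' = "', 1)
        data = data[:-1]                             # drop the closing quote
    if action in ("Set value", "Key value queried"):
        key, _, value_name = rest.rpartition("\\")   # trailing "\" -> default value ("")
    else:
        key, value_name = rest, None
    return RegIoc(action, vtype, nt_to_sysmon(key), value_name, data, process)


def sysmon_target(ioc: RegIoc) -> str:
    """TargetObject as Sysmon would log it for this key or value."""
    if ioc.value_name is None:
        return ioc.key
    return f"{ioc.key}\\{ioc.value_name or '(Default)'}"


def sysmon_details(ioc: RegIoc) -> Optional[str]:
    """Details field as Sysmon renders it; 4294967197 becomes DWORD (0xFFFFFF9D)."""
    if ioc.data is None:
        return None
    if ioc.value_type == "int":
        return f"DWORD (0x{int(ioc.data) & 0xFFFFFFFF:08X})"
    return ioc.data


def is_os_default(ioc: RegIoc) -> bool:
    target = sysmon_target(ioc).lower()
    return any(target.endswith(suffix) and ioc.data == value for suffix, value in OS_DEFAULTS)


def match_events(events, iocs):
    """Return (event index, ioc, low_signal) for every Sysmon registry event that
    reproduces a report IoC. Reads (Key opened / Key value queried) have no Sysmon
    event type and are skipped."""
    hits = []
    for i, ev in enumerate(events):
        target = ev["TargetObject"].lower()
        for ioc in iocs:
            if sysmon_target(ioc).lower() != target:
                continue
            if ioc.action == "Set value":
                if ev["EventID"] != 13 or ev.get("Details", "").lower() != sysmon_details(ioc).lower():
                    continue
            elif ioc.action == "Key created":
                if ev["EventID"] != 12 or ev.get("EventType") != "CreateKey":
                    continue
            else:
                continue
            hits.append((i, ioc, is_os_default(ioc)))
    return hits


# Constructed Sysmon-style events (not from the report): four reproduce IoCs, one is the
# same Explorer setting written by explorer.exe itself, one is an unrelated benign Run value.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\tiuhohagll.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\rygjvdkvjstrajs.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufrvpyew",
     "Details": "tiuhohagll.exe"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\tiuhohagll.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable",
     "Details": "DWORD (0xFFFFFF9D)"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\SysWOW64\tiuhohagll.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.bat"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

IOCS = [parse_ioc(row) for row in RAW_IOCS]

if __name__ == "__main__":
    for i, ioc, low in match_events(SAMPLE_EVENTS, IOCS):
        flag = "  [state equals OS default: alert on the writing image, not the value]" if low else ""
        print(f"event {i}: {SAMPLE_EVENTS[i]['Image']} -> {sysmon_target(ioc)}{flag}")
```

The second sample event is the point of the low_signal flag: HideFileExt = 1 written by explorer.exe is a user toggling an Explorer option, so a rule keyed on the value alone will fire on clean machines. Key the rule on the writing image (here an executable under SysWOW64 with a random name) and on the WOW6432Node paths, which is where this 32-bit sample's HKLM writes actually land.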
Processes
1  C:\Users\Admin\AppData\Local\Temp\bc99c4677a06951c7c1b7ce58f5d29d3.exe  (PID 2524)
   command line: "C:\Users\Admin\AppData\Local\Temp\bc99c4677a06951c7c1b7ce58f5d29d3.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\tiuhohagll.exe  (PID 3748)
      command line: tiuhohagll.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\kfgporfc.exe  (PID 3372)
         command line: C:\Windows\system32\kfgporfc.exe  (a 32-bit parent asked for System32; WOW64 file-system redirection resolved it to SysWOW64)
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
   2  C:\Windows\SysWOW64\rygjvdkvjstrajs.exe  (PID 1196)
      command line: rygjvdkvjstrajs.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
   2  C:\Windows\SysWOW64\kfgporfc.exe  (PID 4840)
      command line: kfgporfc.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
   2  C:\Windows\SysWOW64\fismwiebwrekz.exe  (PID 4332)
      command line: fismwiebwrekz.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
   2  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 2096)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4360)
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
   (separate tree root with no flagged behaviour: an Edge utility process that ran during the analysis window, not a child of the sample)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
File (no path shown), 512KB
  MD5    a8564abbf3a5a915f3502fe604c318a2
  SHA1   652dcca09125d88d1193abb87274c05c80177e43
  SHA256 df9de67cac9dba235fe2b51a17a85aed0dc93ee70106371971b0366f9c7c189d
  SHA512 593fc7261a39108c3531cae8688d414641c38227d7f671613ad8f41762fff4f901187ae15caaaf2d456382fa3842f47992c94e8cd8b88ba5b2a9c7b48673c44b
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms, 3KB
  MD5    a07bbfb2efc9e4ee265775dd461e4e64
  SHA1   0e8f5b0bc497e76e8d7f36aa4c9e829c98d9be9e
  SHA256 5e45af408ac7b2d3ed3bde1cac0cbb342402500381b38866cb9f4ec35c934ae0
  SHA512 a2f1ec08de4e1b1c855628cffe3af8ef34fc53c5a9f59c528d6bdc8cba9c3a12f0acc4bf35fcda621a98b8953d12ba1b5335ab4704ff4428b72378b8fc12d51a
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms, 3KB
  MD5    4620e2ec0717585078343c079f63ff00
  SHA1   9609e26e49a3b559f18028235c0a708b8d3a3a1e
  SHA256 886e8ceabe51cdc37b4a0017cf87c7059f4b0e7430cd7d28238db01f1a858b13
  SHA512 c3d52a09d7e9d7e0a22da341cf9f06f365778ceb96e3daa9a2a385b9d40848db022ae11d0b5e9a23e9a8fef11f08a01ccddc7d4dc093bb566b01d5135f12e915
File (no path shown), 128KB
  MD5    33be84de0fa03c6883fec2ead970e3ba
  SHA1   dbe35ed4343779aa93200c24966ccb805e18f223
  SHA256 ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
  SHA512 3e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093
File (no path shown), 192KB
  MD5    110f40dbeb901f612cee1dc242fdb309
  SHA1   0d668d172ef81b3f17c1f870513988629c697600
  SHA256 2776ac73ff5e792a5a804395643f25e611d6eb66037ffd261caacd95ae084b82
  SHA512 076fda5dfa04f3c443f91657f607ef768185b7753767eb70d557635d398a76f85c8b3c19c7d864f9c342ced1af18c9c98f6f4da4b7bb86dca104230fa71b6df1
File (no path shown), 64KB
  MD5    d76d22b81130bc9206c7c947d7a9ea5e
  SHA1   5956e88a6ec7949ce5a350e21703307d855f34b1
  SHA256 b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870
  SHA512 112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1
File (no path shown), 512KB
  MD5    c97d61ada1b5fbd6d806fc81bed04609
  SHA1   42c284aeb7ee24c36c88e9d2f024fb6317884451
  SHA256 76ed3377aafe6fed1553753a8860d9636338c3106ab3475e422570995c572522
  SHA512 edaf4d831389f6b3e9d8e1b08db36e69d76b41e869cdfdbe592360d8e4971cb9df560073569791cd1c423f738cb1fe321f2a2c13a275719698c24e88d5cf8c87
File (no path shown), 512KB
  MD5    cef73be4ce53f36ed9c0aa88028a1f71
  SHA1   e798c90b633d07a83d4693b0fd6d6530ae68c6a9
  SHA256 02c24e83fdbd380f7f5f8c3558951f75294768444f5b7785cf0fb55ede7e19ee
  SHA512 b857c905f9b157873503d83db30bd92c2c396a55194208633991e0dbc19d89974d5b1c65cb97383dbf936ab5437315e083bf3ffa79fba829ee31711418d0258f
File (no path shown), 512KB
  MD5    8e2527158da32eeceecacb238fe7a086
  SHA1   0f1c02831dbbb030c166fbb6a4f23117af272f85
  SHA256 6aa51110532d76347b5a1aba8ba40e18df6f04bd7403d72b85a66ec63aef7edf
  SHA512 ac252e02566cc983a2c7804a76d833c6952e828abc997a6d24884b918a22a9a65f1db861f12e54298367de8040746dbcaf871a188bde469900a80fbb3352010e
File (no path shown), 223B
  MD5    06604e5941c126e2e7be02c5cd9f62ec
  SHA1   4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7