Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 18:15
Behavioral task: behavioral1
Sample: 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Resource: win7-20240215-en
General
Target: 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Size: 255KB
MD5: d5e6eb889b72ac38dd8d6b4e57d24fe7
SHA1: 0dde6215e031b81db381cf824de5c43612da4002
SHA256: 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd
SHA512: 915465aa96ba25bdb7dc716d33d5b8f1dbcc72f53cf760ef09a279b662ecd12981a84e2b84aca1c6e9403b3842415b93e55ed4763baec035862c44eb2771c137
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJC:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIb
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cqiiztykwd.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cqiiztykwd.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cqiiztykwd.exe
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/memory/4148-0-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x000900000002326e-5.dat UPX behavioral2/files/0x000800000002326d-18.dat UPX behavioral2/memory/4148-19-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-21-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-25-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x000800000002326f-27.dat UPX behavioral2/memory/4184-31-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x0009000000023270-33.dat UPX behavioral2/memory/4148-36-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-37-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4148-39-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-43-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-45-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-47-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-48-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-59-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x0008000000023115-67.dat UPX behavioral2/files/0x0007000000023277-73.dat UPX behavioral2/memory/3056-77-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-78-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-79-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-80-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-81-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-82-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-95-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-96-0x0000000000400000-0x00000000004A0000-memory.dmp UPX 
behavioral2/memory/3056-109-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-110-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-111-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-112-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-113-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-114-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-116-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-117-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-118-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-119-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-120-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-121-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-122-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-123-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-124-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x00030000000227ea-127.dat UPX behavioral2/memory/3248-133-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-135-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-136-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-137-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-138-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-139-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-142-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-143-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-144-0x0000000000400000-0x00000000004A0000-memory.dmp UPX 
behavioral2/memory/4332-145-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3248-146-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/3056-149-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-150-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-151-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4332-152-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x000800000002329a-155.dat UPX behavioral2/memory/3248-161-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/files/0x000800000002329a-165.dat UPX behavioral2/memory/3056-167-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4884-168-0x0000000000400000-0x00000000004A0000-memory.dmp UPX behavioral2/memory/4184-169-0x0000000000400000-0x00000000004A0000-memory.dmp UPX -
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cqiiztykwd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Executes dropped EXE 5 IoCs
pid | Process
3056 | cqiiztykwd.exe
4884 | iuqukzlnevpqitt.exe
4184 | hyrvqvci.exe
4332 | qdatxkkvjnzot.exe
3248 | hyrvqvci.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource yara_rule behavioral2/memory/4148-0-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000900000002326e-5.dat upx behavioral2/files/0x000800000002326d-18.dat upx behavioral2/memory/4148-19-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-21-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-25-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000800000002326f-27.dat upx behavioral2/memory/4184-31-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0009000000023270-33.dat upx behavioral2/memory/4148-36-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-37-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4148-39-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-43-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-45-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-47-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-48-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-59-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0008000000023115-67.dat upx behavioral2/files/0x0007000000023277-73.dat upx behavioral2/memory/3056-77-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-78-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-79-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-80-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-81-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-82-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-95-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-96-0x0000000000400000-0x00000000004A0000-memory.dmp upx 
behavioral2/memory/3056-109-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-110-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-111-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-112-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-113-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-114-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-116-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-117-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-118-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-119-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-120-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-121-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-122-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-123-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-124-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x00030000000227ea-127.dat upx behavioral2/memory/3248-133-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-135-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-136-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-137-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-138-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-139-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-142-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-143-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-144-0x0000000000400000-0x00000000004A0000-memory.dmp upx 
behavioral2/memory/4332-145-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3248-146-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3056-149-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-150-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-151-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4332-152-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000800000002329a-155.dat upx behavioral2/memory/3248-161-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000800000002329a-165.dat upx behavioral2/memory/3056-167-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4884-168-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4184-169-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cqiiztykwd.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ulposjqr = "cqiiztykwd.exe" | iuqukzlnevpqitt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ysgkhiee = "iuqukzlnevpqitt.exe" | iuqukzlnevpqitt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qdatxkkvjnzot.exe" | iuqukzlnevpqitt.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: hyrvqvci.exe File opened (read-only) \??\q: hyrvqvci.exe File opened (read-only) \??\s: hyrvqvci.exe File opened (read-only) \??\a: cqiiztykwd.exe File opened (read-only) \??\m: cqiiztykwd.exe File opened (read-only) \??\h: hyrvqvci.exe File opened (read-only) \??\i: hyrvqvci.exe File opened (read-only) \??\x: hyrvqvci.exe File opened (read-only) \??\z: hyrvqvci.exe File opened (read-only) \??\q: cqiiztykwd.exe File opened (read-only) \??\u: hyrvqvci.exe File opened (read-only) \??\e: hyrvqvci.exe File opened (read-only) \??\p: hyrvqvci.exe File opened (read-only) \??\r: cqiiztykwd.exe File opened (read-only) \??\p: hyrvqvci.exe File opened (read-only) \??\j: cqiiztykwd.exe File opened (read-only) \??\g: hyrvqvci.exe File opened (read-only) \??\i: hyrvqvci.exe File opened (read-only) \??\m: hyrvqvci.exe File opened (read-only) \??\v: cqiiztykwd.exe File opened (read-only) \??\a: hyrvqvci.exe File opened (read-only) \??\z: hyrvqvci.exe File opened (read-only) \??\s: hyrvqvci.exe File opened (read-only) \??\t: hyrvqvci.exe File opened (read-only) \??\l: hyrvqvci.exe File opened (read-only) \??\u: hyrvqvci.exe File opened (read-only) \??\y: hyrvqvci.exe File opened (read-only) \??\n: cqiiztykwd.exe File opened (read-only) \??\e: hyrvqvci.exe File opened (read-only) \??\j: hyrvqvci.exe File opened (read-only) \??\k: cqiiztykwd.exe File opened (read-only) \??\j: hyrvqvci.exe File opened (read-only) \??\l: hyrvqvci.exe File opened (read-only) \??\b: hyrvqvci.exe File opened (read-only) \??\o: hyrvqvci.exe File opened (read-only) \??\e: cqiiztykwd.exe File opened (read-only) \??\t: cqiiztykwd.exe File opened (read-only) \??\b: hyrvqvci.exe File opened (read-only) \??\t: hyrvqvci.exe File opened (read-only) \??\p: cqiiztykwd.exe File opened (read-only) \??\y: cqiiztykwd.exe File opened (read-only) \??\k: hyrvqvci.exe File opened (read-only) \??\x: cqiiztykwd.exe File opened (read-only) \??\k: hyrvqvci.exe File opened 
(read-only) \??\o: hyrvqvci.exe File opened (read-only) \??\h: cqiiztykwd.exe File opened (read-only) \??\l: cqiiztykwd.exe File opened (read-only) \??\y: hyrvqvci.exe File opened (read-only) \??\n: hyrvqvci.exe File opened (read-only) \??\r: hyrvqvci.exe File opened (read-only) \??\w: hyrvqvci.exe File opened (read-only) \??\g: cqiiztykwd.exe File opened (read-only) \??\u: cqiiztykwd.exe File opened (read-only) \??\s: cqiiztykwd.exe File opened (read-only) \??\m: hyrvqvci.exe File opened (read-only) \??\n: hyrvqvci.exe File opened (read-only) \??\r: hyrvqvci.exe File opened (read-only) \??\v: hyrvqvci.exe File opened (read-only) \??\h: hyrvqvci.exe File opened (read-only) \??\o: cqiiztykwd.exe File opened (read-only) \??\w: cqiiztykwd.exe File opened (read-only) \??\b: cqiiztykwd.exe File opened (read-only) \??\x: hyrvqvci.exe File opened (read-only) \??\w: hyrvqvci.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cqiiztykwd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cqiiztykwd.exe
AutoIT Executable 64 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4148-19-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-21-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-31-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4148-36-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-37-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4148-39-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-43-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-45-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-47-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-48-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-59-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-77-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-78-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-79-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-80-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-81-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-82-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-95-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-96-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-109-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-110-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-111-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe 
behavioral2/memory/4332-112-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-113-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-114-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-116-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-117-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-118-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-119-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-120-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-121-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-122-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-123-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-124-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-133-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-135-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-136-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-137-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-138-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-139-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-142-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-143-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-144-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-145-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe 
behavioral2/memory/3248-146-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-149-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-150-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-151-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-152-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-161-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-167-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-168-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-169-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-170-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-171-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-172-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-173-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-174-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-175-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3248-176-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3056-183-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4884-184-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4184-185-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4332-186-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\cqiiztykwd.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File opened for modification | C:\Windows\SysWOW64\qdatxkkvjnzot.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyrvqvci.exe
File opened for modification | C:\Windows\SysWOW64\cqiiztykwd.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File opened for modification | C:\Windows\SysWOW64\hyrvqvci.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyrvqvci.exe
File created | C:\Windows\SysWOW64\hyrvqvci.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cqiiztykwd.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyrvqvci.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyrvqvci.exe
File created | C:\Windows\SysWOW64\iuqukzlnevpqitt.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File opened for modification | C:\Windows\SysWOW64\iuqukzlnevpqitt.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File created | C:\Windows\SysWOW64\qdatxkkvjnzot.exe | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyrvqvci.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyrvqvci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyrvqvci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyrvqvci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyrvqvci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hyrvqvci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hyrvqvci.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cqiiztykwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF834858826E9030D72C7DE5BC92E141593266366331D690" | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C70B15E5DAB0B8CC7C92EDE234CC" | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cqiiztykwd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | cqiiztykwd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | cqiiztykwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9B1FE17F2E5837B3A4B869739E6B08A038B42680238E1BE459D09D5" | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cqiiztykwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B0584497389D52CFB9D432EFD7CF" | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB9FF1F21AED173D0A48B789013" | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cqiiztykwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cqiiztykwd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cqiiztykwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cqiiztykwd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D799C2083566D3677D4772F2CAE7CF264DD" | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cqiiztykwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cqiiztykwd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | cqiiztykwd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3064 | WINWORD.EXE
3064 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 4148 04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 3056 cqiiztykwd.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4184 hyrvqvci.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 
4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4332 qdatxkkvjnzot.exe 4884 iuqukzlnevpqitt.exe 4884 iuqukzlnevpqitt.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid   Process                                                                 count
4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  3
3056  cqiiztykwd.exe                                                          3
4884  iuqukzlnevpqitt.exe                                                     3
4184  hyrvqvci.exe                                                            3
4332  qdatxkkvjnzot.exe                                                       3
3248  hyrvqvci.exe                                                            3
-
Suspicious use of SendNotifyMessage 18 IoCs
pid   Process                                                                 count
4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  3
3056  cqiiztykwd.exe                                                          3
4884  iuqukzlnevpqitt.exe                                                     3
4184  hyrvqvci.exe                                                            3
4332  qdatxkkvjnzot.exe                                                       3
3248  hyrvqvci.exe                                                            3
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid   Process      count
3064  WINWORD.EXE  7
-
Suspicious use of WriteProcessMemory 17 IoCs
description              pid   Process                                                                 procid_target  count
PID 4148 wrote to memory of 3056   4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  99   3
PID 4148 wrote to memory of 4884   4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  100  3
PID 4148 wrote to memory of 4184   4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  101  3
PID 4148 wrote to memory of 4332   4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  102  3
PID 3056 wrote to memory of 3248   3056  cqiiztykwd.exe                                                          103  3
PID 4148 wrote to memory of 3064   4148  04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe  104  2
Processes
[1] C:\Users\Admin\AppData\Local\Temp\04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04eb1f4f806513c9a5ac563fb0cb2e689acf76067a52ee02fefee3d7e5a68bdd.exe"
    PID: 4148
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cqiiztykwd.exe
        Command line: cqiiztykwd.exe
        PID: 3056
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\hyrvqvci.exe
            Command line: C:\Windows\system32\hyrvqvci.exe
            PID: 3248
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\iuqukzlnevpqitt.exe
        Command line: iuqukzlnevpqitt.exe
        PID: 4884
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\hyrvqvci.exe
        Command line: hyrvqvci.exe
        PID: 4184
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\qdatxkkvjnzot.exe
        Command line: qdatxkkvjnzot.exe
        PID: 4332
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID: 3064
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    PID: 3776
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
Filesize 255KB
MD5 ee987f4f42669aa4f308e6006f536ff1
SHA1 0b43d010386e5eba114939c257be471eb038eb72
SHA256 a949744bada92a1d2ff1413972d1052b25e4ca1bdf6fb24505ae99fde803cec7
SHA512 a577a222f5453da09bcea843677dc9d0c63655358a286bc601e06e7e5746d29e76950664d8e5357c9d437cb138c0c3d8d15458c419a1f32256f14262c44ddc6a
-
Filesize 255KB
MD5 9b87c77c499887e262fa53d7fafc5d4d
SHA1 d2b5c00552cbd99ba57620f30fa6ec6675d80ecf
SHA256 aa10ad3f61d8fd39b318839fbe0ae2a29d6a5ec5a978e56320b8db8afab2fa42
SHA512 f7c61807e892002b3300a520fe094d315e8d8ffce25f883b99411971eb46c5f2633c95b3ae7047cf859d61d176bb8bc5918ab5fa839aaa0dfbb5b99a9912f4ef
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 26bd8b7a8d3663a857ee4e2eac2ebcbc
SHA1 2da48ae9d5a6c94ebb132be6a9546595340bb161
SHA256 49a6fc745cd9961fafd1e3a2e9e69f2eed450b627caecbf1162a2dba7123c3d2
SHA512 c6d67c96233d908ffe4af1cefa1461974f9ef4c7a276e34a68c8145a38a40bdbac9ba4d47d0874fda8e00c5268f2adc8b3ec0984ff8918da6526d3951da22d79
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 d68b950eeea8b225edd27f7408919df3
SHA1 d1977b32e8b92451f37a0c9d42f505cd8ef2b940
SHA256 3e01cfec7281c4e2ef227f7e8a42426632d8144c286c1f622b5cb3422d293454
SHA512 4bede0448b1e6c54faeba76f54f9370aa4f2add0341cb6cef350668ffd5327cba034281c89c15f019456742a5e44b03e3cfd1b113b4ef9d50220ae7a48b8382b
-
Filesize 255KB
MD5 3055c31abcdc3634bd6ced8160819ae0
SHA1 910b719bddfe23cdd3aea971dd2386f225d6d22a
SHA256 01d37d2d9c65a0b274ad699076eff417e51e56278fcec7aa1b1b63a723ead828
SHA512 ea78c7d89fcafdeb76d7afddfc148d9c002811b4eca572f33e503e5f2bd4f17d4f729ce3fe664ca2a2669e04c4e662f888eed638bc6bfee12432b253ebf4b634
-
Filesize 255KB
MD5 b2cabd0bc45bbabda0f2b2652b49f890
SHA1 7b2c85caafa9018c3b4ef09817eb5933bf4f9a52
SHA256 3fe36f05f1425404f44665b91b8367eb68586795363f9eeb0e0adf13c721feab
SHA512 8de91359f45ce3430bff0eaeb74efae0aa1a63d7ad592c2647f81946d037c199efb2614b5351393d0149b2141e3565e8a6c496dc4d72a597e4aa80915e763cbf
-
Filesize 255KB
MD5 1580fe94011a6e4687e70784c54faa00
SHA1 477d13d752fb8d07b802418596f96ac49670379a
SHA256 a462e7095b8683726474868960ea4bea28699e4723437a2265fe5d3cbe149961
SHA512 baf964ab6a23b8d724e42a64ceff896d4299fd6f08031ddd4fa05693845d4b2c8b0bad5376c3bfdc5a25d2feea3c754305e0eba696d3e81a20b29925e850599c
-
Filesize 255KB
MD5 f8b2957a5227868665933c0dfdd2ce81
SHA1 570759328c4d0218b6018441bcda2f72eaa3e2d6
SHA256 1f0e1ae0ede6f04017154328cea8a9a7d4e976f28264969c462ffca642cc522c
SHA512 2f206a2aeceb8e2740560b9e6ff781e67d950a040575dd69f646c8d400b1c0a9c362dc5a9a314d664e1ba76db6c8559a7f7bee4032b4de07699cb100900a0795
-
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize 255KB
MD5 f3fde83c0ef003ba25d8620e124d0702
SHA1 d5d58eb43789d92f1fc94820ee947fdc6e5908e5
SHA256 388ac680b9a09f4aa2fed2eef51d884e77cdffc6a4ae09c5e30ca398bc40559d
SHA512 af795d637eeb167890adc6b6a495d8637993c88650219b545d529156f3d8039c1108c3ecfff60022bfa2564b8d34f96ca815afc4d00ac567944bd5691cbe1207
-
Filesize 255KB
MD5 b8c6fa019596455e12e0054ecf574346
SHA1 044277c23ee0a7fe54886704f8425d2f64661f94
SHA256 72d83311cc13b1b809904f4abae683c2e5420a25bfc01fa9afd997c3fc5c3fcb
SHA512 e66eb4d7911a32660db9c70c9887e0b402bbd51f4d15d10320a2aa418c0a6796587b774754626333a04ad882ea066c94863ee4dbc20308321c29c143a5fee8b6
-
Filesize 255KB
MD5 a49cc22e6c4926dcc440af987f2f959e
SHA1 212f4178759468dc7ec421cf0d2b0f712d0b8f9b
SHA256 0b89f80067971b62d8a9823f597a43afecc7b64092cdc9fa4fbbe3df31c661cf
SHA512 14fb886c87ade34fb2e65c512234b2fbafe783fae54b56856eec02c93fbed12167999256fb160d7806e44e236828c26bcf3be4ed6e32c287087235c018e61422