Analysis (tria.ge sandbox report)
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 16/08/2024, 22:19
Behavioral task: behavioral1
Sample: 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Resource: win7-20240705-en
General
Target: 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Size: 255KB
MD5: cd2cfda14fdebc2474a5cf7c4d1524df
SHA1: 87feb6ac2070ccb2dcd9e44584e3ecedcabb270a
SHA256: 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7
SHA512: 3b23f50bf703a30813cad819ec428786ca9a55654174fbd287c188e81ecd2fef1aae17c7e80cf1941e68a5a7984ae8f3ade1f0e78c6567f75fc2f124d9cf5933
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJL:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIQ
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zfrljscnzg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zfrljscnzg.exe
Windows security bypass 5 IoCs
(The page shows this block without a heading; "Windows security bypass" and "Windows security modification" are the two Security Center signatures the process tree below lists for zfrljscnzg.exe, assigned here in the order the blocks appear.)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zfrljscnzg.exe
The writes land under Wow6432Node because zfrljscnzg.exe is a 32-bit process on the x64 image (it was dropped into C:\Windows\SysWOW64 and its memory dumps are mapped at 0x400000).
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
The recorded process is explorer.exe (PID 1452 elsewhere in this report), not one of the dropped executables, and the row is a key creation with no value written.
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zfrljscnzg.exe
Executes dropped EXE 5 IoCs
pid | Process
2312 | zfrljscnzg.exe
1176 | bojnhrwdzcgpaxd.exe
2464 | ckyjcfzh.exe
2428 | bapfnmvwehamo.exe
3060 | ckyjcfzh.exe
Loads dropped DLL 5 IoCs
pid | Process
2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe (4 rows)
2312 | zfrljscnzg.exe (1 row)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX packed file 64 IoCs
(The page shows this block without a heading; the name follows the yara rule it lists, upx.)
Memory-dump entries differ only in the snapshot index and are collapsed here as {index, ...}; every matched image is mapped at 0x0000000000400000-0x00000000004A0000 (640 KB).
resource | yara_rule
behavioral1/memory/2408-{0,46,49}-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2312-{22,70,85,92,102,105,108,111,118,121,124,127,130,133,136}-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1176-{28,82,86,93,103,106,109,112,119,122,125,128,131,134,137,141}-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2428-{41,84,88,95,104,107,110,113,120,123,126,129,132,135,138}-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2464-{83,87,94,100}-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/3060-{47,89,90,96,99}-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0008000000016c03-9.dat | upx
behavioral1/files/0x00080000000120fd-17.dat | upx
behavioral1/files/0x0008000000016884-27.dat | upx
behavioral1/files/0x0008000000016c7d-42.dat | upx
behavioral1/files/0x0008000000016dd5-66.dat | upx
behavioral1/files/0x0005000000019394-76.dat | upx
Windows security modification 6 IoCs
(The page shows this block without a heading; see the note under "Windows security bypass" above for how the two Security Center blocks were named.)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | zfrljscnzg.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bapfnmvwehamo.exe" (the key's default value) | bojnhrwdzcgpaxd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qdazarfn = "zfrljscnzg.exe" | bojnhrwdzcgpaxd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pstuxuiv = "bojnhrwdzcgpaxd.exe" | bojnhrwdzcgpaxd.exe
All three values are bare file names rather than full paths; the files themselves were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory" below).
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Every one of the 64 rows is "File opened (read-only)" on a drive root, so they are collapsed here by process; no row mentions \??\c:, \??\d: or \??\f:.
description | ioc | Process
File opened (read-only), 23 rows | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | zfrljscnzg.exe
File opened (read-only), 41 rows | the same 23 drive roots; all but \??\i:, \??\m:, \??\s:, \??\u: and \??\z: appear twice (ckyjcfzh.exe ran as PIDs 2464 and 3060) | ckyjcfzh.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zfrljscnzg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zfrljscnzg.exe
4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the legacy value used to switch off Windows File Protection on Windows 2000/XP. Windows 7 replaced WFP with Windows Resource Protection and does not honour this value, so on this platform the write is an indicator of intent rather than an effective bypass; it is still worth alerting on.
AutoIT Executable 58 IoCs
AutoIT scripts compiled to PE executables.
Memory-dump entries differ only in the snapshot index and are collapsed here as {index, ...}; every matched image is mapped at 0x0000000000400000-0x00000000004A0000, the same region the upx rule hits, so all six processes (the original sample, PID 2408, included) match both the autoit_exe and upx rules in memory.
resource | yara_rule
behavioral1/memory/2408-{46,49}-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2312-{70,85,92,102,105,108,111,118,121,124,127,130,133,136,140}-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1176-{28,82,86,93,103,106,109,112,119,122,125,128,131,134,137,141}-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2428-{41,84,88,95,104,107,110,113,120,123,126,129,132,135,138,142}-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2464-{83,87,94,100}-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/3060-{47,89,90,96,99}-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\zfrljscnzg.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File opened for modification | C:\Windows\SysWOW64\zfrljscnzg.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File created | C:\Windows\SysWOW64\bojnhrwdzcgpaxd.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File opened for modification | C:\Windows\SysWOW64\bojnhrwdzcgpaxd.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File created | C:\Windows\SysWOW64\ckyjcfzh.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File opened for modification | C:\Windows\SysWOW64\ckyjcfzh.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File created | C:\Windows\SysWOW64\bapfnmvwehamo.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File opened for modification | C:\Windows\SysWOW64\bapfnmvwehamo.exe | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zfrljscnzg.exe
The four random-named executables are the ones that appear under "Executes dropped EXE" and in the Run key values. msvbvm60.dll is the Visual Basic 6 runtime; a write handle on a system DLL from a dropped binary is worth a hash check on any host showing these indicators.
Drops file in Program Files directory 22 IoCs
All 22 rows are ckyjcfzh.exe. The report records the same file under both its Win32 (C:\...) and NT (\??\c:\...) path form, so each unique target is listed once with its row counts.
description | ioc | Process
File created (1), File opened for modification (4) | C:\Program Files\MoveComplete.doc.exe | ckyjcfzh.exe
File opened for modification (2) | C:\Program Files\MoveComplete.nal | ckyjcfzh.exe
File created (1), File opened for modification (4) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckyjcfzh.exe
File opened for modification (2) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ckyjcfzh.exe
File created (2), File opened for modification (4) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ckyjcfzh.exe
File opened for modification (2) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ckyjcfzh.exe
For each target an executable named <name>.DOC.exe is written next to a <name>.nal companion file. Combined with the HideFileExt = "1" change recorded above, Explorer shows these executables as PROTTPLN.DOC, PROTTPLV.DOC and MoveComplete.doc.
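The rows above are the pattern a responder should hunt for on other hosts: an executable with a document-type inner extension and a same-named .nal companion, shown without its real extension once HideFileExt is set. The Python below is an added example, not code from the report or from the sample. It rebuilds the six targets in a temporary directory with placeholder contents (constructed, not the dropped binaries), adds two benign control files, and scans for the double-extension-plus-sidecar pattern; the DOC_EXTS/EXEC_EXTS lists and the .nal sidecar rule are assumptions generalised from these rows.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample tree: the six targets from the rows above, rebuilt under a
# temporary directory with placeholder contents (not the dropped binaries), plus
# two benign controls that a correct scan must leave alone.
SAMPLE_FILES = [
    "Program Files/MoveComplete.doc.exe",
    "Program Files/MoveComplete.nal",
    "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLN.DOC.exe",
    "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLN.nal",
    "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLV.DOC.exe",
    "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLV.nal",
    "Program Files (x86)/Microsoft Office/Office14/1033/PROTTPLN.DOC",  # control
    "Program Files (x86)/Microsoft Office/Office14/WINWORD.EXE",        # control
]

# Assumed generalisation of the rows: any document-type inner extension hidden
# behind an executable outer extension, with an optional ".nal" companion file.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
SIDECAR_EXT = ".nal"


def displayed_name(name, hide_file_ext=True):
    """Name as Explorer renders it: with HideFileExt=1 the final extension is dropped."""
    if not hide_file_ext:
        return name
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def scan(root):
    """Sorted (relative path, displayed name, sidecar present) for each disguised executable."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        outer = path.suffix.lower()
        inner = Path(path.stem).suffix.lower()
        if outer in EXEC_EXTS and inner in DOC_EXTS:
            sidecar = path.with_name(Path(path.stem).stem + SIDECAR_EXT)
            findings.append((
                path.relative_to(root).as_posix(),
                displayed_name(path.name),
                sidecar.is_file(),
            ))
    return sorted(findings)


def build_sample_tree(base):
    """Create the constructed tree under base and return base."""
    for rel in SAMPLE_FILES:
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder\n")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for rel, shown, has_sidecar in demo():
        print("%-70s shown as %-20s sidecar=%s" % (rel, shown, has_sidecar))
```

Point scan() at a real Program Files tree to use it outside the demo; the sidecar flag separates this sample's drops from an unrelated double-extension file, and the displayed name is what a user saw in Explorer with the HideFileExt change in place.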
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
The sample writes C:\Windows\mydoc.rtf and then launches WINWORD.EXE (PID 2756, see "Suspicious use of WriteProcessMemory") on it; ~$mydoc.rtf is Word's owner file for the open document.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zfrljscnzg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bojnhrwdzcgpaxd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bapfnmvwehamo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ckyjcfzh.exe (2 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
(No IoC rows; the only Office process in this run is WINWORD.EXE, PID 2756, opened on C:\Windows\mydoc.rtf.)
Modifies registry class 24 IoCs
description | ioc | Process
Script and registry-file extensions remapped to the text-file ProgID, so that double-clicking a .bat, .reg, .vbs, .wsc, .wsf or .wsh file opens it as text instead of running it (12 rows):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zfrljscnzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zfrljscnzg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zfrljscnzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zfrljscnzg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zfrljscnzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zfrljscnzg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zfrljscnzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zfrljscnzg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zfrljscnzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zfrljscnzg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zfrljscnzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zfrljscnzg.exe
Opaque hex strings written by the original sample under a custom class key; the report does not decode them (7 rows):
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C7E9D5283536A3677D370252CA97C8464DE" | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABBF967F19783783A43819C3995B3FC028C43160239E1CF45E808D5" | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12144E739E853CDBAD4339FD7CE" | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FFF94F5B85689136D72A7E93BC95E137593067466333D79B" | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB1FE1C22A9D208D1D38A7F9164" | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC70B14E6DBBEB9CC7FE1ED9737CF" | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
Shell folder-view state written by explorer.exe, PID 1452 (5 rows):
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
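The registry rows across the sections above (Security Center overrides, Explorer hiding, DisableRegistryTools, the Winlogon SFCDisable write, path-less Run values and the script-extension remaps in this section) are all plain SetValue events, so they translate directly into detection logic over Sysmon Event ID 13 records. The Python below is an added example and not part of the report: the event list is constructed from the report's rows in the field layout Sysmon uses (TargetObject, Details, Image) with the hive written as HKLM/HKU; the "DWORD (0x...)" Details encoding and the "(Default)" value name are assumptions about that layout, and the OneDrive row is a constructed benign control.

```python
import re

# Constructed sample events in the field layout of Sysmon Event ID 13
# (RegistryEvent SetValue), filled from the registry rows in this report.
# Assumptions: integer data is rendered as "DWORD (0x...)" and a key's default
# value is named "(Default)"; adjust parse_details()/split_target() if your
# pipeline normalises these differently. The OneDrive row is a benign control.
SID = "S-1-5-21-1385883288-3042840365-2734249351-1000"
HKU = r"HKU\%s\Software\Microsoft\Windows\CurrentVersion" % SID
HKLM32 = r"HKLM\SOFTWARE\Wow6432Node\Microsoft"
DROPPER = r"C:\Windows\SysWOW64\zfrljscnzg.exe"
STARTER = r"C:\Windows\SysWOW64\bojnhrwdzcgpaxd.exe"

SAMPLE_EVENTS = [
    {"TargetObject": HKLM32 + r"\Security Center\AntiVirusOverride", "Details": "DWORD (0x00000001)", "Image": DROPPER},
    {"TargetObject": HKLM32 + r"\Security Center\FirewallDisableNotify", "Details": "DWORD (0x00000001)", "Image": DROPPER},
    {"TargetObject": HKU + r"\Explorer\Advanced\HideFileExt", "Details": "DWORD (0x00000001)", "Image": DROPPER},
    {"TargetObject": HKU + r"\Explorer\Advanced\ShowSuperHidden", "Details": "DWORD (0x00000000)", "Image": DROPPER},
    {"TargetObject": HKU + r"\Policies\System\DisableRegistryTools", "Details": "DWORD (0x00000001)", "Image": DROPPER},
    {"TargetObject": HKLM32 + r"\Windows NT\CurrentVersion\Winlogon\SFCDisable", "Details": "DWORD (0xFFFFFF9D)", "Image": DROPPER},
    {"TargetObject": HKLM32 + r"\Windows\CurrentVersion\Run\qdazarfn", "Details": "zfrljscnzg.exe", "Image": STARTER},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.vbs\(Default)", "Details": "txtfile", "Image": DROPPER},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background", "Image": r"C:\Windows\explorer.exe"},
]

DWORD_RE = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")
SECURITY_CENTER = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                   "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"}
SCRIPT_EXTS = {".bat", ".cmd", ".reg", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".wsc", ".ps1"}
CLASSES_EXT_RE = re.compile(r"\\classes\\(\.[a-z0-9]+)$")


def parse_details(details):
    """Integer data arrives as 'DWORD (0x...)'; anything else is kept as text."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else details


def split_target(target):
    """'HIVE\\key\\path\\ValueName' -> (lower-cased key path, value name)."""
    key, _, name = target.rpartition("\\")
    return key.lower(), name


def signed32(value):
    """Interpret a DWORD as a signed 32-bit integer (0xFFFFFF9D -> -99)."""
    return value - (1 << 32) if value >= (1 << 31) else value


def evaluate(event):
    """Return a finding label for one SetValue event, or None if it matches no tamper rule."""
    key, name = split_target(event["TargetObject"])
    data = parse_details(event["Details"])
    lname = name.lower()
    if key.endswith(r"\microsoft\security center") and lname in SECURITY_CENTER and data == 1:
        return "security-center-override:" + name
    if key.endswith(r"\explorer\advanced"):
        if lname == "hidefileext" and data == 1:
            return "explorer-hide-extensions"
        if lname == "showsuperhidden" and data == 0:
            return "explorer-hide-system-files"
    if key.endswith(r"\policies\system") and lname == "disableregistrytools" and data == 1:
        return "regedit-disabled"
    if key.endswith(r"\winlogon") and isinstance(data, int):
        if lname == "sfcdisable" and data != 0:
            return "wfp-disable-attempt:SFCDisable=%d" % signed32(data)
        if lname == "sfcscan" and data == 0:
            return "wfp-disable-attempt:SFCScan=0"
    # Run entries normally carry a full path; a bare file name relies on path search.
    if key.endswith(r"\currentversion\run") and isinstance(data, str) and "\\" not in data:
        return "run-key-bare-filename:" + data
    m = CLASSES_EXT_RE.search(key)
    if m and m.group(1) in SCRIPT_EXTS and lname == "(default)" and data == "txtfile":
        return "script-ext-remapped-to-txtfile:" + m.group(1)
    return None


def scan(events):
    """(image basename, finding) for every event that matches a tamper rule."""
    hits = []
    for event in events:
        finding = evaluate(event)
        if finding:
            hits.append((event["Image"].rsplit("\\", 1)[-1], finding))
    return hits


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print("%-22s %s" % (image, finding))
```

The rules key on the tail of the key path rather than the full hive prefix, so the same logic fires whether a 32-bit process writes through Wow6432Node (as here) or a 64-bit process writes the native view, and whether the user hive is reported as HKU\<SID> or HKCU.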
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2756 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows
2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 8
1176 | bojnhrwdzcgpaxd.exe | 17
2312 | zfrljscnzg.exe | 5
2464 | ckyjcfzh.exe | 4
2428 | bapfnmvwehamo.exe | 26
3060 | ckyjcfzh.exe | 4
After the initial burst from each process, the remaining rows alternate between bojnhrwdzcgpaxd.exe and bapfnmvwehamo.exe for the rest of the run.
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1452 | explorer.exe (12 rows)
Suspicious use of FindShellTrayWindow 47 IoCs
pid | Process | rows
2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 3
1176 | bojnhrwdzcgpaxd.exe | 3
2312 | zfrljscnzg.exe | 3
2428 | bapfnmvwehamo.exe | 3
2464 | ckyjcfzh.exe | 3
3060 | ckyjcfzh.exe | 3
1452 | explorer.exe | 29
Suspicious use of SendNotifyMessage 36 IoCs
pid | Process | rows
2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 3
1176 | bojnhrwdzcgpaxd.exe | 3
2312 | zfrljscnzg.exe | 3
2428 | bapfnmvwehamo.exe | 3
2464 | ckyjcfzh.exe | 3
3060 | ckyjcfzh.exe | 3
1452 | explorer.exe | 18
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2756 | WINWORD.EXE (2 rows)
Suspicious use of WriteProcessMemory 28 IoCs
Each parent-child pair below appears four times in the report (28 rows in total); the pairs are listed once.
description | pid | Process | procid_target
PID 2408 wrote to memory of 2312 | 2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 28
PID 2408 wrote to memory of 1176 | 2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 29
PID 2408 wrote to memory of 2464 | 2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 30
PID 2408 wrote to memory of 2428 | 2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 31
PID 2312 wrote to memory of 3060 | 2312 | zfrljscnzg.exe | 32
PID 2408 wrote to memory of 2756 | 2408 | 493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe | 33
PID 2756 wrote to memory of 2816 | 2756 | WINWORD.EXE | 38
The pairs match the launches in the Processes section: the sample (2408) starts the four dropped executables and WINWORD.EXE, zfrljscnzg.exe (2312) starts the second ckyjcfzh.exe instance (3060), and WINWORD.EXE starts PID 2816, which is not named anywhere in this report.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\493eda0e24cea8fa7eb424854094f31b2381deb4ebca7a7a4c5195ebca3354f7.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2408
  Depth 2: C:\Windows\SysWOW64\zfrljscnzg.exe
    Command line: zfrljscnzg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2312
    Depth 3: C:\Windows\SysWOW64\ckyjcfzh.exe
      Command line: C:\Windows\system32\ckyjcfzh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3060
  Depth 2: C:\Windows\SysWOW64\bojnhrwdzcgpaxd.exe
    Command line: bojnhrwdzcgpaxd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1176
  Depth 2: C:\Windows\SysWOW64\ckyjcfzh.exe
    Command line: ckyjcfzh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2464
  Depth 2: C:\Windows\SysWOW64\bapfnmvwehamo.exe
    Command line: bapfnmvwehamo.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2428
  Depth 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2756
    Depth 3: C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2816
Depth 1: C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1452
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads