xmrig | 213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259

Analysis

max time kernel
151s
max time network
168s
platform
windows7_x64
resource
win7v20210408
submitted
11-06-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
Size

235KB
MD5

07f482fdc70a699d02495c8b4dc1ee63
SHA1

8c536b4c8a9a810635daa506c67f70180b048c83
SHA256

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259
SHA512

5a8ec11ed23b6e17e894965cf3fab92ae55e7408ee1f6bd00a59ba43c61648cd9d9fd7894288427a14446d3d9bc59c66b0416d57f7de9cd626d64e575ca14d91

Score

10^/10

xmrig miner persistence ransomware spyware stealer

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 64 IoCs

Processes:

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\mountmgr.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\mrxsmb10.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\tdpipe.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\amdxata.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\BrUsbSer.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\Classpnp.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\dxgkrnl.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\lsi_sas.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\usbrpm.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\amdide.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\HdAudio.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\ipnat.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\nvraid.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\rmcast.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\swenum.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\adpahci.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\npfs.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\spsys.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\tape.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\en-US\i8042prt.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\appid.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\msiscsi.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\sermouse.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\usbport.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\BTHUSB.SYS.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\1394ohci.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\drmk.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\ws2ifsl.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\mspqm.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\sbp2port.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\videoprt.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\ataport.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\bxvbda.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\fvevol.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\ks.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\mrxsmb20.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\wimmount.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\en-US\acpi.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\pnpmem.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\volmgrx.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\vwifibus.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\mssmbios.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\ndiscap.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\rasl2tp.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\vms3cap.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\hidbth.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\Dot4usb.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\bthmodem.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\fs_rec.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\msdsm.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\ULIAGPKX.SYS	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\atikmdag.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\dfsc.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\drmkaud.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\rndismp6.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\wmiacpi.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\en-US\bfe.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\drivers\en-US\scsiport.sys.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\AGP440.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\csc.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\null.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\tcpipreg.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\vmstorfl.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\drivers\viaide.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.ChupaCabra	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

Drops startup file 1 IoCs

Processes:

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 62 IoCs

Processes:

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

description	ioc	process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Music\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Documents\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Contacts\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Downloads\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Music\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Videos\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Desktop\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Videos\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Pictures\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Links\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Searches\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Pictures\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Desktop\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Documents\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Users\Admin\Favorites\desktop.ini	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

Drops file in System32 directory 64 IoCs

Processes:

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

description	ioc	process
File opened for modification	C:\Windows\system32\KBDBENE.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx64.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP10.GPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\spool\drivers\x64\3\en-US\CNBBR281.DLL.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\wbem\OfflineFilesWmiProvider_Uninstall.mof	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\WindowsPowerShell\v1.0\Schemas\PSMaml\structureProcedure.xsd	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\dskquoui.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\xmlfilter.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNBXRF4.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\GENIBM9W.GPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN1342E3.PPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\DriverStore\FileRepository\xnacc.inf_amd64_neutral_13c4e272a96185a1\xnacc.inf	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\spp\tokens\ppdlic\PeerToPeerBase-ppdlic.xrm-ms	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\pl-PL\WMPhoto.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\VmbusCoinstaller.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc007.cat	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\DriverStore\en-US\prnky002.inf_loc	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3100T.XML	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\PRNHP005.cat	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\en-US\msrle32.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\en-US\PSModuleDiscoveryProvider.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{2f2b870b-fa08-4d57-bf02-98351e38652b}\snapshot.etl	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS3350.GPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\gpsvc.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\catroot2\edb0046F.log	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\DriverStore\en-US\acpi.inf_loc	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\en-US\usbport.inf_loc	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\ph6xib64c1.inf_amd64_neutral_68c99681343e9b68\Ph6xIB64.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNB_0317.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\prnge001.inf	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\LME250DN.GPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\WSDPrint.Inf	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\en-US\dhcpcore6.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\en-US\shimgvw.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\en-US\themeservice.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml_HTML_Style.xsl	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\zh-TW\cdosys.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\kbd101c.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\occache.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3300T.XML	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\en-US\netcfg.exe.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\spp\tokens\ppdlic\TabletPCInputPersonalization-ppdlic.xrm-ms	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\iasrecst.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\kbdnecnt.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Professional-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\oobe\W32UIRes.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\mscories.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~ja-JP~7.1.7601.16492.cat	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBBR293.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\CNFRAJ.ICC	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\winusb.inf_amd64_neutral_6cb50ae9f480775b\winusb.PNF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\gatherNetworkInfo.vbs	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\msafd.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\circlass.sys	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7400T.GPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\spool\drivers\x64\3\en-US\CNBP_324.DLL.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNB_0279.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SAC20203.PPD	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\en-US\btpanui.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Windows\system32\en-US\photowiz.dll.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Windows\system32\spool\drivers\x64\3\en-US\CNBP_316.DLL.mui	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\penjpn.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\PREVIEW.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\sentinel	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.ELM	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.INF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00267_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL.IDX_DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.INF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\THMBNAIL.PNG	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01179_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00586_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\MSB1ARFR.ITS	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00443_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_lv.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\CsiSoap.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sv.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcfr.dll	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.INF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00685_.WMF	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d	213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1620 1272 WerFault.exe

pid	pid_target	process	target process
1620	1272	WerFault.exe

Modifies registry class 5 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1620 WerFault.exe
1620 WerFault.exe
1620 WerFault.exe
1620 WerFault.exe
1620 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE

pid	process
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

AUDIODG.EXEWerFault.exeExplorer.EXE

description	pid	process
Token: 33	884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	884	AUDIODG.EXE
Token: 33	884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	884	AUDIODG.EXE
Token: SeDebugPrivilege	1620	WerFault.exe
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 1620 wrote to memory of 1380	1620	WerFault.exe	Explorer.EXE
PID 1620 wrote to memory of 1380	1620	WerFault.exe	Explorer.EXE
PID 1620 wrote to memory of 1380	1620	WerFault.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259.bin.sample.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1272 -s 3648
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db.ChupaCabra
MD5
63927c9c9654e7262bfc09373c0eadd1

SHA1
fd80e9a3144e5fd59b76add3ada5ca08e420d4ae

SHA256
ba1209886f1297d27cc55bd23cab96a9d90e62ef00d6ae4df020669bb1d387c9

SHA512
0feb9a5bd8867cee8de22769861cb67bbbc3f35d5fcf957117bf213c1662df9581eee4bcafd79adf2f4768ac011a81fa2e0b90617766c12d00a29e585ebb39ae

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.ChupaCabra
MD5
9df9e2c90ea8258611326287abfef7db

SHA1
73a8e5e3797009d111eb1e5acda2f0c9dd8abd2f

SHA256
c5b40129811c346dd91eba52e2bf42fe03d3e840541c5705f3af34e144b2c019

SHA512
298c5c7b84ac8cf800135237ff1765cc93cb9c1bc824b14e667489886aca90dc9bfdc256e8d397c062da134124322d33a03b6276db867a8b2296eeebd237a80e

Download Submit
C:\Users\Admin\Desktop\BackupExit.gif.ChupaCabra
MD5
f9dcdd64ab185fd98c7706eb7a363607

SHA1
df3dd4f66c16c9b1808bee2a29fe9a7c2130da55

SHA256
59e162d4618b167774882de0ac8872abf3dc5bf2a27a860ff0478acf4bd1e666

SHA512
a1d0d85e79396ebab6ddbbb453b827f9f9535d910b8cadc0e326498471aa501cf8086e9ddb424cea9024d75582d03fd7e809495187aa4ba00ec3f1f6198644e5

Download Submit
C:\Users\Admin\Desktop\BlockEnter.xps.ChupaCabra
MD5
dd72a2ed43f235936aeba23fa4a52dd3

SHA1
44a99b74a74a727e11af5e30060188a006918a62

SHA256
8dcd36af098e00e096e9c8abe6eec1cdea2c19cfbede5daccd8cdab5df5175c2

SHA512
6560c93c8d0b34379b6b02e1edc18726c1b342239dc7f69666f160b7475262763b5b6055ad1598ff3b28f07a4e27321955b13035328ef7ea134bde61073cdc65

Download Submit
C:\Users\Admin\Desktop\ClearExit.cfg.ChupaCabra
MD5
9bf6ca544c08e5c3d5ce08f22441a21f

SHA1
fe5ccf7e78926059e2594fcdde10d6b1c80dd066

SHA256
73419b7e5f50df74e049105bae6d4a5bc8eee6548044a78377ee2e20d3d5fd7c

SHA512
a86412c0343ba7f6a04fbb58d3bd1bea107fd7c729152fea4c32269323801e16ae6e5b9b8e184753ff8bf462e9b8ab289ee0f328e33b9e8d0584a553c17826ae

Download Submit
C:\Users\Admin\Desktop\CompressSuspend.MOD.ChupaCabra
MD5
be54f1f8e4b17c48e53200d86efd3d4a

SHA1
5b315a91e5f8eb5d9391032a81268244d5a326c0

SHA256
2c5a66b58ae9191ac2034f78929489372140bbd2b4b25392ee60afe9786e2cc7

SHA512
d13de80ff1065cc79c49f2474d1bbec7d9d2b5e69fa48a58874c477fe414d23c38a651a2ba6e823b439b7f56dd68922ad4dc05c7ac232e255249495e440708cf

Download Submit
C:\Users\Admin\Desktop\ConfirmAdd.jpeg.ChupaCabra
MD5
b5ebfcda3b71c4c2f793cc1d96929f77

SHA1
2e3d4d148ecf2f76994e5e1bcacc1150bff625eb

SHA256
93641e6122f9e3248f0d2c58cec872717f04be4f8cbbb4f920fa4872c5a09e9e

SHA512
74263cbbcdc99db03c15baefa4d2aa4f45fdd12d7190e0d513841557660bd183471be24e80c1baeb7f8a3f5be946b88d514dfd1a6cd67106341830bab3a16b7b

Download Submit
C:\Users\Admin\Desktop\ConnectMove.emf.ChupaCabra
MD5
440731767c893f855b2aca4c0cce0631

SHA1
499cf371c80d672479e05f3bcbddaa2c41643a27

SHA256
880d437620668bd03a528cc02771b3cf2bd7b0cc49e11d19a52dcd297d51a86f

SHA512
360881fa7629150d9b2ace98d6cfca4aa60105c67b7bfb75035eee7890659ded27a2f0bc1fce6461e2bfcdb8da47b927c19a491650523da4aa7ec43e8534f1ff

Download Submit
C:\Users\Admin\Desktop\ConvertFind.mpg.ChupaCabra
MD5
e9d129ad8dff69626cb54040561d9a77

SHA1
8789c04de843c6d347b8943a6e57cab67ebbf098

SHA256
d0a78d01c241279142b8a8fb6b0b72cbd534ce46478ceed34ad3df646da14ce2

SHA512
cbea8b4bf3c941aff53c31892b8f81a3382395fcb8c84b3de27402d015154a2092a852584109031c3816c7832270303f3cfd22bbb56a422d69a8a795f666b045

Download Submit
C:\Users\Admin\Desktop\DismountMeasure.css.ChupaCabra
MD5
a0a9bc34d57c20b54f8c7698935db72c

SHA1
44b3104cefd1e6884f4a760a1f347298ebf7d025

SHA256
46fcc2e8dc6a86496eddce13503d04474c07aa2e2fb1a7ff76e9f478eb899fca

SHA512
6e9ca3094530f3efd8fb7d84d02e3451f09016e12dc7efd716c4b8f453fb67ab9a7bf27646b37e2690178a6d245ebbe3813c947be7340d16f885197f30d9d736

Download Submit
C:\Users\Admin\Desktop\EditDebug.fon.ChupaCabra
MD5
a3509493ceb97bc550749bd41f8ef781

SHA1
587fe29536b0924a6e7212f66ad10c8b06a368d4

SHA256
5351576ca07eea3fa60fe3db69dbc5de3f4fa1bef006d4cd0d4c8a82a1565916

SHA512
f15667635212054b084e9831d9c43bdc275b2064010582b5c087956e28b985cecbbbdae179dfe79032b32e2b1b494675e18d367994ed3d103e1246d6ffbf8d06

Download Submit
C:\Users\Admin\Desktop\HideRepair.vsdx.ChupaCabra
MD5
3705995f41f4791c1107409e0cf0108e

SHA1
8670d055a02dadcd9a24025dbe15a7ea8f5b1473

SHA256
00e525cc1b312df39d51517c00c73973358f5986ba698aefbc6e2bebc29c7366

SHA512
6ec9b74985d387d48bffea98a96395b90d37c87065ddd3d2b37f69a2beb68376de89b733ffed89e0359b0a51cc909fe9838c7ce1048bc9ddb258da2c4c9d7e0a

Download Submit
C:\Users\Admin\Desktop\InstallLock.xps.ChupaCabra
MD5
a6f5c9cf08f4c9d2ed72c4fc2db7c294

SHA1
f4a7dc2b5d31c626c4e4e9a5ace6b8b358a4c82e

SHA256
35a1df4fc46a0d070989284436dd0dc544a7c2e5aa205ea9c917532b112a1be2

SHA512
0c5d31edb94c7e679c3304a5f7624659d6ea85d2c0befe218d83f2b25fe1c77cdf1e8a96e1f3827e591e7d363e410177cfde09cd3f882be0c89545aff4814867

Download Submit
C:\Users\Admin\Desktop\MountLock.mpp.ChupaCabra
MD5
d51929111d958e87470693b0bdaaad4e

SHA1
5e7fc2d434ae746dc30c0e2bc3ef5a40a7fe0f8d

SHA256
57ca00a4d5f1033ac1e3201b06efe53aa108bded0845ad1b55142f81ca380d43

SHA512
eb315d468648f6defe6a6a01c1a9a4f8cf85bb8f539097289b02c5d3d9be70ecc2fb0a1e19b3ceddfaf816376fb90eb7a7779f1e0ca52cd4c399acb21de4f270

Download Submit
C:\Users\Admin\Desktop\ReadRedo.vbe.ChupaCabra
MD5
0d90587c779f5941285cabbfad48a69c

SHA1
91dd66b3c1cf5b53b62c760c2310a4d41561984a

SHA256
60c298e4d0ba9ca76d6105019b4cce4e15e5b9d272c9d32ed8e7b73e405e94f6

SHA512
1ad6dd7801b5bb758858f4e473e58985c9f6a204a02c8dc31132df88775c40e540d213212a66721bf3144b3351a453822d9f31f2cba39d7a07ff951f87d61fbb

Download Submit
C:\Users\Admin\Desktop\ReadRequest.midi.ChupaCabra
MD5
b3df6677190d483f22887bb3a81438c7

SHA1
17c0a27e2ebba150543f0476b373d8bf437742b2

SHA256
8973708730cb3d50dea74817aafb5f6c99a4562bde4bc6a894acc2335b5d01eb

SHA512
9d8365cbf24779a84f6d00768b82fb7c307ce9eb02fe3e6fbd15993889bd379be56a01e8c235e5d9e48480f5708cb0f476efd28aab67ddeb54e05ea99c0bc2e7

Download Submit
C:\Users\Admin\Desktop\ReceiveConnect.M2T.ChupaCabra
MD5
04a9e08f39a1e429e11240cddec74c54

SHA1
49a4fb69aaf58cba8a5e5d202c6c3d0d785a3c16

SHA256
987599a8dc922ea79c43891263bf2e3fb470fbac3a8c2047e637e03655b0d8be

SHA512
1000c50a3fd75909a5f09392bf07b20f2be85193e6e98fffd210eab8958370130ec1341528a9ff8297640d7fd6ffb7df549cea58ee26df36e0d937725d98237d

Download Submit
C:\Users\Admin\Desktop\RepairBackup.dib.ChupaCabra
MD5
f5ed81fb2090ac44dafac443ebccf502

SHA1
3b9a60955256ea4f3aa23a4098e32b9edd0df603

SHA256
f280f13643a0818a3e1bdab7bf68f8eeeb7e714b24dfd2af06f8190acc748137

SHA512
76317a6afa06a740ce92c323ca799fce90fcc1af198797ccdcda5a2ea2d8eb38d65f06a549cfaeaa4c2e9ea32a04d5252dbdc9b78aba2de61daaed5fdabc8763

Download Submit
C:\Users\Admin\Desktop\RestartSearch.bmp.ChupaCabra
MD5
54cd181aa5b6b05b8dca8572b26873ef

SHA1
828884e01055adb0b29d33d13c4772691ac4280f

SHA256
2cb19b1c0e9a06e9344b907e580105ea0ec4951e93472de2943e6a523bfe0d5f

SHA512
d93cbaad5641d28af35b65d632ef2ceef185166b1f8572371d4a0ff8b9807a6dea06e14e86ad927c3e90b03917e99b9c81a03af45ab7aa41ae1b5d5993991c3c

Download Submit
C:\Users\Admin\Desktop\ShowSearch.gif.ChupaCabra
MD5
3d116782a7b3db35e693e04699e738a7

SHA1
86e843eeebf092dd1885e7777eb12e5e8f98a9f5

SHA256
648702a8e06472ed4e375cfd2474c8468445f82ffb8c84edfba356e9ff2f2631

SHA512
652c17956c4e204eb11cd6a8698b6721625c6db4e1a1fde1c118bd866efadc926a0569c8d499db661a6fa6d0c39582d5b01a3f79c96ab49cb770271590f342ca

Download Submit
C:\Users\Admin\Desktop\StartInitialize.png.ChupaCabra
MD5
8c0b8cd4c3b386f7d44f32db7cc47912

SHA1
c2591b1d0168d1cb9545e6267f1ac01fe0b539b0

SHA256
c63653c407f79d234b31b279e76d4c00d4c1b29f9d7cf5cf47ead380bdf393fb

SHA512
fd774c428cfe3c1cf222f7d3bba99f8be9a28b27315533e982fbd18b4c6909f760cb392c16dbc8773fb2d9776b723566bf2011af43f3431b1e91e4efe9724ec0

Download Submit
C:\Users\Admin\Desktop\StopSelect.dotx.ChupaCabra
MD5
28f67257fe5b26e98acbcb8da323fa48

SHA1
50019bc61fbb47cea389e7b67d64b326aba620a1

SHA256
c9be569049ae5fc27591ccc84783ae591360e8637c55a2e9ae8859a39750daec

SHA512
0b5f66d348c55079ba7e1530c239bbf62080b5c750282b348599066bb5695a075fc58b2fb298a15a95a37c6cbe8ac3e1090f88971a0422053ad6f52e440e9c63

Download Submit
C:\Users\Admin\Desktop\UnblockSearch.svg.ChupaCabra
MD5
1ac522330968e378fa11aec952d524ed

SHA1
4ca84a977b9c901f3576be93bb63ff9ecbbb619d

SHA256
977e555d23634d7a2d7e421884de74a6c70e054ad7fcebad80b0a0302fbc9a1a

SHA512
a16f63ad0581e4b432189ed4a9bc20fc2f512e3d766e0b4d1846baf4c4fa77cd82e5e33be1693287b7d104e41e53d9a9ca087649487a939fe77645b38d09c652

Download Submit
C:\Users\Admin\Desktop\UndoPush.cab.ChupaCabra
MD5
1ca12dff49c38285dd2c0dd039128f15

SHA1
3935a93e232f21f8bdddee61eefc92aa408ae2f8

SHA256
fb44f9a632b6d1f45f4ed969a9afaeecdd087d56b1b31f8dd8963ac0d825d129

SHA512
d9bf80da739517d34286ced9d3d9a1a8303ef8a92894702d92732a17abb1b6d1d4b2946dc7a3b5697995f86ef7e65e888e16f05c6b11211b02f862d3a8804605

Download Submit
C:\Users\Admin\Desktop\WatchStop.ps1.ChupaCabra
MD5
ee8856a8bc3998b84be39497fe568c71

SHA1
e21b8d16646f4a770bfacae7703deb6d635c90a0

SHA256
c1b3e23ce509ff72a89fb30b940fcba2d88da48165777915025838002c6b8ebb

SHA512
fd162f6df678de25af6fa48b272013d5a2143ad96484b7778a8452d7ad0e1f89ab53834f45af27c7877f9b9b7c00b6e46ac08d484921bc74fd51c78d7b5bec6e

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.ChupaCabra
MD5
1ab4ee17f53625a6fc55e45023cce28e

SHA1
ee7de6f8d9a011c1c1ab7a8ab4d0943e47cc7320

SHA256
a801e3ac2150a5d2e8f09b61f58e12acaea9558fdb59e6e11498a3dd269e7741

SHA512
4bc93b1183438294976aaf5149e2e5890d72841964fa76cd2a4a2fdfbf8508007116388b56d9947cabdfc61d24e9415b864814ca6eead615a52894c6d0a63a22

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.ChupaCabra
MD5
d1cf6f6b1156f1e11c4455203b2221c7

SHA1
affc56397f8d9a47b8affabfe15aafee84c62d0e

SHA256
260eec29d7801e3d8074fc01abd286f2782904418a9f67d31863d199651e0691

SHA512
4a5f7ed82e25fe3b90849a0f83a1f07e268104145cc5943ec7a6d4b8e510d22517d111fb137f166cb92d66585cfd2b28c7b442b37b4e458b35577d3d1170ca76

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.ChupaCabra
MD5
568bdacc08827bf8999b5270042489c0

SHA1
9eb482cea633f3837c0a9b5a7f696b8e30bd475c

SHA256
5a71bebd7adef0fef8d27870c576343056d61b1b65848e2d039f485b63333bc8

SHA512
39bf39810d04b3ae4f4744ccc9cd750925a4fe13fa5b0e13a4e3491a440b861d36249d84b0a5c1f056ee87634e944e52d99332e4d081e9cff7a857dcad131c94

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.ChupaCabra
MD5
0a5ff3f5f24816b14bca21ae96a32499

SHA1
ba3d8140c9242e3d4bb45d3780e8589bcb38e495

SHA256
cf37d383afcdcb40f9173e8130b95153617de5c0e32c0779c287df897838c52f

SHA512
a6222ed2af0c1c8d3b905cd0dc8b08f8b1c30b627caf3da9b7b6db3dd299d599d71b3f23245c39b3d4f3113116fa9d411d4025ac8850f40560844552ff724a31

Download Submit
memory/1380-95-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1380-64-0x0000000000000000-mapping.dmp

Download
memory/1620-62-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1620-63-0x00000000021A0000-0x0000000002460000-memory.dmp

Filesize
2.8MB

Download
memory/1932-61-0x000000001B1E0000-0x000000001B1E2000-memory.dmp

Filesize
8KB

Download
memory/1932-59-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads