Analysis
max time kernel: 151s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 22:13
Static task: static1
Behavioral task: behavioral1
Sample: f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe
Resource: win10v2004-20220901-en
General
Target: f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe
Size: 20KB
MD5: 57f90e3d9df40904c7a19c6a65a169e0
SHA1: 783bb0b9ee26cbe511a3c03643a006528900d735
SHA256: f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6
SHA512: c373dd41280074c9a0a640faaaa59255b2bcd1a0a935d2cbf79f658465933aecf057009490e5602aa03a83cf5539bdd20a3730b94edd92c04aa87f4537d00479
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBIybGlBD:1M3PnQoHDCpHf4I4Qwdc0G5KDJyy6lBD
Malware Config
Signatures
-
Drops file in Drivers directory 59 IoCs
Executes dropped EXE 4 IoCs
pid Process 908 winlogon.exe 1172 AE 0124 BE.exe 688 winlogon.exe 592 winlogon.exe -
Loads dropped DLL 7 IoCs
pid Process 240 f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe 240 f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe 908 winlogon.exe 908 winlogon.exe 1172 AE 0124 BE.exe 1172 AE 0124 BE.exe 592 winlogon.exe -
Drops desktop.ini file(s) 48 IoCs
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1908 DllHost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 240 f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe 908 winlogon.exe 1172 AE 0124 BE.exe 592 winlogon.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 240 wrote to memory of 908 | 240 | f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe | 29
PID 240 wrote to memory of 908 | 240 | f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe | 29
PID 240 wrote to memory of 908 | 240 | f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe | 29
PID 240 wrote to memory of 908 | 240 | f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe | 29
PID 908 wrote to memory of 1172 | 908 | winlogon.exe | 30
PID 908 wrote to memory of 1172 | 908 | winlogon.exe | 30
PID 908 wrote to memory of 1172 | 908 | winlogon.exe | 30
PID 908 wrote to memory of 1172 | 908 | winlogon.exe | 30
PID 908 wrote to memory of 688 | 908 | winlogon.exe | 32
PID 908 wrote to memory of 688 | 908 | winlogon.exe | 32
PID 908 wrote to memory of 688 | 908 | winlogon.exe | 32
PID 908 wrote to memory of 688 | 908 | winlogon.exe | 32
PID 1172 wrote to memory of 592 | 1172 | AE 0124 BE.exe | 31
PID 1172 wrote to memory of 592 | 1172 | AE 0124 BE.exe | 31
PID 1172 wrote to memory of 592 | 1172 | AE 0124 BE.exe | 31
PID 1172 wrote to memory of 592 | 1172 | AE 0124 BE.exe | 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe
"C:\Users\Admin\AppData\Local\Temp\f008ea17dc786743437c64b8c38fb9525390c1e6e818fd3b75bfb2f4f1ac6fd6.exe"
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:240
  C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:908
    C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1172
      C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:592
    C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    - Executes dropped EXE
    PID:688
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Suspicious use of FindShellTrayWindow
PID:1908
Network
MITRE ATT&CK Enterprise v6
Downloads