Analysis
-
max time kernel
149s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
02/10/2022, 06:51
Static task
static1
Behavioral task
behavioral1
Sample
1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe
Resource
win10v2004-20220812-en
General
-
Target
1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe
-
Size
479KB
-
MD5
5b958cd60cf3bdc7962f19d1eb1086a0
-
SHA1
f760c8d88b26e505c293eb99e311e170d2679851
-
SHA256
1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c
-
SHA512
6bbb652e78ba5359cf15dd8162e36ba2be7a3a0ea434e24730a90301622f46c1a735dd631c94d590c024750b0ee38e01832bb7501b6ac116c2ac15c1051dbad9
-
SSDEEP
12288:N/AYUKZyq7sg+r6f3oR3Sx6eLBdNfNvixUCa:/nLwge6fK3SxVdNfpieCa
Malware Config
Signatures
-
Drops file in Drivers directory 60 IoCs
Executes dropped EXE 4 IoCs
pid Process
708 winlogon.exe
1012 AE 0124 BE.exe
1244 winlogon.exe
324 winlogon.exe
-
Loads dropped DLL 7 IoCs
pid Process
1652 1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe
1652 1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe
708 winlogon.exe
708 winlogon.exe
1012 AE 0124 BE.exe
1012 AE 0124 BE.exe
324 winlogon.exe
-
Drops desktop.ini file(s) 35 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 960 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 960 vlc.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process
Token: 33 1644 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1644 AUDIODG.EXE
Token: 33 1644 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1644 AUDIODG.EXE
Token: 33 960 vlc.exe
Token: SeIncBasePriorityPrivilege 960 vlc.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe 960 vlc.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
1652 1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe
708 winlogon.exe
960 vlc.exe
1244 winlogon.exe
1012 AE 0124 BE.exe
324 winlogon.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe "C:\Users\Admin\AppData\Local\Temp\1d0b1c4795086771d006b97fec4c87554718df21e3d11213819a56a11468590c.exe" 1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Program Files\VideoLAN\VLC\vlc.exe "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\AE 0124 BE.wav" 2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:960
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\AE 0124 BE.exe "C:\Windows\AE 0124 BE.exe" 3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:324
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1244
-
-
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x498 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644
Network
MITRE ATT&CK Enterprise v6
Downloads