Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 153s
max time network: 148s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2022, 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
  Resource: win10v2004-20220901-en
General
Target: 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Size: 20KB
MD5: 65e20fe33e32e5bbfce06725da9f1390
SHA1: 7a8e41de13760f158edac9045d6cf64036ecafea
SHA256: 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904
SHA512: 4f6c9758364541dfd362c69424c0b9242ddf4137a474615a3648100588b9127931eb5b302697d22f30189c0960757932f3d5cad164f73f346ff5dcf2541b33f7
SSDEEP: 192:4/bROG+bO5r+C+isnpHfB7FhO8C0lzWvI4QwFt9V+jqCNa5KDJBaV:4L+q5r+PpHfXhUkKvI4QwjQNa5KDJq
Malware Config
Signatures
Drops file in Drivers directory (59 IoCs)
Executes dropped EXE (4 IoCs)
pid   Process
1624  winlogon.exe
540   AE 0124 BE.exe
1988  winlogon.exe
828   winlogon.exe
Loads dropped DLL (7 IoCs)
pid   Process
2016  1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
2016  1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
540   AE 0124 BE.exe
540   AE 0124 BE.exe
1624  winlogon.exe
1624  winlogon.exe
1344  iexplore.exe
Drops desktop.ini file(s) (57 IoCs)
Drops autorun.inf file (1 TTPs, 25 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1344 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
1344 | iexplore.exe
1344 | iexplore.exe
1624 | winlogon.exe
1692 | IEXPLORE.EXE
1692 | IEXPLORE.EXE
540 | AE 0124 BE.exe
1988 | winlogon.exe
1692 | IEXPLORE.EXE
1692 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2016 wrote to memory of 1344 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 27
PID 2016 wrote to memory of 1344 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 27
PID 2016 wrote to memory of 1344 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 27
PID 2016 wrote to memory of 1344 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 27
PID 1344 wrote to memory of 1692 | 1344 | iexplore.exe | 29
PID 1344 wrote to memory of 1692 | 1344 | iexplore.exe | 29
PID 1344 wrote to memory of 1692 | 1344 | iexplore.exe | 29
PID 1344 wrote to memory of 1692 | 1344 | iexplore.exe | 29
PID 2016 wrote to memory of 1624 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 30
PID 2016 wrote to memory of 1624 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 30
PID 2016 wrote to memory of 1624 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 30
PID 2016 wrote to memory of 1624 | 2016 | 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe | 30
PID 1624 wrote to memory of 540 | 1624 | winlogon.exe | 31
PID 1624 wrote to memory of 540 | 1624 | winlogon.exe | 31
PID 1624 wrote to memory of 540 | 1624 | winlogon.exe | 31
PID 1624 wrote to memory of 540 | 1624 | winlogon.exe | 31
PID 540 wrote to memory of 1988 | 540 | AE 0124 BE.exe | 32
PID 540 wrote to memory of 1988 | 540 | AE 0124 BE.exe | 32
PID 540 wrote to memory of 1988 | 540 | AE 0124 BE.exe | 32
PID 540 wrote to memory of 1988 | 540 | AE 0124 BE.exe | 32
PID 1624 wrote to memory of 828 | 1624 | winlogon.exe | 33
PID 1624 wrote to memory of 828 | 1624 | winlogon.exe | 33
PID 1624 wrote to memory of 828 | 1624 | winlogon.exe | 33
PID 1624 wrote to memory of 828 | 1624 | winlogon.exe | 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
"C:\Users\Admin\AppData\Local\Temp\1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe"
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1692
  C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
    C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:540
      C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:1988
    C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    - Executes dropped EXE
    PID:828
Network
MITRE ATT&CK Enterprise v6
Downloads