ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8

Analysis

max time kernel
151s
max time network
210s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe
Size

1.2MB
MD5

41af5d97063e79571d2657ba3187c266
SHA1

54b0f7f811b543f336fc60c6bac9ac8b9402c67f
SHA256

ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8
SHA512

99d466ff3262ef412d61f426ea2bff455b6e586b76d81fc77cabde9c8b8fa7188bf6699f3339ee6b1714bd85ad8ddb4ae816135b9b81b60894a90064716471ff
SSDEEP

24576:KAFJnZX4kxKlUJKztq+qGh0FyCBQW6HYTa6ac+VHnX23Om5ewVR4eotaE:HFJnjPKzttIIRHca6aBwdfVRMME

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1164	FULLHA~1.EXE
1300	bootc0g.exe

Loads dropped DLL 14 IoCs

pid	Process
1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe
1164	FULLHA~1.EXE
1164	FULLHA~1.EXE
1164	FULLHA~1.EXE
1164	FULLHA~1.EXE
1164	FULLHA~1.EXE
1300	bootc0g.exe
1300	bootc0g.exe
1300	bootc0g.exe
1300	bootc0g.exe
1300	bootc0g.exe
1300	bootc0g.exe
1300	bootc0g.exe
1300	bootc0g.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	bootc0g.exe
File opened (read-only)	\??\I:	bootc0g.exe
File opened (read-only)	\??\J:	bootc0g.exe
File opened (read-only)	\??\M:	bootc0g.exe
File opened (read-only)	\??\P:	bootc0g.exe
File opened (read-only)	\??\W:	bootc0g.exe
File opened (read-only)	\??\S:	bootc0g.exe
File opened (read-only)	\??\T:	bootc0g.exe
File opened (read-only)	\??\Z:	bootc0g.exe
File opened (read-only)	\??\B:	bootc0g.exe
File opened (read-only)	\??\E:	bootc0g.exe
File opened (read-only)	\??\G:	bootc0g.exe
File opened (read-only)	\??\H:	bootc0g.exe
File opened (read-only)	\??\K:	bootc0g.exe
File opened (read-only)	\??\A:	bootc0g.exe
File opened (read-only)	\??\U:	bootc0g.exe
File opened (read-only)	\??\V:	bootc0g.exe
File opened (read-only)	\??\X:	bootc0g.exe
File opened (read-only)	\??\R:	bootc0g.exe
File opened (read-only)	\??\F:	bootc0g.exe
File opened (read-only)	\??\L:	bootc0g.exe
File opened (read-only)	\??\N:	bootc0g.exe
File opened (read-only)	\??\O:	bootc0g.exe
File opened (read-only)	\??\Q:	bootc0g.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\bootc0g.exe	FULLHA~1.EXE
File opened for modification	C:\windows\SysWOW64\bootc0g.exe	FULLHA~1.EXE
File created	C:\windows\SysWOW64\GIFviewer.ocx	FULLHA~1.EXE
File opened for modification	C:\windows\SysWOW64\GIFviewer.ocx	FULLHA~1.EXE
File created	C:\windows\SysWOW64\ds0und3d.dll	FULLHA~1.EXE
File opened for modification	C:\windows\SysWOW64\ds0und3d.dll	FULLHA~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000f84a0dd74318e20cb654e02c1a25b6909f06df5945f5da0b7972b6ca7db0d9d1000000000e80000000020000200000009ce8c7125086f2ed407e07a85412ba2ff8a8afbde812abb4a050a912df1b30ab20000000240adb15b3d9eb3b753c78eac64497ddc96bebbcb69d8b642e932d8fca64aa4d4000000053a78fa1fa7eb2e9e25d145da46aec1e4898354f5b3d44d0939a47f01fe1fadbc6c6afd89879ba3e495856573ca0c0e1a8449a2a2dce506cb8e562fd9a7ac385	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373089811"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E787CB41-50F4-11ED-8C74-D6AAFEFD221A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000e0240c39f1f2c47aa2c067289cbc0cf9a77cbc6e2bf0dde11dd0cefc41784434000000000e8000000002000020000000400a7b4700350dd17a22004795df7bed12b090deacc18b49000bc59388e0735a90000000865004f22dd15b88b05397dc49f11535f19664a0fc69892949b73d267e5a790a0e9f83c3f3aaab6965b3ab62b4bb536cb0d997aae56c74f732fd7817ffca79e7b8440cfcdcaa92a7aaeed0c72769c51a04c06672e2c8d9b5ca69d880b0c4b848decf5d3d5e38e11c5515206440f9374b118b21c5808eb8af1f3a4755cbd862650fac0f6118c405f200fcc86d80affe97400000008e1575300d26ad67aeab469b53a7201577db1c74c1d854503daa33daf38620844d5e652bd50604eb1d77c7208fcd5017e1b19c688f17417d5819a8c30450bfd4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E78D97A1-50F4-11ED-8C74-D6AAFEFD221A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603591c701e5d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID\ = "WelchGIFviewer.ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\windows\\SysWOW64"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\windows\\SysWOW64\\GIFviewer.ocx"	bootc0g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	bootc0g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\windows\\SysWOW64\\GIFviewer.ocx, 30000"	bootc0g.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1164	FULLHA~1.EXE
Token: SeBackupPrivilege	1164	FULLHA~1.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1548	iexplore.exe
1824	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1300	bootc0g.exe
1300	bootc0g.exe
1824	iexplore.exe
1824	iexplore.exe
1548	iexplore.exe
1548	iexplore.exe
364	IEXPLORE.EXE
364	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1516 wrote to memory of 1164	1516	ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe	27
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1164 wrote to memory of 1300	1164	FULLHA~1.EXE	28
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1824	1300	bootc0g.exe	29
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1300 wrote to memory of 1548	1300	bootc0g.exe	30
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1824 wrote to memory of 2020	1824	iexplore.exe	32
PID 1548 wrote to memory of 364	1548	iexplore.exe	33
PID 1548 wrote to memory of 364	1548	iexplore.exe	33
PID 1548 wrote to memory of 364	1548	iexplore.exe	33
PID 1548 wrote to memory of 364	1548	iexplore.exe	33
PID 1548 wrote to memory of 364	1548	iexplore.exe	33
PID 1548 wrote to memory of 364	1548	iexplore.exe	33
PID 1548 wrote to memory of 364	1548	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe
"C:\Users\Admin\AppData\Local\Temp\ef7d5edea1d6cd87ea8cfcf720aab0261bd20c0e06de4c093317dd1fd73bfac8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\windows\SysWOW64\bootc0g.exe
    "C:\windows\system32\bootc0g.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://adf.ly/ynSD
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://toyibg.blogspot.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
e6598e78d16f0c2e1ec90aef53c66a01

SHA1
c5d66a9ea974bc0be87ef3a1bc023597a7048d7a

SHA256
98b5923fa0f04b0461cb24ff88a5f8f2d6bf6beca0a56afa75b920de6d84994c

SHA512
b8cdbdc4fe640f1512490888176b4aeec8885880ef110ea16bf18e0b9b39d03c3961f8000653b68a2e39a48a9d8391bf50f60b2073647147cf1d4c7d130481bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
226B

MD5
ae2cf8a69a2b4f1ab430cdb410746f48

SHA1
8479a403620c859e69a4795cb7c6a99d883009b6

SHA256
6e46c296742fe5de188635f12cc2d70c4f1982c07bb98f451012d75825cbf8f8

SHA512
cbf4fcfe4ae83aa22977d52648bf9c52721beb941a051df029506154c8b989072121a5ae034c4401219b1e044dcb87a52ea50d6c8760799d196f9ebcb2b0c2a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
dde51b24c49e340fc03639565a4b2f8c

SHA1
b024498ea37587b4672d9d47abcf469d681ffc25

SHA256
423d267118b70a55968796430494401ff92b96cc6f756adc100165b25f690fb9

SHA512
6b4b03edc7fd63f809ab7c0e3fa541a5a6cc5889e6fb03f4c1e9656b2bd17d19812aecf68951a4ed27d037f936305788c3469212de259436d849b7f84a114b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E787CB41-50F4-11ED-8C74-D6AAFEFD221A}.dat

Filesize
5KB

MD5
7369f528020d41cb6a4bceed2dabb573

SHA1
18e7ec405b53adeb293172c7a61990b0f7e95649

SHA256
0816a1f17ec4ef026f43e9eca3c1ef5b7c13dbf5076963033b6f0d2edfc5e36d

SHA512
1c9e46b6409c3f57b4a2cc059be8290bc70c10dc5e7c22d4c7599487c2b9667b7031b01644ac6654a14752a37a3843663af129de7acd4652a963162b88a4795c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E78D97A1-50F4-11ED-8C74-D6AAFEFD221A}.dat

Filesize
4KB

MD5
c37b2bc9c43a8456eb438b03ac7a04f1

SHA1
3095112de950ac61dc505089036a964a041beac8

SHA256
d7118be03cd4b0d859b403346d8dbf98e330bd264a41338601d9a29abd65d6aa

SHA512
dfeae6dc49ce9943842867263a878e66bc706a26b54fffc4d42b1fb5ac8ee53b683b28f54ca970a7920fbea198252757d983588fc99ee247a8f0ad028dc6fca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
8KB

MD5
440d6cfbb88a85f9375069b035192604

SHA1
3f6b3a8d647d9ef0ca43d2c5b681e91c8b2c607f

SHA256
d6b08de87965018e77b4be2d156c36f44dfe320842a96f28e1688ebf6d8f9ea7

SHA512
91ff3a9962632ff50d65b9cbb2cab995bf3688f7e5e119f2295a04c7c82d9c6d41509a5fd3e58683db1d54c8123f46307cc8b30d31eea2a4d57dc9978485af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE

Filesize
1.3MB

MD5
2e95b3dfacf8450e01da3adbf670cd17

SHA1
6f4a04756206a031df6128d409904a58510c5b8c

SHA256
9b5f79dbe2f0babda391e6a49b6660ef6255c25801b57d9996f00d49047f6fac

SHA512
39fc703c8d776b59d582c44aeb6209c48df860b91fe9c5a9ad0016f71f45f4fbcf4cfe8860a0d3be527b6a8b1ff425eb1cb300f24fea189f681d2ee1b1f6e2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE

Filesize
1.3MB

MD5
2e95b3dfacf8450e01da3adbf670cd17

SHA1
6f4a04756206a031df6128d409904a58510c5b8c

SHA256
9b5f79dbe2f0babda391e6a49b6660ef6255c25801b57d9996f00d49047f6fac

SHA512
39fc703c8d776b59d582c44aeb6209c48df860b91fe9c5a9ad0016f71f45f4fbcf4cfe8860a0d3be527b6a8b1ff425eb1cb300f24fea189f681d2ee1b1f6e2a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EVOJI7B6.txt

Filesize
608B

MD5
8e8544a9914667564110fe7bb86ad9e0

SHA1
ed7efd7088a5ec6cf34dc382e3b0c47dd020d99f

SHA256
7f178dfeac62a940875aadebe1df02dcb518b8ae90177f5d9c3fa04120a65de7

SHA512
f51e9df21d1d7fe5f00021b0360cb3ab6241ebf0bacecb0da64c03a8d876969e79dbf5222023f2cdf3ced38d7b3dea72eab5cecf16e2f06c7710986e0cfb0293

Download Submit
C:\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
C:\windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
C:\windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE

Filesize
1.3MB

MD5
2e95b3dfacf8450e01da3adbf670cd17

SHA1
6f4a04756206a031df6128d409904a58510c5b8c

SHA256
9b5f79dbe2f0babda391e6a49b6660ef6255c25801b57d9996f00d49047f6fac

SHA512
39fc703c8d776b59d582c44aeb6209c48df860b91fe9c5a9ad0016f71f45f4fbcf4cfe8860a0d3be527b6a8b1ff425eb1cb300f24fea189f681d2ee1b1f6e2a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE

Filesize
1.3MB

MD5
2e95b3dfacf8450e01da3adbf670cd17

SHA1
6f4a04756206a031df6128d409904a58510c5b8c

SHA256
9b5f79dbe2f0babda391e6a49b6660ef6255c25801b57d9996f00d49047f6fac

SHA512
39fc703c8d776b59d582c44aeb6209c48df860b91fe9c5a9ad0016f71f45f4fbcf4cfe8860a0d3be527b6a8b1ff425eb1cb300f24fea189f681d2ee1b1f6e2a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE

Filesize
1.3MB

MD5
2e95b3dfacf8450e01da3adbf670cd17

SHA1
6f4a04756206a031df6128d409904a58510c5b8c

SHA256
9b5f79dbe2f0babda391e6a49b6660ef6255c25801b57d9996f00d49047f6fac

SHA512
39fc703c8d776b59d582c44aeb6209c48df860b91fe9c5a9ad0016f71f45f4fbcf4cfe8860a0d3be527b6a8b1ff425eb1cb300f24fea189f681d2ee1b1f6e2a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\FULLHA~1.EXE

Filesize
1.3MB

MD5
2e95b3dfacf8450e01da3adbf670cd17

SHA1
6f4a04756206a031df6128d409904a58510c5b8c

SHA256
9b5f79dbe2f0babda391e6a49b6660ef6255c25801b57d9996f00d49047f6fac

SHA512
39fc703c8d776b59d582c44aeb6209c48df860b91fe9c5a9ad0016f71f45f4fbcf4cfe8860a0d3be527b6a8b1ff425eb1cb300f24fea189f681d2ee1b1f6e2a2

Download Submit
\Windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
\Windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
\Windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
\Windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
\Windows\SysWOW64\bootc0g.exe

Filesize
359KB

MD5
f782d7f76ad1c7f7c90dde21a6ee7668

SHA1
bbcbfc19575a1678a7a806a308c36b783e9b5bbd

SHA256
d9979dbb45f425549b8e7d2397de591db3c21d7a09c25c0eaf4df9496c19386d

SHA512
b75a9196993095e43757b0315de6403cd868a4eff91b7694b579ecd84ad943ab79f0f63f59313331afbb383ba74813cf62a7d40c5b052945801ed64c93b1ec4b

Download Submit
memory/1300-82-0x0000000005150000-0x00000000052EE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-80-0x0000000004C70000-0x0000000004C89000-memory.dmp

Filesize
100KB

Download
memory/1300-88-0x00000000040D0000-0x00000000040DA000-memory.dmp

Filesize
40KB

Download
memory/1300-89-0x00000000040D0000-0x00000000040DA000-memory.dmp

Filesize
40KB

Download
memory/1300-90-0x00000000040D0000-0x00000000040DA000-memory.dmp

Filesize
40KB

Download
memory/1300-91-0x00000000040D0000-0x00000000040DA000-memory.dmp

Filesize
40KB

Download
memory/1300-92-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-93-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-94-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-95-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-86-0x00000000040C0000-0x00000000040CA000-memory.dmp

Filesize
40KB

Download
memory/1300-87-0x00000000040C0000-0x00000000040CA000-memory.dmp

Filesize
40KB

Download
memory/1300-100-0x00000000040D0000-0x00000000040DA000-memory.dmp

Filesize
40KB

Download
memory/1300-99-0x00000000040C0000-0x00000000040CA000-memory.dmp

Filesize
40KB

Download
memory/1300-98-0x00000000040C0000-0x00000000040CA000-memory.dmp

Filesize
40KB

Download
memory/1300-81-0x0000000005110000-0x0000000005124000-memory.dmp

Filesize
80KB

Download
memory/1300-102-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-103-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-104-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-105-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-106-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1300-96-0x0000000004230000-0x000000000423A000-memory.dmp

Filesize
40KB

Download
memory/1516-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads