Analysis
max time kernel: 151s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 02:14
Static task: static1

Behavioral task: behavioral1
Sample: 863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
Resource: win10v2004-20220901-en
General
Target: 863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
Size: 20KB
MD5: 2cf43ad8c96711f7f08cf3e9db900840
SHA1: 03c4692a882a7aa6ff3b36f8f79fdec5fb642f68
SHA256: 863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093
SHA512: 6d80b66babe83a649a6ca313e92e4d89dceec2fd88b77dc57b38b370a8f99a9813a308caacce46c79b116c9566a1eef48f61e434ff332644727a253f87df2923
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBl:1M3PnQoHDCpHf4I4Qwdc0G5KDJH
Malware Config
Signatures
Drops file in Drivers directory (17 IoCs)
Executes dropped EXE (4 IoCs)
PID   Process
364   winlogon.exe
1436  AE 0124 BE.exe
3628  winlogon.exe
3172  winlogon.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Description        IoC                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  winlogon.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  AE 0124 BE.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
Loads dropped DLL (3 IoCs)
PID   Process
1436  AE 0124 BE.exe
3628  winlogon.exe
3172  winlogon.exe
Drops desktop.ini file(s) (26 IoCs)
Drops autorun.inf file (1 TTP, 27 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (4 IoCs)
Description  IoC                                                                                                    Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings                    863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  AE 0124 BE.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID   Process
4440  vlc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID   Process
4440  vlc.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Description                        PID   Process
Token: 33                          2292  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2292  AUDIODG.EXE
Token: 33                          4440  vlc.exe
Token: SeIncBasePriorityPrivilege  4440  vlc.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
PID   Process
4440  vlc.exe (8 occurrences)

Suspicious use of SendNotifyMessage (7 IoCs)
PID   Process
4440  vlc.exe (7 occurrences)

Suspicious use of SetWindowsHookEx (6 IoCs)
PID   Process
4956  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe
4440  vlc.exe
364   winlogon.exe
1436  AE 0124 BE.exe
3628  winlogon.exe
3172  winlogon.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Description                       PID   Process                                                                 procid_target
PID 4956 wrote to memory of 4440  4956  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe  82
PID 4956 wrote to memory of 4440  4956  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe  82
PID 4956 wrote to memory of 364   4956  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe  83
PID 4956 wrote to memory of 364   4956  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe  83
PID 4956 wrote to memory of 364   4956  863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe  83
PID 364 wrote to memory of 1436   364   winlogon.exe                                                            84
PID 364 wrote to memory of 1436   364   winlogon.exe                                                            84
PID 364 wrote to memory of 1436   364   winlogon.exe                                                            84
PID 364 wrote to memory of 3628   364   winlogon.exe                                                            86
PID 364 wrote to memory of 3628   364   winlogon.exe                                                            86
PID 364 wrote to memory of 3628   364   winlogon.exe                                                            86
PID 1436 wrote to memory of 3172  1436  AE 0124 BE.exe                                                          87
PID 1436 wrote to memory of 3172  1436  AE 0124 BE.exe                                                          87
PID 1436 wrote to memory of 3172  1436  AE 0124 BE.exe                                                          87
Processes
-
Process tree (indentation shows parent/child; the command line each process was started with is given under its image path):

C:\Users\Admin\AppData\Local\Temp\863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe (PID 4956)
Command line: "C:\Users\Admin\AppData\Local\Temp\863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Program Files\VideoLAN\VLC\vlc.exe (PID 4440, child of 4956)
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\AE 0124 BE.wav"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe (PID 364, child of 4956)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\AE 0124 BE.exe (PID 1436, child of 364)
        Command line: "C:\Windows\AE 0124 BE.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Checks computer location settings
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3172, child of 1436)
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3628, child of 364)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE (PID 2292, top level)
Command line: C:\Windows\system32\AUDIODG.EXE 0x394 0x384
- Suspicious use of AdjustPrivilegeToken

Two points worth noting when reading this tree. First, every winlogon.exe instance was started with the command line "C:\Windows\System32\drivers\winlogon.exe" but its image actually ran from C:\Windows\SysWOW64\drivers\. The sample is a 32-bit binary (it ships the VB6 runtime Msvbvm60.dll, which only exists as a 32-bit DLL), so on this x64 VM the WoW64 file system redirector rewrites its System32 writes and executions to SysWOW64. Either path is a masquerade: the genuine winlogon.exe lives at C:\Windows\System32\winlogon.exe and is never found under a drivers directory. Second, the sample hands "C:\Windows\AE 0124 BE.wav" to the VM's default .wav handler (VLC here), and AUDIODG.EXE, the Windows audio engine host, appears as a top-level process because the audio service starts it when playback begins; neither of these two is malicious in itself, but the dropped .wav path is a usable indicator.
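The behaviour in the tree above (a winlogon.exe running from a drivers directory, the System32-to-SysWOW64 path mismatch, the VB6 runtime and autorun.inf/desktop.ini drops, and the hashes listed under Downloads) can be turned into a small set of detection rules. The following is an added example and not code from the sandbox, the report, or the sample: it runs the rules over constructed Sysmon-style records (the Event layout modelled on Sysmon Event ID 1 and 11 fields is an assumption; the hashes and paths are taken from this report, the event records are made up).

```python
"""Detection rules for the behaviour in this report, run over constructed
Sysmon-style records. Added example, not code from the sandbox or the sample.
Assumed: the Event layout below (modelled on Sysmon EID 1 / EID 11 fields);
the hashes and paths come from the report, the event records are made up."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# SHA-256 values listed under "Downloads" in this report, plus the submitted sample.
KNOWN_BAD_SHA256 = {
    "863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093",  # submitted sample
    "b01bdbf6cc839b409a592dc9c7d618b9bd1383c7640850d2379d9c34c0bdfe03",  # 40KB drop
    "a59026dd12fd8fdd986ede2478207ad35350b228657079bc11178cff60ae2576",  # 20KB drop
    "898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2",  # 1.4MB drop
    "564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8",  # 25B drop
}
# The only place a genuine winlogon.exe runs from; any other path is masquerading.
LEGIT_WINLOGON = r"c:\windows\system32\winlogon.exe"
# Native and WoW64-redirected drivers directories.
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\syswow64\drivers")
# File names the report shows being dropped (autorun.inf, desktop.ini, VB6 runtime).
DROPPED_MARKERS = {"autorun.inf", "desktop.ini", "msvbvm60.dll"}


@dataclass
class Event:
    kind: str          # "process" (like Sysmon EID 1) or "file" (like EID 11)
    image: str         # image path of the process that ran / wrote the file
    detail: str = ""   # command line (process) or path of the created file (file)
    sha256: str = ""   # image hash (process) or file hash (file), if known


def _norm(path: str) -> str:
    """Lower-case, normalised Windows path; ntpath makes this work on any host."""
    return ntpath.normpath(path.strip('"')).lower()


def _first_token(cmdline: str) -> str:
    """Program path from a Windows command line (quoted or first space-delimited token)."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(" ", 1)[0]


def analyse(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule, path) findings in event order."""
    findings: list[tuple[str, str]] = []
    for e in events:
        img = _norm(e.image)
        subject = e.image if e.kind == "process" else e.detail
        if e.sha256 and e.sha256.lower() in KNOWN_BAD_SHA256:
            findings.append(("known_hash", subject))
        if e.kind == "process":
            if ntpath.basename(img) == "winlogon.exe" and img != LEGIT_WINLOGON:
                findings.append(("masquerade", e.image))
            # Command line named System32 but the image ran from SysWOW64: the
            # WoW64 file system redirector rewrote the path for a 32-bit process.
            requested = _norm(_first_token(e.detail)) if e.detail else ""
            if requested and requested != img and \
                    requested.replace("\\system32\\", "\\syswow64\\") == img:
                findings.append(("wow64_redirect", e.image))
        elif e.kind == "file":
            tgt = _norm(e.detail)
            if ntpath.basename(tgt) in DROPPED_MARKERS:
                findings.append(("dropped_marker", e.detail))
            # Anything other than a .sys landing directly in a drivers directory.
            if ntpath.dirname(tgt) in DRIVER_DIRS and not tgt.endswith(".sys"):
                findings.append(("drivers_dir_write", e.detail))
    return findings


# Constructed records mirroring the process tree and drop list (not sandbox output).
SAMPLE_EVENTS = [
    Event("process",
          r"C:\Users\Admin\AppData\Local\Temp\863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093.exe"',
          "863620b853965c943aefbc327c33f6d3f0e86f9991468b7786317f8fc8df7093"),
    Event("process", r"C:\Windows\SysWOW64\drivers\winlogon.exe",
          r'"C:\Windows\System32\drivers\winlogon.exe"'),
    Event("process", r"C:\Windows\System32\winlogon.exe", "winlogon.exe"),  # the real one
    Event("file", r"C:\Windows\SysWOW64\drivers\winlogon.exe",
          r"C:\Windows\SysWOW64\drivers\Msvbvm60.dll"),
    Event("file", r"C:\Windows\AE 0124 BE.exe", r"D:\autorun.inf"),
    Event("file", r"C:\Windows\System32\drvinst.exe",
          r"C:\Windows\System32\drivers\example.sys"),  # benign driver install
]

if __name__ == "__main__":
    for rule, path in analyse(SAMPLE_EVENTS):
        print(f"{rule:18} {path}")
```

The masquerade rule keys on the image path the kernel actually mapped, not on the command line, because the command line is what the parent asked for and can name a path that redirection or a junction silently changes; the wow64_redirect rule exists only to explain that mismatch so an analyst does not dismiss it as a logging error. Hash matching is the weakest of the rules (one byte changed in the dropper defeats it) and is included to show how the Downloads list plugs in.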
Network
MITRE ATT&CK Enterprise v6
Downloads

Files dropped during the run, as listed in the report. The report repeats identical entries; each distinct file is shown once here with the number of times it was listed. Drop paths are not part of this listing.

Filesize 40KB (listed 6 times)
MD5 9d1c5169476e6be7bb046eab56999425
SHA1 e7b09787094f9278fedd3f3c032802a230aae70a
SHA256 b01bdbf6cc839b409a592dc9c7d618b9bd1383c7640850d2379d9c34c0bdfe03
SHA512 9edfdd77c379ed47431a91a1821645f866f80c78f12bfe7d0ecbb4b0dd5e660fa345f70326c9103c41660ed637685f521437c9d48c4f14c5c3774a48021f9251

Filesize 20KB (listed once)
MD5 4964c47d082ae4c8513a1c98e3e068bf
SHA1 17eacc0e9e242d2f3c3e2038f0386486a70c1cc1
SHA256 a59026dd12fd8fdd986ede2478207ad35350b228657079bc11178cff60ae2576
SHA512 c73312a2dea18ca6f30232e51ae98f8321d391f1c1da4560683ea3269538c6a02b64779b2cbb6f9f3911d9304874a2d9db84e5f0d9644674d2e327dc5c3a7c90

Filesize 1.4MB (listed 5 times)
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Filesize 25B (listed 2 times)
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb