Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 07/11/2022, 02:14
Static task: static1
Behavioral task: behavioral1
Sample: 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Resource: win10v2004-20220901-en
General
Target: 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Size: 20KB
MD5: 15a07b5cf414586ecee046a8894540a0
SHA1: 5b3cf96dac2178d333ad8ff0482119ffd6e970a6
SHA256: 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27
SHA512: 22ed644161c2f6a17fa51caf2dc91f8e16a2d6dd8c68284756fe6de6d04dc1c3f6f9cc782043e06bec60835e62e0aa05ad781a445ed130496a3fb31a51908bcb
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBi8Eq/7d:1M3PnQoHDCpHf4I4Qwdc0G5KDJvE2h
Malware Config
Signatures
Drops file in Drivers directory 17 IoCs
Executes dropped EXE 4 IoCs
pid Process
1876 winlogon.exe
3596 AE 0124 BE.exe
4200 winlogon.exe
1056 winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation winlogon.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation AE 0124 BE.exe
Loads dropped DLL 3 IoCs
pid Process
3596 AE 0124 BE.exe
4200 winlogon.exe
1056 winlogon.exe
Drops desktop.ini file(s) 26 IoCs
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1204 iexplore.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1204 iexplore.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
632 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
1204 iexplore.exe
1204 iexplore.exe
1876 winlogon.exe
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
3596 AE 0124 BE.exe
4200 winlogon.exe
1056 winlogon.exe
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 632 wrote to memory of 1204 632 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe 82
PID 632 wrote to memory of 1204 632 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe 82
PID 1204 wrote to memory of 1520 1204 iexplore.exe 83
PID 1204 wrote to memory of 1520 1204 iexplore.exe 83
PID 1204 wrote to memory of 1520 1204 iexplore.exe 83
PID 632 wrote to memory of 1876 632 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe 84
PID 632 wrote to memory of 1876 632 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe 84
PID 632 wrote to memory of 1876 632 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe 84
PID 1876 wrote to memory of 3596 1876 winlogon.exe 85
PID 1876 wrote to memory of 3596 1876 winlogon.exe 85
PID 1876 wrote to memory of 3596 1876 winlogon.exe 85
PID 1876 wrote to memory of 4200 1876 winlogon.exe 86
PID 1876 wrote to memory of 4200 1876 winlogon.exe 86
PID 1876 wrote to memory of 4200 1876 winlogon.exe 86
PID 3596 wrote to memory of 1056 3596 AE 0124 BE.exe 87
PID 3596 wrote to memory of 1056 3596 AE 0124 BE.exe 87
PID 3596 wrote to memory of 1056 3596 AE 0124 BE.exe 87
Processes
Process tree (the number before each process is its depth in the tree; child processes are indented under their parent):

1. C:\Users\Admin\AppData\Local\Temp\6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe"
   - Drops file in Drivers directory
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 632

   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1204

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:17410 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
         PID: 1520

   2. C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Drops autorun.inf file
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1876

      3. C:\Windows\AE 0124 BE.exe
         Command line: "C:\Windows\AE 0124 BE.exe"
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Checks computer location settings
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Drops autorun.inf file
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 3596

         4. C:\Windows\SysWOW64\drivers\winlogon.exe
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID: 1056

      3. C:\Windows\SysWOW64\drivers\winlogon.exe
         Command line: "C:\Windows\System32\drivers\winlogon.exe"
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetWindowsHookEx
         PID: 4200
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 471B
MD5 5f49b65bdc1713b58ed97d0e9625a968
SHA1 84b74e55478c9abb163aa6629e3fd3b91bed4806
SHA256 a681ab9abc281fd12a7bd06f56e36a21e8ee28b5294815c5e07b781e324a32f9
SHA512 4b502288bef324db8ad33e63c7b6f242ef7954a6fbec3ed012530044c82fee3ad1158febe088bc0deea67ac35646a0a1bd6d961c0f67b11fee584e4f1abd753a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 434B
MD5 1cf5b4caf6527fb70da8f7e356ed55db
SHA1 c8edeffa52eb5237b7238062bf2e38ceb3541fa4
SHA256 9be1c7f69ae78f94819db57eddaaf2e1efb35545b0e0eefe59dbd85536e1aa12
SHA512 a9541870b5bb7ddc74f77f7a8378a61c21b8b4a688e6312ee655a8ee29ff74c8d6ab1bb2e87e2f8491a3dd947bfded94bcad45b647da0e90bc3e18cd2a413325
-
Filesize 40KB
MD5 196e8b30d00705ff163e015314b72511
SHA1 9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256 f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512 649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize 40KB
MD5 196e8b30d00705ff163e015314b72511
SHA1 9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256 f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512 649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize 20KB
MD5 afad62372305cffc494c9c93a372c853
SHA1 7309a1d0fe833c63fc2b2de6d87c24ea4a022252
SHA256 8299908170b69bcee7dc7a1627dea885613f21aea4aaa52622d08a579339ea6b
SHA512 60230129dc3469257aa7236cb4dae6402f22eaa822cbe790227dfa3a9437daeb8b56687200e1b2dbe007e78c1a832e1a145da8d7a5166f1ffb63e89665fb3206
-
Filesize 40KB
MD5 a618653903c8b98efe9d67b8a35917aa
SHA1 21522a39bc77748e2098d0e36e32bf27308817e5
SHA256 2de593fcea4623886dcd29dbf9c6bd9040990d0b758d11bdab69cf9ddd62ffc7
SHA512 8ad60850f4e67596aa2f39805f980b7a3a4ecf9f6794754b21f3f2b45b7568e73df4e29e3a903a938d91274f66abb392417733aca368022cf854a9f3dc560da6
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 40KB
MD5 196e8b30d00705ff163e015314b72511
SHA1 9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256 f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512 649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize 40KB
MD5 196e8b30d00705ff163e015314b72511
SHA1 9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256 f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512 649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize 40KB
MD5 196e8b30d00705ff163e015314b72511
SHA1 9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256 f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512 649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize 40KB
MD5 196e8b30d00705ff163e015314b72511
SHA1 9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256 f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512 649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize 25B
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
-
Filesize 25B
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb