d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Size

12KB
MD5

525ce41afec3272aa714e904991d49a0
SHA1

be295ae605c94042db87faec291415e46d34f2a5
SHA256

d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0
SHA512

09cfeb3628a15f7ecb410a8a554c0885c049cee464466ca866d6c2cfb1c4975e6e4bbb6aa0294935edfe99b3f3f219f54ea3b0ae36a73ddb31680cae1f9c933f
SSDEEP

96:4b6Hbg/W9mua81KzuaocoFM9er+usn5A9/T0cvpYbPbAPj:lb+W9m381muaMM9erM52b3veDAPj

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boutv.htm	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yywrfimayk.htm	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\u.exe = "C:\\Windows\\system32\\wuuyeu.exe"	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\es-ES\find.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DWWIN.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\it-IT\XPSViewer.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\com\es-ES\comrepl.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\chkdsk.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\chkdsk.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\gpresult.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sort.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Winrs.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\WerFault.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\colorcpl.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\dialer.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesRemote.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\dialer.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4100t.exp	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\rrinstaller.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ocsetup.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\rasdial.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cmdl32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\gpupdate.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\audiodg.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\unregmp2.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\WerFault.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\logman.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\cacls.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wscript.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\tcmsetup.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\com\ja-JP\MigRegDB.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DpiScaling.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\w32tm.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPPH3300.EXP	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa320t.exp	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\attrib.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\rasautou.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\drvinst.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\clip.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\hwrcomp.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\setx.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesPerformance.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Winrs.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\CertEnrollCtrl.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\unlodctr.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ntprint.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\taskmgr.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\charmap.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\diskperf.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\fltMC.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\dpapimig.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dialer.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\dccw.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\wordpad.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\mip.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\wordpad.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Minesweeper.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\PurblePlace.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mip.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_793d0bb8e6e170c0\tracerpt.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e121001d2df929ae\cmdl32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-r..lelevated.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cdeb78780aa4604a\RunLegacyCPLElevated.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\ehome\de-DE\ehsched.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_mcupdate_31bf3856ad364e35_6.1.7601.17514_none_26c2d72ec26de8d9\mcupdate.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c79c27afb69ccef4\unregmp2.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.1.7601.17514_en-us_529035abb5972411\netstat.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_32b8f08dde6f3b12\WmiApSrv.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e31d2d92828b5ec3\expand.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-notepad.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d878b193074a6a6\notepad.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe.config	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..ionrecord.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9de12a1398dac338\psr.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a17bed893abd659b\relog.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\tracerpt.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\PkgMgr.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\HOSTNAME.EXE	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..roperties.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ee4f3449050bc68\DeviceProperties.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..collector.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9d9754c209da150a\wecutil.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_6.1.7600.16385_es-es_54612fba19d3dc42\msiexec.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ls-ksetup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6bc1c3652edb1604\ksetup.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_81607de272dd2371\route.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.config	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..ienttools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_004976a3cebc9871\rasdial.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..rk-ctfmon.resources_31bf3856ad364e35_6.1.7600.16385_de-de_497db0d760f776be\ctfmon.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\de-DE_BitLockerToGo.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\aspnetca.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7600.16385_none_33fa4336c49b998b\rundll32.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..-autoplay.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a1d4307bca6a5149\wmlaunch.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_698ac5bc9a8c1572\rasautou.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..on0viewer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_86f4799f9ab76989\ui0detect.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-x..ocess-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_80b5153e9fe9902a\xwizard.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922\CertEnrollCtrl.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\caspol.exe.config	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd\winload.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ow-gadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e45ff59acede6483\WMPSideShowGadget.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..servicing.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7eeda9330046e57\bfsvc.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\qappsrv.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-datasvcutil_31bf3856ad364e35_6.1.7601.17514_none_ed7ce39bb395c4e0\DataSvcUtil.exe.config	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-whoami.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6dab9b521bcf66ce\whoami.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_2a716ffd9b872f68\whoami.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-addinprocess_31bf3856ad364e35_6.1.7601.17514_none_8ebd3037635a8b2f\AddInProcess.exe.config	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_c2923be900f968f5\ar-SA_BitLockerToGo.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-extrac32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_961939f0c814a5e2\extrac32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e687bd72ba054f0c\msinfo32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..tcmdtools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_38f0915dd93268bf\umount.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..c-journal.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e5857dc6a3ec9bf7\Journal.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ity-vault.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2136693128df197f\VaultCmd.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_950b6778f1ebf403\sdchange.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eb5ec32f73606acf\drvinst.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPPH8100.EXP	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-certutil.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fec96b363ccb6fba\certutil.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a5176554b8bbfaf\fixmapi.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.1.7600.16385_none_0703ef18cc0efa5a\vbc.exe.config	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\appcmd.exe	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-regsvr32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a40ab2ab37f0dc92\regsvr32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nput-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_452ff2515ec29218\wisptis.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-vssadmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0db705ae579fc2e9\vssadmin.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_it-it_74dbcc4d41ee8006\tracert.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a415063899c742ab\change.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-extrac32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0af5b31a529826f1\extrac32.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_he-il_3dd459ed9f63fbca\he-IL_BitLockerToGo.exe.mui	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Enumerates system info in registry 2 TTPs 42 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe

C:\Users\Admin\AppData\Local\Temp\d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe
"C:\Users\Admin\AppData\Local\Temp\d32e408d4a112a7f5e468c6563e2f5393e970e39124a562222c3c31384c478a0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-55-0x0000000000400000-0x00000000004028DB-memory.dmp

Filesize
10KB

Download
memory/1768-56-0x0000000000400000-0x00000000004028DB-memory.dmp

Filesize
10KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads