Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
23-11-2022 19:01
Static task
static1
Behavioral task
behavioral1
Sample
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
Resource
win10v2004-20221111-en
General
-
Target
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
-
Size
65KB
-
MD5
52d8201a238c77c64d11cba3777aa960
-
SHA1
944f334de509f682a5afa483275ddfea1ddd9319
-
SHA256
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961
-
SHA512
13864b55dac155221f5bd33914cee2748b1095a42b8031946db0a8aa36994cd90e17086da7f023ad840a759dd81caa8f3fb75979ade149dd7a0e1c5084fe6a38
-
SSDEEP
768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7xuMAnXMcMaJIWmS2zIzV9xD:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJw
Malware Config
Signatures
-
Drops file in Drivers directory 60 IoCs
Processes:
AE 0124 BE.exe333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exewinlogon.exewinlogon.exewinlogon.exedescription ioc process File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\it-IT AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\ja-JP AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe File created 
C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\fr-FR AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\de-DE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui AE 
0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\gm.dls AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\es-ES AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui AE 0124 BE.exe -
Executes dropped EXE 4 IoCs
Processes:
winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe — pid process: 1044 winlogon.exe; 824 AE 0124 BE.exe; 616 winlogon.exe; 1124 winlogon.exe -
Loads dropped DLL 9 IoCs
Processes:
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe, winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe, iexplore.exe — pid process: 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe; 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe; 1044 winlogon.exe; 1044 winlogon.exe; 824 AE 0124 BE.exe; 824 AE 0124 BE.exe; 616 winlogon.exe; 1124 winlogon.exe; 1836 iexplore.exe -
Drops desktop.ini file(s) 35 IoCs
Processes:
AE 0124 BE.exedescription ioc process File opened for modification C:\Windows\Downloaded Program Files\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Festival\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Sonata\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Heritage\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\assembly\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Delta\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Quirky\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Afternoon\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Cityscape\Desktop.ini AE 0124 BE.exe File opened 
for modification C:\Windows\Media\Landscape\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Savanna\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Characters\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Offline Web Pages\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Calligraphy\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Garden\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Fonts\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Raga\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AE 0124 BE.exe -
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
winlogon.exeAE 0124 BE.exedescription ioc process File opened for modification \??\Q:\Autorun.inf winlogon.exe File opened for modification \??\H:\Autorun.inf winlogon.exe File opened for modification \??\I:\Autorun.inf winlogon.exe File opened for modification \??\R:\Autorun.inf winlogon.exe File opened for modification \??\T:\Autorun.inf winlogon.exe File opened for modification \??\X:\Autorun.inf winlogon.exe File opened for modification \??\F:\Autorun.inf winlogon.exe File opened for modification \??\O:\Autorun.inf winlogon.exe File opened for modification \??\G:\Autorun.inf winlogon.exe File opened for modification \??\J:\Autorun.inf winlogon.exe File opened for modification \??\L:\Autorun.inf winlogon.exe File opened for modification \??\M:\Autorun.inf winlogon.exe File opened for modification \??\P:\Autorun.inf winlogon.exe File opened for modification \??\W:\Autorun.inf winlogon.exe File opened for modification C:\Autorun.inf winlogon.exe File opened for modification \??\E:\Autorun.inf winlogon.exe File opened for modification \??\Z:\Autorun.inf winlogon.exe File opened for modification \??\N:\Autorun.inf winlogon.exe File opened for modification \??\S:\Autorun.inf winlogon.exe File opened for modification \??\U:\Autorun.inf winlogon.exe File opened for modification \??\V:\Autorun.inf winlogon.exe File opened for modification \??\Y:\Autorun.inf winlogon.exe File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf AE 0124 BE.exe File opened for modification D:\Autorun.inf winlogon.exe File opened for modification \??\K:\Autorun.inf winlogon.exe -
Drops file in System32 directory 64 IoCs
Processes:
AE 0124 BE.exedescription ioc process File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\rstrtmgr.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\ubpm.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\netvfx64.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3 AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrParwdm.sys AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1.INI AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfBidi.ini AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\EP0NGJ8C.GPD AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAPE-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\en-US\prnca00f.inf_loc AE 0124 BE.exe File opened for 
modification C:\Windows\System32\DriverStore\en-US\prnsv003.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\net8187se64.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_neutral_ab477c4d805d044f AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\Amd64\EP7PII02.INI AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot2\edb006C1.log AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\clusapi.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\netcorehc.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\d3d8.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\vcamp110.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\prnbr006.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21 AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ak.bcm AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\taskmgr.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\bth.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrEvIF.dll AE 0124 BE.exe File opened for modification 
C:\Windows\SysWOW64\wlgpclnt.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\agp.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmati.inf_amd64_neutral_ded8f26cdee953c3 AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\BRMF67CD.GPD AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp309apm.icc AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1332E3.PPD AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\termdd.sys AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS50006.GPD AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\browseui.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\esentprf.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\imapi2.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\authui.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\acpipmi.inf 
AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_neutral_e68956e24e287714\mdmags64.inf AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\prnep00l.inf AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\OK9IBRES.DLL AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\Vault.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993 AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpfstw73.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\prnkm003.PNF AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\imapi.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-InboxGames-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrBidiIf.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1UR.DLL AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\hdaudio.inf AE 0124 BE.exe File opened for modification 
C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_neutral_1874f16002601f78\mdmgl004.inf AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\PortableDeviceTypes.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\sechost.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_74_for_KB2731771~31bf3856ad364e35~amd64~~6.1.1.1.cat AE 0124 BE.exe -
Drops file in Windows directory 64 IoCs
Processes:
AE 0124 BE.exedescription ioc process File opened for modification C:\Windows\Cursors\busy_rm.cur AE 0124 BE.exe File opened for modification C:\Windows\ehome\ehui.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.mum AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.config AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data\1.0.0.0__89845dcd8080cc91 AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\005810b5e7d8802575d07878997d434d\ehiVidCtl.ni.dll AE 0124 BE.exe File opened for modification C:\Windows\inf\megasr.inf AE 0124 BE.exe File opened for modification C:\Windows\Installer\37ddd.msi AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum AE 0124 BE.exe File opened for modification C:\Windows\Fonts\ITCBLKAD.TTF AE 0124 BE.exe File opened for modification C:\Windows\inf\BITS\0410 AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Common\v4.0_4.0.0.0__b03f5f7f11d50a3a AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.de.resx AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx AE 0124 BE.exe File opened for modification 
C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Printing\836fe321118ff3c6c51adccf758d138b\System.Printing.ni.dll AE 0124 BE.exe File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th0 AE 0124 BE.exe File opened for modification C:\Windows\Media\Characters\Windows Battery Low.wav AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IO.Cf61e09c5#\3c3f44d41ceb01ea13849ef84db1a9c7 AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderSchema.sql AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_64\System.EnterpriseServices AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat AE 0124 BE.exe File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_1 AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\en-US\ServiceModelEvents.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\Help\mui\0411\rsop.CHM AE 0124 BE.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001} AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.tlb AE 0124 BE.exe File opened for modification 
C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~it-IT~7.1.7601.16492.mum AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr-FR AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files AE 0124 BE.exe File opened for modification C:\Windows\Help\Windows\ja-JP\medexp.h1s AE 0124 BE.exe File opened for modification C:\Windows\inf\MSDTC\0410\msdtcprf.ini AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.CompilerServices.VisualC.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\1036\cscompui.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.default AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_MSIL\SYSTEM.CONFIGURATION.resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Configuration.resources.dll AE 0124 BE.exe File opened for modification C:\Windows\ehome\CreateDisc\Filters\AudioDepthConverter.ax AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.targets AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.mum AE 0124 BE.exe File opened for modification C:\Windows\Help\Windows\en-US\seccntr.h1s AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\es-ES\ServiceModelInstallRC.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\Cursors\beam_m.cur AE 0124 BE.exe File opened for 
modification C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\67215fe430cb12f890a7dc19fd53aa55\Microsoft.Build.Utilities.v4.0.ni.dll.aux AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\76d37f23cee2b392f7fdbd7ad95bc8b2 AE 0124 BE.exe File opened for modification C:\Windows\ehome\CreateDisc\SBEServerPS.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AspNetMMCExt\v4.0_4.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\f971acbc25b64dfe4d70e5b25837c780\Microsoft.VisualBasic.ni.dll AE 0124 BE.exe File opened for modification C:\Windows\Fonts\PERI____.TTF AE 0124 BE.exe File opened for modification C:\Windows\inf\machine.PNF AE 0124 BE.exe File opened for modification C:\Windows\Logs\DISM AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.default AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35 AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_it_b03f5f7f11d50a3a AE 0124 BE.exe File opened for modification C:\Windows\Boot\PCAT\ru-RU\bootmgr.exe.mui AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d2f71ff9c1208428778fe5f0d452f440000000002000000000010660000000100002000000091058a610ba4efacb013e0b475fe31f5645e76f869ee341adeba0b46657ab58c000000000e8000000002000020000000bdcd032d1c918a9e75e28e6a5a9a473c0ac7314b434efe6a411d5870be1610d620000000a0b54a25c835f445f00620ba0b8ddda7872daaa815ddc3b936dbad6ffd5bef7f4000000003b7cdc1bce553c3c3e3a597ca8d68b687c1f169c19915f785af55997372ec735ea71dc6cb98b7112e6572abdc1e4c65ccf04b99542ea17b7a6dea883326cae9 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376007088" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b095bf098affd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{334F81B1-6B7D-11ED-808D-42A98B637845} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1836 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exeiexplore.exeIEXPLORE.EXEwinlogon.exeAE 0124 BE.exewinlogon.exewinlogon.exepid process 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe 1836 iexplore.exe 1836 iexplore.exe 2040 IEXPLORE.EXE 2040 IEXPLORE.EXE 1044 winlogon.exe 824 AE 0124 BE.exe 1124 winlogon.exe 616 winlogon.exe 2040 IEXPLORE.EXE 2040 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exeiexplore.exewinlogon.exeAE 0124 BE.exedescription pid process target process PID 1980 wrote to memory of 1836 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe iexplore.exe PID 1980 wrote to memory of 1836 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe iexplore.exe PID 1980 wrote to memory of 1836 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe iexplore.exe PID 1980 wrote to memory of 1836 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe iexplore.exe PID 1836 wrote to memory of 2040 1836 iexplore.exe IEXPLORE.EXE PID 1836 wrote to memory of 2040 1836 iexplore.exe IEXPLORE.EXE PID 1836 wrote to memory of 2040 1836 iexplore.exe IEXPLORE.EXE PID 1836 wrote to memory of 2040 1836 iexplore.exe IEXPLORE.EXE PID 1980 wrote to memory of 1044 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe winlogon.exe PID 1980 wrote to memory of 1044 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe winlogon.exe PID 1980 wrote to memory of 1044 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe winlogon.exe PID 1980 wrote to memory of 1044 1980 333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe winlogon.exe PID 1044 wrote to memory of 824 1044 winlogon.exe AE 0124 BE.exe PID 1044 wrote to memory of 824 1044 winlogon.exe AE 0124 BE.exe PID 1044 wrote to memory of 824 1044 winlogon.exe AE 0124 BE.exe PID 1044 wrote to memory of 824 1044 winlogon.exe AE 0124 BE.exe PID 1044 wrote to memory of 616 1044 winlogon.exe winlogon.exe PID 1044 wrote to memory of 616 1044 winlogon.exe winlogon.exe PID 1044 wrote to memory of 616 1044 winlogon.exe winlogon.exe PID 1044 wrote to memory of 616 1044 winlogon.exe winlogon.exe PID 824 wrote to memory of 1124 824 AE 0124 BE.exe winlogon.exe PID 824 wrote to memory of 1124 824 AE 0124 BE.exe 
winlogon.exe PID 824 wrote to memory of 1124 824 AE 0124 BE.exe winlogon.exe PID 824 wrote to memory of 1124 824 AE 0124 BE.exe winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe"C:\Users\Admin\AppData\Local\Temp\333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2040 -
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\AE 0124 BE.exe"C:\Windows\AE 0124 BE.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1124 -
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:616
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DAHDLURP.txt
Filesize 603B
MD5 ec5589ca0899dff49e65f361e9a248e8
SHA1 2b89eccb0c87240c170aa6a8b3266bf7a965eb9c
SHA256 93227f4580d95a7e0bf1f00444a7c085f20c7c5264a4dd1a3911ec435fec9f83
SHA512 66c39b3d85567da156de6728c2031d0f3b5dbb24742afd6e4218e53af6e40cd6eb07b9d8de3f59b6588d70fc1441459d57950a0fe4a9d1107dd2ae5759c45ba1
-
C:\Windows\AE 0124 BE.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
C:\Windows\AE 0124 BE.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
C:\Windows\AE 0124 BE.gif
Filesize 65KB
MD5 2ca37bef72e5f44ea6c30dd2e17edb6f
SHA1 2a32d3e87ccf682e927ac429c508449a8620c0fc
SHA256 3c5d191f508d067d98074d848cdcae8c9c82d284241496bacd31a4131fe979ad
SHA512 74e99254da9b90fd08c2a47535424881a47e5fc02d680281d58bb977d1056decf527cc005e89e2d975c5816599e1f910051ab0ac1957a3f12e84ab94f363d426
-
C:\Windows\AE 0124 BE.gif
Filesize 130KB
MD5 1d5a9a45500483e64c379994b8409e2a
SHA1 3c8cde1f1df609747c8c459555dcf97fa810019a
SHA256 ef77fcd2bf62e21807be49f6dcda0aecd611f1b728cdf06fef87459e8393d722
SHA512 1554bad1b3420bf444f5e49269cf7c8ca6616dd62d2ba7ebf84b2b1a128d8e47f8a72a21721149a32ae0148965e71dac73fbc7ffee1fbb16ded5ce66cc4ccfc5
-
C:\Windows\MSVBVM60.DLL
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
\??\c:\B1uv3nth3x1.diz
Filesize 21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
-
\??\c:\B1uv3nth3x1.diz
Filesize 21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
-
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
Filesize 615KB
MD5 7b2a54732d38cd19c79c8184d6932f6f
SHA1 6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04
SHA256 76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d
SHA512 acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0
-
\Windows\SysWOW64\drivers\Msvbvm60.dll
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\drivers\Msvbvm60.dll
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
\Windows\SysWOW64\drivers\winlogon.exe
Filesize 130KB
MD5 d6b12929a06e14684711881bc0f5b3b4
SHA1 1ec2919c0c5e08420251251264a64a4aebd81ce2
SHA256 a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b
SHA512 54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e
-
memory/616-75-0x0000000000000000-mapping.dmp
-
memory/824-66-0x0000000000000000-mapping.dmp
-
memory/1044-60-0x0000000000000000-mapping.dmp
-
memory/1124-78-0x0000000000000000-mapping.dmp
-
memory/1980-56-0x0000000075981000-0x0000000075983000-memory.dmp
Filesize 8KB