333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
Size

65KB
MD5

52d8201a238c77c64d11cba3777aa960
SHA1

944f334de509f682a5afa483275ddfea1ddd9319
SHA256

333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961
SHA512

13864b55dac155221f5bd33914cee2748b1095a42b8031946db0a8aa36994cd90e17086da7f023ad840a759dd81caa8f3fb75979ade149dd7a0e1c5084fe6a38
SSDEEP

768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7xuMAnXMcMaJIWmS2zIzV9xD:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJw

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

Processes:

AE 0124 BE.exe333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

Processes:

winlogon.exeAE 0124 BE.exewinlogon.exewinlogon.exe

pid process

1044 winlogon.exe
824 AE 0124 BE.exe
616 winlogon.exe
1124 winlogon.exe

pid	process
1044	winlogon.exe
824	AE 0124 BE.exe
616	winlogon.exe
1124	winlogon.exe

Loads dropped DLL 9 IoCs

Processes:

333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exewinlogon.exeAE 0124 BE.exewinlogon.exewinlogon.exeiexplore.exe

pid	process
1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
1044	winlogon.exe
1044	winlogon.exe
824	AE 0124 BE.exe
824	AE 0124 BE.exe
616	winlogon.exe
1124	winlogon.exe
1836	iexplore.exe

Drops desktop.ini file(s) 35 IoCs

Processes:

AE 0124 BE.exe

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 25 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

winlogon.exeAE 0124 BE.exe

description	ioc	process
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

Processes:

AE 0124 BE.exe

description	ioc	process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\rstrtmgr.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ubpm.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netvfx64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrParwdm.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1.INI	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfBidi.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\EP0NGJ8C.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAPE-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnca00f.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnsv003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\net8187se64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_neutral_ab477c4d805d044f	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\Amd64\EP7PII02.INI	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C1.log	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\clusapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\netcorehc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\d3d8.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\vcamp110.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnbr006.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ak.bcm	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\taskmgr.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\bth.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrEvIF.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wlgpclnt.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\agp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmati.inf_amd64_neutral_ded8f26cdee953c3	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\BRMF67CD.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp309apm.icc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1332E3.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\termdd.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS50006.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\browseui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\esentprf.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\imapi2.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\authui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\acpipmi.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_neutral_e68956e24e287714\mdmags64.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\prnep00l.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\OK9IBRES.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Vault.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpfstw73.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\prnkm003.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\imapi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-InboxGames-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrBidiIf.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1UR.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\hdaudio.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_neutral_1874f16002601f78\mdmgl004.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\PortableDeviceTypes.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_74_for_KB2731771~31bf3856ad364e35~amd64~~6.1.1.1.cat	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

Processes:

AE 0124 BE.exe

description	ioc	process
File opened for modification	C:\Windows\Cursors\busy_rm.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\ehui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.config	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data\1.0.0.0__89845dcd8080cc91	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\005810b5e7d8802575d07878997d434d\ehiVidCtl.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\megasr.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\37ddd.msi	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\ITCBLKAD.TTF	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\BITS\0410	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Common\v4.0_4.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.de.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Printing\836fe321118ff3c6c51adccf758d138b\System.Printing.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Windows Battery Low.wav	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IO.Cf61e09c5#\3c3f44d41ceb01ea13849ef84db1a9c7	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderSchema.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\en-US\ServiceModelEvents.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0411\rsop.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.tlb	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~it-IT~7.1.7601.16492.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\medexp.h1s	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\MSDTC\0410\msdtcprf.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.CompilerServices.VisualC.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1036\cscompui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.default	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SYSTEM.CONFIGURATION.resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Configuration.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Filters\AudioDepthConverter.ax	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.targets	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\Windows\en-US\seccntr.h1s	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\es-ES\ServiceModelInstallRC.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\beam_m.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\67215fe430cb12f890a7dc19fd53aa55\Microsoft.Build.Utilities.v4.0.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\76d37f23cee2b392f7fdbd7ad95bc8b2	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SBEServerPS.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AspNetMMCExt\v4.0_4.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\f971acbc25b64dfe4d70e5b25837c780\Microsoft.VisualBasic.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\PERI____.TTF	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\machine.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\Logs\DISM	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.default	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_it_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\ru-RU\bootmgr.exe.mui	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d2f71ff9c1208428778fe5f0d452f440000000002000000000010660000000100002000000091058a610ba4efacb013e0b475fe31f5645e76f869ee341adeba0b46657ab58c000000000e8000000002000020000000bdcd032d1c918a9e75e28e6a5a9a473c0ac7314b434efe6a411d5870be1610d620000000a0b54a25c835f445f00620ba0b8ddda7872daaa815ddc3b936dbad6ffd5bef7f4000000003b7cdc1bce553c3c3e3a597ca8d68b687c1f169c19915f785af55997372ec735ea71dc6cb98b7112e6572abdc1e4c65ccf04b99542ea17b7a6dea883326cae9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d2f71ff9c1208428778fe5f0d452f4400000000020000000000106600000001000020000000a40c41d05dd86ea3e410b9196c3962233159467953209ed64fd27dfc02daadf4000000000e8000000002000020000000a0266d4f7ce29d22e387f4dd47e9e7bb4ab54255aa35a9c2d11fc6b3b6aa0e6290000000f4bec6a4dd8a09a89a73ca451dd64fd9d486631c7a0d72945f06ab0f30ff40e81af9c103eb8dd6a9d0598f1d0bab8ace08b8e9efbee866298948dd88b67cde13b4c27fd5e776322201a96727858aca69b112a167e6c386ab59388935a3f377140647a1659ae8bd89fbc658327623f82d41a437314cdb1053f43b653a680d81f66ea5848f15c1021ceaba9cd4448d4d2e40000000b9add300137ead019fe10486aac82e08cf3aa7d9b316e7642fd8e42317b49f29c4d5c856bb25845ece00b11f51001fa95ffba600d951088f75ca5be25750ffc1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376007088"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b095bf098affd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{334F81B1-6B7D-11ED-808D-42A98B637845} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1836 iexplore.exe

pid	process
1836	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exeiexplore.exeIEXPLORE.EXEwinlogon.exeAE 0124 BE.exewinlogon.exewinlogon.exe

pid	process
1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
1836	iexplore.exe
1836	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
1044	winlogon.exe
824	AE 0124 BE.exe
1124	winlogon.exe
616	winlogon.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exeiexplore.exewinlogon.exeAE 0124 BE.exe

description	pid	process	target process
PID 1980 wrote to memory of 1836	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	iexplore.exe
PID 1980 wrote to memory of 1836	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	iexplore.exe
PID 1980 wrote to memory of 1836	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	iexplore.exe
PID 1980 wrote to memory of 1836	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	iexplore.exe
PID 1836 wrote to memory of 2040	1836	iexplore.exe	IEXPLORE.EXE
PID 1836 wrote to memory of 2040	1836	iexplore.exe	IEXPLORE.EXE
PID 1836 wrote to memory of 2040	1836	iexplore.exe	IEXPLORE.EXE
PID 1836 wrote to memory of 2040	1836	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1044	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	winlogon.exe
PID 1980 wrote to memory of 1044	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	winlogon.exe
PID 1980 wrote to memory of 1044	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	winlogon.exe
PID 1980 wrote to memory of 1044	1980	333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe	winlogon.exe
PID 1044 wrote to memory of 824	1044	winlogon.exe	AE 0124 BE.exe
PID 1044 wrote to memory of 824	1044	winlogon.exe	AE 0124 BE.exe
PID 1044 wrote to memory of 824	1044	winlogon.exe	AE 0124 BE.exe
PID 1044 wrote to memory of 824	1044	winlogon.exe	AE 0124 BE.exe
PID 1044 wrote to memory of 616	1044	winlogon.exe	winlogon.exe
PID 1044 wrote to memory of 616	1044	winlogon.exe	winlogon.exe
PID 1044 wrote to memory of 616	1044	winlogon.exe	winlogon.exe
PID 1044 wrote to memory of 616	1044	winlogon.exe	winlogon.exe
PID 824 wrote to memory of 1124	824	AE 0124 BE.exe	winlogon.exe
PID 824 wrote to memory of 1124	824	AE 0124 BE.exe	winlogon.exe
PID 824 wrote to memory of 1124	824	AE 0124 BE.exe	winlogon.exe
PID 824 wrote to memory of 1124	824	AE 0124 BE.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe
"C:\Users\Admin\AppData\Local\Temp\333194cfa62775ba7721a1a327f270c9fea9302ce575f3affc49098a0da0f961.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\AE 0124 BE.exe
"C:\Windows\AE 0124 BE.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DAHDLURP.txt
Filesize
603B

MD5
ec5589ca0899dff49e65f361e9a248e8

SHA1
2b89eccb0c87240c170aa6a8b3266bf7a965eb9c

SHA256
93227f4580d95a7e0bf1f00444a7c085f20c7c5264a4dd1a3911ec435fec9f83

SHA512
66c39b3d85567da156de6728c2031d0f3b5dbb24742afd6e4218e53af6e40cd6eb07b9d8de3f59b6588d70fc1441459d57950a0fe4a9d1107dd2ae5759c45ba1

Download Submit
C:\Windows\AE 0124 BE.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
C:\Windows\AE 0124 BE.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
C:\Windows\AE 0124 BE.gif
Filesize
65KB

MD5
2ca37bef72e5f44ea6c30dd2e17edb6f

SHA1
2a32d3e87ccf682e927ac429c508449a8620c0fc

SHA256
3c5d191f508d067d98074d848cdcae8c9c82d284241496bacd31a4131fe979ad

SHA512
74e99254da9b90fd08c2a47535424881a47e5fc02d680281d58bb977d1056decf527cc005e89e2d975c5816599e1f910051ab0ac1957a3f12e84ab94f363d426

Download Submit
C:\Windows\AE 0124 BE.gif
Filesize
130KB

MD5
1d5a9a45500483e64c379994b8409e2a

SHA1
3c8cde1f1df609747c8c459555dcf97fa810019a

SHA256
ef77fcd2bf62e21807be49f6dcda0aecd611f1b728cdf06fef87459e8393d722

SHA512
1554bad1b3420bf444f5e49269cf7c8ca6616dd62d2ba7ebf84b2b1a128d8e47f8a72a21721149a32ae0148965e71dac73fbc7ffee1fbb16ded5ce66cc4ccfc5

Download Submit
C:\Windows\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
\??\c:\B1uv3nth3x1.diz
Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\??\c:\B1uv3nth3x1.diz
Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
Filesize
615KB

MD5
7b2a54732d38cd19c79c8184d6932f6f

SHA1
6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04

SHA256
76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d

SHA512
acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0

Download Submit
\Windows\SysWOW64\drivers\Msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\drivers\Msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
d6b12929a06e14684711881bc0f5b3b4

SHA1
1ec2919c0c5e08420251251264a64a4aebd81ce2

SHA256
a27e8211f8b90a853264621ed322ecfe4544f99c118e99ec22d9691eeb2a561b

SHA512
54363a4b1f3b5336a924fa831b5eabb02fbee05ecb2936ba6959fceb09faaa0852355de8c9b9b19ec2522971e3f9938cbda6f6ad9fa9f587f1ce0f79b2a3b96e

Download Submit
memory/616-75-0x0000000000000000-mapping.dmp

Download
memory/824-66-0x0000000000000000-mapping.dmp

Download
memory/1044-60-0x0000000000000000-mapping.dmp

Download
memory/1124-78-0x0000000000000000-mapping.dmp

Download
memory/1980-56-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download