ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b

Analysis

max time kernel
169s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
Size

895KB
MD5

91c74045c22cda53e2c8ce28c6b0f864
SHA1

181a3fbf00c45f02c52baae80eed10419d01bb1e
SHA256

ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b
SHA512

0e1884357b4093e66fe108595b9257bbad96962133a862b4cb8c1f828e2e0c6eb4877eef3a7719caed156b71e5aa46e3c6823ac8280aebc089b42b6c79af6756
SSDEEP

12288:4swGFtMCVAJv5/EuT0EWFOaiv5z21fx9bSjk6CUbSjXUnY7iUnY7W96I/9:hnFtBVAxPZWFOaau29kCYGCYK960

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2216-132-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2216-133-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2216-134-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HLEVAOC = "C:\\Windows\\HLEVAOCBP.EXE"	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\en-US\ODBCCONF.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\RPCPING.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\WWAHOST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\WEXTRACT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\RDPSA.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\WINRTNETMUAHOSTSERVER.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CONTROL.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEMINFO.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DIALER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\WWAHOST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\WMIC.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\F12\it-IT\IECHOOSER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DISM.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\GAMEPANEL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\BOOTCFG.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEMPROPERTIESCOMPUTERNAME.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\USER.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\RSTRUI.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SXSTRACE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\FIND.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SVCHOST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\IEXPRESS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\IEXPRESS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\SECEDIT.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CREDWIZ.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\en-US\EVENTVWR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SECINIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\RPCPING.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\SHRPUBW.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\TAPIUNATTEND.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CSCRIPT.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\en-US\FIXMAPI.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\POQEXEC.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\bg-BG\QUICKASSIST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CONVERT.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\IEUNATT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\NETSH.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\HOSTNAME.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CACLS.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CAMERASETTINGSUIHOST.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\RSTRUI.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\SCHTASKS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\lv-LV\QUICKASSIST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CURL.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\en-US\MSPAINT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\WINVER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\MOBSYNC.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\TRACERPT.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CLIP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CMDKEY.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CLOUDNOTIFICATIONS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\REGISTER-CIMPROVIDER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\LAUNCHWINAPP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\CSRSS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\TASKLIST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\RASAUTOU.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\REGSVR32.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\TSWPFWRP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\CMMON32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\EUDCEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\PROQUOTA.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\WINRSHOST.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\HELP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\X86_MICROSOFT-WINDOWS-B..AGER-PCAT.RESOURCES_31BF3856AD364E35_10.0.19041.1_PT-PT_7BD241AC79147D55_BOOTMGR.EXE.MUI_C434701F	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\X86_MICROSOFT-WINDOWS-B..AGER-PCAT.RESOURCES_31BF3856AD364E35_10.0.19041.1_UK-UA_A35D6AD33B0C3E19_BOOTMGR.EXE.MUI_C434701F	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\fr-FR\HH.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-V..SKSERVICE.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_AF1113FD9CFE31C0_VDS.EXE.MUI_2268D934	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\HELPPANE.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Speech\Common\fr-FR\SAPISVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SystemResources\SHRPUBW.EXE.MUN	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-S..ONTROLLER.RESOURCES_31BF3856AD364E35_10.0.19041.1_EN-US_1FEE549AC552B43C_SERVICES.EXE.MUI_86EA5E71	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-V..SKSERVICE.RESOURCES_31BF3856AD364E35_10.0.19041.1_JA-JP_86D2322D49223CE5_VDS.EXE.MUI_2268D934	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-WMI-CORE.RESOURCES_31BF3856AD364E35_10.0.19041.1_JA-JP_B988E3F5244C4507_MOFCOMP.EXE.MUI_35BADF56	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\en-US\NOTEPAD.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\fr-FR\WINHLP32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-W..GON-TOOLS.RESOURCES_31BF3856AD364E35_10.0.19041.1_IT-IT_5848673EFB3C9CE2_WLRMDR.EXE.MUI_EE563C83	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-WINLOGON_31BF3856AD364E35_10.0.19041.1266_NONE_E488D49C8A22D21E_WINLOGON.EXE_AC37D0C5	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\WOW64_MICROSOFT-WINDOWS-SETUPAPI_31BF3856AD364E35_10.0.19041.1237_NONE_B40CBFE2AFD2C015_WOWREG32.EXE_94FC2D06	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\X86_MICROSOFT-WINDOWS-B..AGER-PCAT.RESOURCES_31BF3856AD364E35_10.0.19041.1_FR-FR_1BD70E9EFFEA17E1_BOOTMGR.EXE.MUI_C434701F	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-B..OS-LOADER.RESOURCES_31BF3856AD364E35_10.0.19041.1_IT-IT_B93490B34D8C4A73_WINLOAD.EXE.MUI_3BC5B827	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-SECURITY-SPP.RESOURCES_31BF3856AD364E35_10.0.19041.1_EN-US_52B90495D63821CA_SPPSVC.EXE.MUI_40875A72	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-LUA.RESOURCES_31BF3856AD364E35_10.0.19041.1_JA-JP_D34C1FBCC8F298B0_CONSENT.EXE.MUI_2EB3B9DB	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-WINLOGON.RESOURCES_31BF3856AD364E35_10.0.19041.1151_EN-US_3FC8A69AB94012F6_WINLOGON.EXE.MUI_3280FC46	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\bg-BG\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\pt-PT\MEMTEST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\et-EE\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-APPID_31BF3856AD364E35_10.0.19041.1202_NONE_CC0C3D35675DA3A1_APPIDCERTSTORECHECK.EXE_03352F5F	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-RASAUTO-MUI.RESOURCES_31BF3856AD364E35_10.0.19041.1_JA-JP_ABF2F270A2E2FDD5_RASAUTOU.EXE.MUI_55686A97	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\WOW64_MICROSOFT-WINDOWS-B..IAGNOSTIC.RESOURCES_31BF3856AD364E35_10.0.19041.1_CS-CZ_33D8C3DA77D0026D_MEMTEST.EXE.MUI_77B8CBCC	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\es-ES\EXPLORER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-LSA-MINWIN_31BF3856AD364E35_10.0.19041.1266_NONE_B2317523477FBD48_LSASS.EXE_682060DE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-A..LLSERVICE.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_6ACE49AC53B0C2DE_AXINSTUI.EXE.MUI_AEA34130	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-U..N-CMDLINE.RESOURCES_31BF3856AD364E35_10.0.19041.1_FR-FR_281147E45FDFF648_DSREGCMD.EXE.MUI_8CE2C638	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-U..N-CMDLINE.RESOURCES_31BF3856AD364E35_10.0.19041.1_IT-IT_12393E2B3711DBC6_DSREGCMD.EXE.MUI_8CE2C638	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\fr-FR\MEMTEST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ja-JP\HH.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\it-IT\BFSVC.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-WMI-CORE.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_E1C7C5C5782839E2_WMIAPSRV.EXE.MUI_B1567840	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\WOW64_MICROSOFT-WINDOWS-WMI-CORE.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_EC1C7017AC88FBDD_MOFCOMP.EXE.MUI_35BADF56	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\nb-NO\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\qps-ploc\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-S..ONTROLLER.RESOURCES_31BF3856AD364E35_10.0.19041.1_JA-JP_4EBE9CD18298B39C_SERVICES.EXE.MUI_86EA5E71	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\WPCUAPAPP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-RASAUTO-MUI.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_D431D440F6BEF2B0_RASAUTOU.EXE.MUI_55686A97	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\WOW64_MICROSOFT-WINDOWS-B..IAGNOSTIC.RESOURCES_31BF3856AD364E35_10.0.19041.1_EL-GR_76D466D05F01BB94_MEMTEST.EXE.MUI_77B8CBCC	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\MEMTEST.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-A..STRUCTURE.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_0528803147204D22_SDBINST.EXE.MUI_258AD624	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-V..SKSERVICE.RESOURCES_31BF3856AD364E35_10.0.19041.1_ES-ES_57CD46DA8C032F2A_VDS.EXE.MUI_2268D934	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_WINDOWS-DEFENDER-SERVICE_31BF3856AD364E35_10.0.19041.746_NONE_A39F6D9AB59BD8B7_MSMPENG.EXE_2F1C6923	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\WOW64_MICROSOFT-WINDOWS-B..IAGNOSTIC.RESOURCES_31BF3856AD364E35_10.0.19041.1_KO-KR_496934220E812541_MEMTEST.EXE.MUI_77B8CBCC	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\el-GR\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-I..R_SERVICE.RESOURCES_31BF3856AD364E35_10.0.19041.1_JA-JP_9776D7F5085FE75B_ISCSICLI.EXE.MUI_64C0A23C	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-A..STRUCTURE.RESOURCES_31BF3856AD364E35_10.0.19041.1_IT-IT_3AC41F540029466C_SDBINST.EXE.MUI_258AD624	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-B..VIRONMENT-OS-LOADER_31BF3856AD364E35_10.0.19041.1266_NONE_CFEC8DB821D83671_WINLOAD.EXE_75835076	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-WINLOGON.RESOURCES_31BF3856AD364E35_10.0.19041.1_IT-IT_0D9468386D9EE63A_WINLOGON.EXE.MUI_3280FC46	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\uk-UA\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Speech\Common\es-ES\SAPISVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ja-JP\WINHLP32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-U..N-CMDLINE.RESOURCES_31BF3856AD364E35_10.0.19041.1_DE-DE_DC9D9F087E08E27C_DSREGCMD.EXE.MUI_8CE2C638	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\WOW64_MICROSOFT-WINDOWS-SERVICES-SVCHOST_31BF3856AD364E35_10.0.19041.546_NONE_9E094AF3987DCA57_SVCHOST.EXE_4DD0F0BC	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\lv-LV\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\it-IT\EXPLORER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\servicing\ja-JP\TRUSTEDINSTALLER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-I..R_SERVICE.RESOURCES_31BF3856AD364E35_10.0.19041.1_FR-FR_0B2962A13E12F002_ISCSICLI.EXE.MUI_64C0A23C	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMD64_MICROSOFT-WINDOWS-WININIT.RESOURCES_31BF3856AD364E35_10.0.19041.1_FR-FR_9DD9712C9CDDD429_WININIT.EXE.MUI_997435F5	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\en-US\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\es-MX\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
612	2216	WerFault.exe	79

C:\Users\Admin\AppData\Local\Temp\ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
"C:\Users\Admin\AppData\Local\Temp\ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 392
  2⤵
  - Program crash
  PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2216 -ip 2216
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2216-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2216-134-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download