d8873820dc6738da23942e9006b034b1fcd521f5b2230925090b9ff90f053127

Analysis

max time kernel
129s
max time network
124s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usb-autorun-creator-2-installer_8R94y-1.exe
Size

1.7MB
MD5

970fa8ed7e42fe0f567809ed98ad4f52
SHA1

0002acc8e28775bb6c934d26f78ee72beab71b15
SHA256

d8873820dc6738da23942e9006b034b1fcd521f5b2230925090b9ff90f053127
SHA512

b45de9e851608451193fc8f63dac4cfa7a7581c26908d09d0866700d80260c52f4628b0cf10b9c55d8d2caa96a16669a68b8fde441ffa3246fb422e98c01c014
SSDEEP

24576:r4nXubIQGyxbPV0db26WhEf+K421t0YKbDVfcqOlsoO0drNBuLy1zoHf2MPyY:rqe3f6J75leDlMlsRmpgtfKY

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2044	usb-autorun-creator-2-installer_8R94y-1.tmp
552	usb-autorun-creator-2-installer.exe
928	SETUP.EXE
1612	VIS32X.EXE
1000	USBsupervisor.exe
1148	USBACEditor.exe

Loads dropped DLL 31 IoCs

pid	Process
1304	usb-autorun-creator-2-installer_8R94y-1.exe
2044	usb-autorun-creator-2-installer_8R94y-1.tmp
2044	usb-autorun-creator-2-installer_8R94y-1.tmp
552	usb-autorun-creator-2-installer.exe
552	usb-autorun-creator-2-installer.exe
928	SETUP.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1092	REGSVR32.EXE
996	REGSVR32.EXE
1388	REGSVR32.EXE
1612	VIS32X.EXE
1612	VIS32X.EXE
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\USBsupervisor = "C:\\Program Files (x86)\\SamLogic\\USB Supervisor\\USBsupervisor.exe"	VIS32X.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AUTORUN.INF	USBACEditor.exe
File opened for modification	C:\AUTORUN.INF	USBACEditor.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\temp.000	VIS32X.EXE
File opened for modification	\??\c:\windows\SysWOW64\MSVBVM60.dll	VIS32X.EXE
File opened for modification	\??\c:\windows\SysWOW64\temp.000	VIS32X.EXE
File created	\??\c:\windows\SysWOW64\temp.001	VIS32X.EXE
File created	\??\c:\windows\SysWOW64\XAPI2000X.dll	VIS32X.EXE

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f13.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f4.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f6.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f8.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f1.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f11.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f9.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f1.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Information.txt	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\pad_file.xml	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f7.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f7.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f5.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f12.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f0.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f3.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f3.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditorEng-SmallOffice.chm	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f6.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f9.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f10.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f8.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f12.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f5.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f13.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB Supervisor\Information.txt	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\Overview\USBAC-SmallOffice-Overview-Eng.pdf	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Vinstall.log	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f2.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f0.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB Supervisor\Information.txt	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\Release\temp.000	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f4.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f10.fil	VIS32X.EXE
File opened for modification	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f2.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f11.fil	VIS32X.EXE
File created	C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditor.exe	VIS32X.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\VIREG32.EXE	SETUP.EXE
File created	C:\Windows\temp.000	SETUP.EXE
File created	C:\Windows\VIXUNIN.EXE.manifest	SETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	usb-autorun-creator-2-installer_8R94y-1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	usb-autorun-creator-2-installer_8R94y-1.tmp

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8F21CBF1-6FE8-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	REGSVR32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	USBACEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EB78CFC-C7E9-46D4-8C09-DAC72FCAD40A}\TypeLib\ = "{0F2772F3-A126-4D20-917C-C4B8870FAEF9}"	REGSVR32.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	USBACEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9FCB2C8-CC3E-4A35-927E-A7DA78802FFE}\Version	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	REGSVR32.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	USBACEditor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	USBACEditor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9FCB2C8-CC3E-4A35-927E-A7DA78802FFE}\ = "SamLogic XPButton Control"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	REGSVR32.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	USBACEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EB78CFC-C7E9-46D4-8C09-DAC72FCAD40A}\ = "_DSLXButn"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9FCB2C8-CC3E-4A35-927E-A7DA78802FFE}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	USBACEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS\ = "2"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EB78CFC-C7E9-46D4-8C09-DAC72FCAD40A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SLXBUTN.SLXButnCtrl.1	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "c:\\windows\\SysWow64\\Comdlg32.ocx"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Print Property Page Object"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{426E17DE-E303-4D05-AA2B-19E097D16E11}\TypeLib\ = "{0F2772F3-A126-4D20-917C-C4B8870FAEF9}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	REGSVR32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	USBACEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\ = "Microsoft Common Dialog Control, version 6.0 (SP6)"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Color Property Page Object"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "c:\\windows\\SysWow64\\Comdlg32.ocx"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EB78CFC-C7E9-46D4-8C09-DAC72FCAD40A}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1EB78CFC-C7E9-46D4-8C09-DAC72FCAD40A}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "c:\\windows\\SysWow64\\Comdlg32.ocx"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F2772F3-A126-4D20-917C-C4B8870FAEF9}\1.0\FLAGS	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EB78CFC-C7E9-46D4-8C09-DAC72FCAD40A}\ProxyStubClsid32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{426E17DE-E303-4D05-AA2B-19E097D16E11}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID\ = "MSComDlg.CommonDialog"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9FCB2C8-CC3E-4A35-927E-A7DA78802FFE}\MiscStatus\1\ = "135569"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "c:\\windows\\SysWow64\\Comdlg32.ocx"	REGSVR32.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	USBACEditor.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	usb-autorun-creator-2-installer_8R94y-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	usb-autorun-creator-2-installer_8R94y-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	usb-autorun-creator-2-installer_8R94y-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	usb-autorun-creator-2-installer_8R94y-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	usb-autorun-creator-2-installer_8R94y-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	usb-autorun-creator-2-installer_8R94y-1.tmp

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1812	NOTEPAD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1932	AUDIODG.EXE
Token: 33	1932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1932	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2044	usb-autorun-creator-2-installer_8R94y-1.tmp
624	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1612	VIS32X.EXE
1612	VIS32X.EXE
1000	USBsupervisor.exe
1000	USBsupervisor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
1148	USBACEditor.exe
624	iexplore.exe
624	iexplore.exe
112	IEXPLORE.EXE
112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 1304 wrote to memory of 2044	1304	usb-autorun-creator-2-installer_8R94y-1.exe	27
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 2044 wrote to memory of 552	2044	usb-autorun-creator-2-installer_8R94y-1.tmp	28
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 552 wrote to memory of 928	552	usb-autorun-creator-2-installer.exe	29
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 928 wrote to memory of 1612	928	SETUP.EXE	30
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 1092	1612	VIS32X.EXE	31
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 996	1612	VIS32X.EXE	32
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1388	1612	VIS32X.EXE	33
PID 1612 wrote to memory of 1000	1612	VIS32X.EXE	34
PID 1612 wrote to memory of 1000	1612	VIS32X.EXE	34
PID 1612 wrote to memory of 1000	1612	VIS32X.EXE	34
PID 1612 wrote to memory of 1000	1612	VIS32X.EXE	34
PID 624 wrote to memory of 112	624	iexplore.exe	42
PID 624 wrote to memory of 112	624	iexplore.exe	42
PID 624 wrote to memory of 112	624	iexplore.exe	42
PID 624 wrote to memory of 112	624	iexplore.exe	42

C:\Users\Admin\AppData\Local\Temp\usb-autorun-creator-2-installer_8R94y-1.exe
"C:\Users\Admin\AppData\Local\Temp\usb-autorun-creator-2-installer_8R94y-1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\is-6RPV8.tmp\usb-autorun-creator-2-installer_8R94y-1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6RPV8.tmp\usb-autorun-creator-2-installer_8R94y-1.tmp" /SL5="$80022,874175,831488,C:\Users\Admin\AppData\Local\Temp\usb-autorun-creator-2-installer_8R94y-1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe
    "C:\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE
      "C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\VISETUP\VIS32X.EXE
        
        C:\Users\Admin\AppData\Local\Temp\VISETUP\VIS32X.EXE C:\Users\Admin\AppData\Local\Temp\VIEXPAND
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\REGSVR32.EXE
        
        C:\Windows\system32\REGSVR32.EXE "c:\windows\system32\Comdlg32.ocx" -s
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1092
      - C:\Windows\SysWOW64\REGSVR32.EXE
        
        C:\Windows\system32\REGSVR32.EXE "c:\windows\system32\SLXButn.ocx" -s
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:996
      - C:\Windows\SysWOW64\REGSVR32.EXE
        
        C:\Windows\system32\REGSVR32.EXE "c:\windows\system32\Comdlg32.ocx" -s
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1388
      - C:\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe
        
        "C:\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditor.exe
"C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\vcredist2010_x86.log.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:112

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\AUTORUN.INF
1⤵
- Opens file in notepad (likely ransom note)
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditor.exe

Filesize
606KB

MD5
a083258807bf74022d1366918c14cb8e

SHA1
3e81b89dc598bf996c3d0b6fd26c254b9d1ec456

SHA256
9eb1010d1724d8266d5c388804da51632c1bbfadd73402c4512d7625e751ea96

SHA512
8829db50ceb6f51f16e337f0701fbeee796192c0350b34ea790319788e774c4499f7883e09c43fa05be3979c3f773e2444c5f1c1e284dd8e29331609589ab48c

Download Submit
C:\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditor.exe

Filesize
606KB

MD5
a083258807bf74022d1366918c14cb8e

SHA1
3e81b89dc598bf996c3d0b6fd26c254b9d1ec456

SHA256
9eb1010d1724d8266d5c388804da51632c1bbfadd73402c4512d7625e751ea96

SHA512
8829db50ceb6f51f16e337f0701fbeee796192c0350b34ea790319788e774c4499f7883e09c43fa05be3979c3f773e2444c5f1c1e284dd8e29331609589ab48c

Download Submit
C:\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
C:\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\VISETUP\ENGLIS~1.LNG

Filesize
13KB

MD5
535e249fc5ba67b1d4f727bf6c440c3d

SHA1
92f077a44aa21ac5f416ec34940ea5ff4372dc27

SHA256
1740c4ba0d370f59acd114652861aab387ad0007bdfe912f18474447a8e65634

SHA512
6672b374c95dfb1b43a2dcd6f1a100be1785a9221f92718ee2210b127c83c8c8a891d419220503dda135894449fa48b34aa7ae62f443315f00b6c892b6aa3966

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\DESOBJ.DAT

Filesize
85KB

MD5
9a9f32bfffd888a803f35361a9efd2e8

SHA1
94a2b15f02c20a0cdeaf049401ae1f0d77214fff

SHA256
018daf1813ef85d7295a5395400bb801422fc10f79e9ff4a3fe6a96dee3519ee

SHA512
07ddda4b36e8b83ae5612cd49a55c85eb3b6cb5d23ff0dfe699d019516f9c1bfea88f4979d7d7a959af237441dd856af135dec3bf2841027af7115edd92de5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\DUNZIP32.DLL

Filesize
140KB

MD5
dcf35685ba2da41bb77cf322e776de99

SHA1
823086cb48e2acbe93503d73d030d4aa7d14aff4

SHA256
6a746b411b40f71f63af8fed83a0b53ca689275193064821dc192bbe9bb43692

SHA512
c82790280276baaba2ab7d20439d5151c871252a17771c630d70f82a7ac93f9541e83bde6d59be88c012474d87801cc61bad5ef471f952dc297e7b47ec445dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\ENGLISH-INTERNET-USBAC.LNG

Filesize
13KB

MD5
535e249fc5ba67b1d4f727bf6c440c3d

SHA1
92f077a44aa21ac5f416ec34940ea5ff4372dc27

SHA256
1740c4ba0d370f59acd114652861aab387ad0007bdfe912f18474447a8e65634

SHA512
6672b374c95dfb1b43a2dcd6f1a100be1785a9221f92718ee2210b127c83c8c8a891d419220503dda135894449fa48b34aa7ae62f443315f00b6c892b6aa3966

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\FILEDATA.DAT

Filesize
2.1MB

MD5
36b7dd0ee169a6694d4f8c07cff2c085

SHA1
1cba2e4848accfe043566603f59702a42bd78e59

SHA256
3c898f858f34c8e8c95ffbdc5fb07e36f9d271eea300a18bce28905f9c52ee98

SHA512
e4e8e7875cce63ff445b506495402a4bb1f304640f05fbf7d05dc0544788db951b2fe5397b17bd04d6cd182f096c006570e57d209d2c49564142859a8b2669e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\FILELIST.INF

Filesize
1KB

MD5
0b01ee4fc594f9cf98bb1af6237d7742

SHA1
060aa84344b2965759bdbcc663005c5396005cd9

SHA256
fdd96f8ef913ec13b8037efc5e11784c6a6fac459bac204b10f3bdf26c22ff4c

SHA512
fc8e9e664e3cb8e34ead6293f6d05bcfa4449e0ede07c166a460bf2e817256dd87e80bc3b6ab2253966ad220151163ccdfb4cfb1fcea86aefef032cdd1ef1741

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\LICENSE.RTF

Filesize
8KB

MD5
4f4cd9408664175b597d757b0806a37a

SHA1
0ce1a9bc5cfbdbda343d36287c692854db3b66ec

SHA256
21fb7227afc68792d2e9c094fcf2173b9d5f1ab592936cd78940205f26ea810d

SHA512
99ad98bc6538053ec249b41227059204db44022782fb1a4837cc7c035b65eeb6a2b6970d6a2c06777eaf80b8a65533903b067a8645ad43fbe32e1c8efe9149d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE

Filesize
68KB

MD5
62ac659f6364e50ba9770cd61182ac02

SHA1
361c6a8be09807de1b6c941e3ceead849ec0ffc7

SHA256
569f056983d5e24f5867b880678b0b0031bcd04229d4923b4498106a78ee36c7

SHA512
b8312972bd196afe50df370d6ad334588dd4f90926a81a2363594a913c1d06128e48201ea4d577773c7e8d70152f9b112911d290e20cc11a0046dce0185e0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE

Filesize
68KB

MD5
62ac659f6364e50ba9770cd61182ac02

SHA1
361c6a8be09807de1b6c941e3ceead849ec0ffc7

SHA256
569f056983d5e24f5867b880678b0b0031bcd04229d4923b4498106a78ee36c7

SHA512
b8312972bd196afe50df370d6ad334588dd4f90926a81a2363594a913c1d06128e48201ea4d577773c7e8d70152f9b112911d290e20cc11a0046dce0185e0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE.manifest

Filesize
853B

MD5
4c4a36456281ae9593f3a265b25a5dbf

SHA1
595f599430d753194f748018e76b2310fc194e23

SHA256
eec3d9db3d4231138ee1b8b77a987471d613f31972e18e2eb87a84cf72a3404f

SHA512
e9cdfcecc077f448fbf849a3fff16d33ce9c58a939539109e1d13042c823876b9fcbd5ded5c6c87337acefe25d72b4b98eec80da0c0e67c8ac12d5de4c8596eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VIREG32.BIN

Filesize
36KB

MD5
9f9156bfb05f308f4b2e74ce59936d3f

SHA1
de69d18251e44b73e64cdf51a385470b3609514b

SHA256
0921c26664ea7804f7353abae76ac9e7ea70081c0a6cf7f1bd9b903598ddbff4

SHA512
865399d82bf05b7301ba5d833773db83d62a27cddfe7f6e1df91e16dbb3d1335cf01b2ef3220c2e987e35f60863776bc60143231b569cd3dc6d16361c3f46fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VIS32X.BIN

Filesize
532KB

MD5
4106c7e2247695c19a2ef13c05b90670

SHA1
812bbbf0e48529944c374a9ac42880a4cbde8230

SHA256
dfbede077c02b5d65fefbea5a4a9c8b279715b96c38d2f3d4f4f9da3ded45590

SHA512
19e2f5b18f24404ae81a44ac95a60d7c3a514e145bc61773dfe1c6a1372f3e37b0721eea7d4943946f00db27cfe91f85e528aec1419912b9d2ef74b7f1bb566b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VISETUP.INF

Filesize
13KB

MD5
6c3fff3250262457bbf52f6a7c8b7a8d

SHA1
616a7754c1841b976c1e77dc8002ca2760dab35f

SHA256
a407cfb62b38b3d1e807a09ee2e6b8e2cc9843f2c5aaa9bfa01cc97689d5c996

SHA512
08a312888f31baa8c52ff182179dc6cf0003657fe0d6e51457f0b3d19fb76dc872964d9009dd48382dcd608e4fc6e922ee270e6d61cbf70818e1e87495781401

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VIXREG2.BIN

Filesize
52KB

MD5
196aef67369e2060ccf4f9a3fff88424

SHA1
1cc7d6a729aeb8a45f51fe9c2dae1d89e7c64e64

SHA256
9e3ed5615948c1ee36a03e7d47a03e5c4de64a01c3f2529d5eb43813af8190eb

SHA512
2d426674121d1dad20397522e632cd0a5c083d4a3d90045cb11433f2741f548389ae20b000655aec3a8a727744d84392a91fd6e747ed1071646419079ea6ffa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VIXUNIN.BIN

Filesize
224KB

MD5
d3b3e914d0ee200df820c7d770632bf0

SHA1
20187647eb58a652978a35736e9ae072f780236b

SHA256
d8941f8feedaef833bfa4d7cbcf7f190bc55b81a45a4c13eedbd2a50423cba0f

SHA512
a2db4234353a1512927b08dc219d3a20209ee620c153183d96b799213f3c92da1ec18f9392b6f2a3c1ab70e304ee0cfb09b4c06329822ffa49fb260733672b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\W5.man

Filesize
685B

MD5
305cba290fa3476af058afe122bc2ff9

SHA1
5c2102dfe7a8642d1be108fa1f39803582efad3f

SHA256
7c6a7e44150d3fd6175310c618bafc26cc2ae112bfabb55d3d5bb88cd977692b

SHA512
07959cacaea491fbebe33a88a94a8b1ecc3311dd94fda4433007bb0de0dad8364d6599016ef5afcd602fd9fc155d54fef1d9b477d91f5bf1a9893daa93df224d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\W5U.man

Filesize
681B

MD5
5186d0f494ed0cde18ad27e0a7394502

SHA1
1d8f6c1a6430e5595133f4fb2d4678e10fb0a2f2

SHA256
752adedf7763bb6969d4b9777a6291a12ed17732aff1ec8bb242e99247309a14

SHA512
0d5e78b1b7f9a758b7b541bd7943dd67e27a59c3730bb16f077fcfa8d12f5b1f1c36f2e486fbc53c285e7dd2d05cceda7312100a7871060f12c789873d3536f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\W6.man

Filesize
935B

MD5
b1d8203e9783a710157050d7ce1f4b53

SHA1
552d762d9b9674a87ff913513a45b9587a3846ec

SHA256
038744dc16dad02dd19625c4bf775f0fcd93101c6afb6ef7310240284a7bae8d

SHA512
c03c55e55a247158dd2674b392303d53e2c70bdd6e925d84ba67783f24846f910fc8c819460c7bab47179eea2bd71ca966d60fed695668066a99735722d7d122

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\W6U.man

Filesize
931B

MD5
1b0aa004a7006fb0e3825880d9901c82

SHA1
e3d313bfee147a8aa0d7454aae7922a9b1fa46f7

SHA256
d1a5ffe4e201266537d0581f1789562ffc69015bb993ee1f6fefd0a160b00369

SHA512
4a32f1d3ebeb8316647432469c7f3085f257a951e96c5a8f25f8120991431ee1d93bed55805898be44d6d5048921f854ce22a3c0f72ba1f96c15adecf6e20872

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\DESOBJ.DAT

Filesize
85KB

MD5
9a9f32bfffd888a803f35361a9efd2e8

SHA1
94a2b15f02c20a0cdeaf049401ae1f0d77214fff

SHA256
018daf1813ef85d7295a5395400bb801422fc10f79e9ff4a3fe6a96dee3519ee

SHA512
07ddda4b36e8b83ae5612cd49a55c85eb3b6cb5d23ff0dfe699d019516f9c1bfea88f4979d7d7a959af237441dd856af135dec3bf2841027af7115edd92de5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\DUNZIP32.dll

Filesize
140KB

MD5
dcf35685ba2da41bb77cf322e776de99

SHA1
823086cb48e2acbe93503d73d030d4aa7d14aff4

SHA256
6a746b411b40f71f63af8fed83a0b53ca689275193064821dc192bbe9bb43692

SHA512
c82790280276baaba2ab7d20439d5151c871252a17771c630d70f82a7ac93f9541e83bde6d59be88c012474d87801cc61bad5ef471f952dc297e7b47ec445dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\FILELIST.INF

Filesize
1KB

MD5
0b01ee4fc594f9cf98bb1af6237d7742

SHA1
060aa84344b2965759bdbcc663005c5396005cd9

SHA256
fdd96f8ef913ec13b8037efc5e11784c6a6fac459bac204b10f3bdf26c22ff4c

SHA512
fc8e9e664e3cb8e34ead6293f6d05bcfa4449e0ede07c166a460bf2e817256dd87e80bc3b6ab2253966ad220151163ccdfb4cfb1fcea86aefef032cdd1ef1741

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\LICENSE.RTF

Filesize
8KB

MD5
4f4cd9408664175b597d757b0806a37a

SHA1
0ce1a9bc5cfbdbda343d36287c692854db3b66ec

SHA256
21fb7227afc68792d2e9c094fcf2173b9d5f1ab592936cd78940205f26ea810d

SHA512
99ad98bc6538053ec249b41227059204db44022782fb1a4837cc7c035b65eeb6a2b6970d6a2c06777eaf80b8a65533903b067a8645ad43fbe32e1c8efe9149d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\VIS32X.EXE

Filesize
532KB

MD5
4106c7e2247695c19a2ef13c05b90670

SHA1
812bbbf0e48529944c374a9ac42880a4cbde8230

SHA256
dfbede077c02b5d65fefbea5a4a9c8b279715b96c38d2f3d4f4f9da3ded45590

SHA512
19e2f5b18f24404ae81a44ac95a60d7c3a514e145bc61773dfe1c6a1372f3e37b0721eea7d4943946f00db27cfe91f85e528aec1419912b9d2ef74b7f1bb566b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\VISETUP.INF

Filesize
13KB

MD5
6c3fff3250262457bbf52f6a7c8b7a8d

SHA1
616a7754c1841b976c1e77dc8002ca2760dab35f

SHA256
a407cfb62b38b3d1e807a09ee2e6b8e2cc9843f2c5aaa9bfa01cc97689d5c996

SHA512
08a312888f31baa8c52ff182179dc6cf0003657fe0d6e51457f0b3d19fb76dc872964d9009dd48382dcd608e4fc6e922ee270e6d61cbf70818e1e87495781401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6RPV8.tmp\usb-autorun-creator-2-installer_8R94y-1.tmp

Filesize
3.0MB

MD5
0ee24b1e0f0078b25c512ec0e5c3e14d

SHA1
d292c7452b4417dfd2fc3094a58e8e9de917b513

SHA256
8288bfe42bf10dd76e709745317e4971283284e78c124d2d304543acb02a8e22

SHA512
416e50f5e2ff2cf34e7ab5cbbf7a522343b6b4669f09ea0a282e97005bdb861686bdff075ed58e27c392d4c1ff017aa67773863a4fd4981c40c7e61661d94b60

Download Submit
C:\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe

Filesize
2.6MB

MD5
ff9d76b1adcc2be727337e42c8dcacc9

SHA1
d6cf693c76eb681a66ced0b20ef2e039619d5305

SHA256
c0d32913af9b4f6cd7f6fc0b540e20c42fddaf4c48009c13530d86b4cd3d1d21

SHA512
89e3fd22da177d341a7712fc6ceb75d02b30a2218f7ec374a134e773c804ed9b4c31553460332e0fad4019a703da8494095876a64fbee663841898a2eddbdcc0

Download Submit
C:\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe

Filesize
2.6MB

MD5
ff9d76b1adcc2be727337e42c8dcacc9

SHA1
d6cf693c76eb681a66ced0b20ef2e039619d5305

SHA256
c0d32913af9b4f6cd7f6fc0b540e20c42fddaf4c48009c13530d86b4cd3d1d21

SHA512
89e3fd22da177d341a7712fc6ceb75d02b30a2218f7ec374a134e773c804ed9b4c31553460332e0fad4019a703da8494095876a64fbee663841898a2eddbdcc0

Download Submit
C:\Windows\SysWOW64\XAPI2000.DLL

Filesize
156KB

MD5
1037ba16da1fbcbc31012279cb7c4ac0

SHA1
c9156bcc6d9a3d2b45617bfdac62bc2a091fe9ff

SHA256
ac95b7eb1a335de0bf3f4102374779adf5d147325c2f6de5f2e646700226b1cb

SHA512
ed8d8d90ac9e9ec30d4de5fab3fed5eaec33ae93f8b8585c8e625f80325e2c7a70084d5f2c7a8316abc741eb0577d0d290c195df0ef4bd6147156bd580dc89d7

Download Submit
\??\c:\windows\SysWOW64\Comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\??\c:\windows\SysWOW64\SLXButn.ocx

Filesize
40KB

MD5
02552c4fd5fbe74bde48d4e2ea8a7c15

SHA1
e5c51b2abccd7d35b6dbfdf3dc0aad4180eb15f1

SHA256
57b35e59cc7d3afc1455947adcabf0c532fe13465efb8eb001c4dafa5f839f59

SHA512
c6e3d3b5b14ffab78838e8abd82149d7c341563761e0df3eef8b6f7ac21a1fb8df6320f78baec68045eaaee1bb1480a9e4699afccd0e0fee94e31d3898e9f4c3

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\Editor\USBACEditor.exe

Filesize
606KB

MD5
a083258807bf74022d1366918c14cb8e

SHA1
3e81b89dc598bf996c3d0b6fd26c254b9d1ec456

SHA256
9eb1010d1724d8266d5c388804da51632c1bbfadd73402c4512d7625e751ea96

SHA512
8829db50ceb6f51f16e337f0701fbeee796192c0350b34ea790319788e774c4499f7883e09c43fa05be3979c3f773e2444c5f1c1e284dd8e29331609589ab48c

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f0.fil

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f0.fil

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f11.fil

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f11.fil

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f11.fil

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f11.fil

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f13.fil

Filesize
9KB

MD5
346fcf3cb97e523fe5ed561d2cff03a6

SHA1
3493218be61c2a2a28786fb72350c853f0d5dec4

SHA256
b989b16038bb888a235df0e298c4d5715f0691f4f1c18e36a6b91b360159b718

SHA512
f3c845c7638d7420f67741483792d567a284538874003b020ff7370f124a6393d5565193a7d74588b4b0f51d0efd4ea98e79bb712164f4e7a88483a1a578f0bd

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f13.fil

Filesize
9KB

MD5
346fcf3cb97e523fe5ed561d2cff03a6

SHA1
3493218be61c2a2a28786fb72350c853f0d5dec4

SHA256
b989b16038bb888a235df0e298c4d5715f0691f4f1c18e36a6b91b360159b718

SHA512
f3c845c7638d7420f67741483792d567a284538874003b020ff7370f124a6393d5565193a7d74588b4b0f51d0efd4ea98e79bb712164f4e7a88483a1a578f0bd

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f8.fil

Filesize
606KB

MD5
a083258807bf74022d1366918c14cb8e

SHA1
3e81b89dc598bf996c3d0b6fd26c254b9d1ec456

SHA256
9eb1010d1724d8266d5c388804da51632c1bbfadd73402c4512d7625e751ea96

SHA512
8829db50ceb6f51f16e337f0701fbeee796192c0350b34ea790319788e774c4499f7883e09c43fa05be3979c3f773e2444c5f1c1e284dd8e29331609589ab48c

Download Submit
\Program Files (x86)\SamLogic\USB AutoRun Creator\VI$TMP$Z\f8.fil

Filesize
606KB

MD5
a083258807bf74022d1366918c14cb8e

SHA1
3e81b89dc598bf996c3d0b6fd26c254b9d1ec456

SHA256
9eb1010d1724d8266d5c388804da51632c1bbfadd73402c4512d7625e751ea96

SHA512
8829db50ceb6f51f16e337f0701fbeee796192c0350b34ea790319788e774c4499f7883e09c43fa05be3979c3f773e2444c5f1c1e284dd8e29331609589ab48c

Download Submit
\Program Files (x86)\SamLogic\USB Supervisor\USBsupervisor.exe

Filesize
1.6MB

MD5
93c77cc4908874c28a60124aec842e34

SHA1
143125eb696cfffcc15cc2aa47714fb518c29aac

SHA256
d383e4fe0a39fefb2f174a1b13d1fad0bd33f086f55a1eb0244d5a964574333e

SHA512
20a3e24c66d45324385ece2b02dd627574b1f1504369d910d819c9a24df0c3f27bc0949d3a51373929883c918d8b7ddcce200714b04db3855c381b905a35239e

Download Submit
\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE

Filesize
68KB

MD5
62ac659f6364e50ba9770cd61182ac02

SHA1
361c6a8be09807de1b6c941e3ceead849ec0ffc7

SHA256
569f056983d5e24f5867b880678b0b0031bcd04229d4923b4498106a78ee36c7

SHA512
b8312972bd196afe50df370d6ad334588dd4f90926a81a2363594a913c1d06128e48201ea4d577773c7e8d70152f9b112911d290e20cc11a0046dce0185e0c9d

Download Submit
\Users\Admin\AppData\Local\Temp\VISETUP\DUNZIP32.DLL

Filesize
140KB

MD5
dcf35685ba2da41bb77cf322e776de99

SHA1
823086cb48e2acbe93503d73d030d4aa7d14aff4

SHA256
6a746b411b40f71f63af8fed83a0b53ca689275193064821dc192bbe9bb43692

SHA512
c82790280276baaba2ab7d20439d5151c871252a17771c630d70f82a7ac93f9541e83bde6d59be88c012474d87801cc61bad5ef471f952dc297e7b47ec445dfc

Download Submit
\Users\Admin\AppData\Local\Temp\VISETUP\VIS32X.EXE

Filesize
532KB

MD5
4106c7e2247695c19a2ef13c05b90670

SHA1
812bbbf0e48529944c374a9ac42880a4cbde8230

SHA256
dfbede077c02b5d65fefbea5a4a9c8b279715b96c38d2f3d4f4f9da3ded45590

SHA512
19e2f5b18f24404ae81a44ac95a60d7c3a514e145bc61773dfe1c6a1372f3e37b0721eea7d4943946f00db27cfe91f85e528aec1419912b9d2ef74b7f1bb566b

Download Submit
\Users\Admin\AppData\Local\Temp\_adB1.dll

Filesize
76KB

MD5
350b8fa87ba295530fc18a393f13dd39

SHA1
c82cee5b17d07d45c3f1062617993e9e68cab453

SHA256
dcbbbca362638e938f26e81cd7e0b4abe152b14adc4eb95ef89d7dc7566cb015

SHA512
a88b38e157d9b1467e2f6e030551b87eef8045aa535f7a42c951b9b5c217bd145e72ca81418ffb7da24fcba2d9e79c0448fef48f0da79b3b433c27b10143bc81

Download Submit
\Users\Admin\AppData\Local\Temp\is-6RPV8.tmp\usb-autorun-creator-2-installer_8R94y-1.tmp

Filesize
3.0MB

MD5
0ee24b1e0f0078b25c512ec0e5c3e14d

SHA1
d292c7452b4417dfd2fc3094a58e8e9de917b513

SHA256
8288bfe42bf10dd76e709745317e4971283284e78c124d2d304543acb02a8e22

SHA512
416e50f5e2ff2cf34e7ab5cbbf7a522343b6b4669f09ea0a282e97005bdb861686bdff075ed58e27c392d4c1ff017aa67773863a4fd4981c40c7e61661d94b60

Download Submit
\Users\Admin\AppData\Local\Temp\is-HM015.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe

Filesize
2.6MB

MD5
ff9d76b1adcc2be727337e42c8dcacc9

SHA1
d6cf693c76eb681a66ced0b20ef2e039619d5305

SHA256
c0d32913af9b4f6cd7f6fc0b540e20c42fddaf4c48009c13530d86b4cd3d1d21

SHA512
89e3fd22da177d341a7712fc6ceb75d02b30a2218f7ec374a134e773c804ed9b4c31553460332e0fad4019a703da8494095876a64fbee663841898a2eddbdcc0

Download Submit
\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe

Filesize
2.6MB

MD5
ff9d76b1adcc2be727337e42c8dcacc9

SHA1
d6cf693c76eb681a66ced0b20ef2e039619d5305

SHA256
c0d32913af9b4f6cd7f6fc0b540e20c42fddaf4c48009c13530d86b4cd3d1d21

SHA512
89e3fd22da177d341a7712fc6ceb75d02b30a2218f7ec374a134e773c804ed9b4c31553460332e0fad4019a703da8494095876a64fbee663841898a2eddbdcc0

Download Submit
\Users\Admin\Downloads\usb-autorun-creator-2-installer.exe

Filesize
2.6MB

MD5
ff9d76b1adcc2be727337e42c8dcacc9

SHA1
d6cf693c76eb681a66ced0b20ef2e039619d5305

SHA256
c0d32913af9b4f6cd7f6fc0b540e20c42fddaf4c48009c13530d86b4cd3d1d21

SHA512
89e3fd22da177d341a7712fc6ceb75d02b30a2218f7ec374a134e773c804ed9b4c31553460332e0fad4019a703da8494095876a64fbee663841898a2eddbdcc0

Download Submit
\Windows\SysWOW64\Comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Windows\SysWOW64\Comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Windows\SysWOW64\Comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Windows\SysWOW64\SLXButn.ocx

Filesize
40KB

MD5
02552c4fd5fbe74bde48d4e2ea8a7c15

SHA1
e5c51b2abccd7d35b6dbfdf3dc0aad4180eb15f1

SHA256
57b35e59cc7d3afc1455947adcabf0c532fe13465efb8eb001c4dafa5f839f59

SHA512
c6e3d3b5b14ffab78838e8abd82149d7c341563761e0df3eef8b6f7ac21a1fb8df6320f78baec68045eaaee1bb1480a9e4699afccd0e0fee94e31d3898e9f4c3

Download Submit
\Windows\SysWOW64\SLXButn.ocx

Filesize
40KB

MD5
02552c4fd5fbe74bde48d4e2ea8a7c15

SHA1
e5c51b2abccd7d35b6dbfdf3dc0aad4180eb15f1

SHA256
57b35e59cc7d3afc1455947adcabf0c532fe13465efb8eb001c4dafa5f839f59

SHA512
c6e3d3b5b14ffab78838e8abd82149d7c341563761e0df3eef8b6f7ac21a1fb8df6320f78baec68045eaaee1bb1480a9e4699afccd0e0fee94e31d3898e9f4c3

Download Submit
\Windows\SysWOW64\XAPI2000.dll

Filesize
156KB

MD5
1037ba16da1fbcbc31012279cb7c4ac0

SHA1
c9156bcc6d9a3d2b45617bfdac62bc2a091fe9ff

SHA256
ac95b7eb1a335de0bf3f4102374779adf5d147325c2f6de5f2e646700226b1cb

SHA512
ed8d8d90ac9e9ec30d4de5fab3fed5eaec33ae93f8b8585c8e625f80325e2c7a70084d5f2c7a8316abc741eb0577d0d290c195df0ef4bd6147156bd580dc89d7

Download Submit
\Windows\SysWOW64\temp.000

Filesize
1.3MB

MD5
a6f6df7d895a313f438347d77f3a4a23

SHA1
9539268c7a42e2cb653b8386cc5f26610d70b560

SHA256
498a62121e8fd3fab20b1738274146032a92e003c324f9829664a184bba65f84

SHA512
6473a04330658bc2b6ac25fc74671c018343f795855636e7c597dafaff5c9a811ceedba11f4f8950c5f9aa22a5991e11805518cecb9ac3c1874e2da62e6ee254

Download Submit
memory/1148-145-0x0000000074701000-0x0000000074703000-memory.dmp

Filesize
8KB

Download
memory/1148-143-0x0000000000520000-0x0000000000548000-memory.dmp

Filesize
160KB

Download
memory/1304-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1304-55-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1304-65-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1304-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1304-73-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1668-133-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/2044-64-0x00000000746E1000-0x00000000746E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads