Analysis
-
max time kernel
152s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
02/12/2022, 20:57
Static task
static1
Behavioral task
behavioral1
Sample
aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe
Resource
win10v2004-20220812-en
General
-
Target
aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe
-
Size
355KB
-
MD5
ff481f4c8fccf03ef83a7e7f54f6385d
-
SHA1
09d2797be0059562804469d5277f87475bec1470
-
SHA256
aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b
-
SHA512
93b189df6f875a50de5675609c1da9c9e397e9f383d080fd2ea8e8597bae79e25d53fdcbf5116fec75aae01d2127b57a655a64f80166782319e96aff7b7e6b66
-
SSDEEP
6144:A2gbSUjtb9CCIXI7V7Ub/ZY0dTmQcG9u5IJLD+SmwNDJf2gcPJkX5Fl:KbAZZNJmGfJLCkN9f2nPJkXrl
Malware Config
Signatures
-
Drops file in Drivers directory 60 IoCs
Executes dropped EXE 4 IoCs
pid Process 1420 winlogon.exe 1828 AE 0124 BE.exe 1076 winlogon.exe 568 winlogon.exe -
Loads dropped DLL 8 IoCs
pid Process 1376 aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe 1376 aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe 1420 winlogon.exe 1420 winlogon.exe 1828 AE 0124 BE.exe 1828 AE 0124 BE.exe 568 winlogon.exe 1076 winlogon.exe -
Drops desktop.ini file(s) 35 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1748 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1748 vlc.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe -
Suspicious use of SendNotifyMessage 9 IoCs
pid Process 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe 1748 vlc.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1376 aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe 1748 vlc.exe 1420 winlogon.exe 1828 AE 0124 BE.exe 568 winlogon.exe 1076 winlogon.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\aac79cbe3e30a4bc699a25ab330d951d6ad7b42b25c66a77ff1b7676b738356b.exe"
PID: 1376
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\AE 0124 BE.wav"
  PID: 1748
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe
  Command line: "C:\Windows\System32\drivers\winlogon.exe"
  PID: 1420
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe
    Command line: "C:\Windows\AE 0124 BE.exe"
    PID: 1828
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 568
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 1076
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v6
Downloads