9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd

Analysis

max time kernel
91s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Size

1.1MB
MD5

f0a6c4647312bff08c613178893702e1
SHA1

904dc8720fa1a9ed98d032d9f56ffbff6410757a
SHA256

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd
SHA512

a489b6bb24dcbdb9b1667e6af37d8df53dcc35901aa05e9c6cf43001841f158057bbdd4564c81801debb55b674864107c03f9c0e8ea99d966ebc38bde8fa4ba3
SSDEEP

24576:Chebrn/mG9Pwrn/POzMQGEvGEg5inu3i6ZTdDiUSgwt9faL+Wdi3oBMct3lVW6i8:ChArn/X9Pwrn/POzMQGEvGE0inu3i6ZH

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exesvchost.exe¡¡

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit,\"C:\\Program Files\\Windows Media Player\\a\\b\\9\\d\\b\\5\\f\\a\\1\\5\\6\\2\\e\\c\\8\\f\\5\\d\\6\\3\\2\\c\\b\\5\\c\\b\\2\\6\\9\\3\\a\\4\\autorun.inf\\svchost.exe¡¡\""	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit,\"C:\\Program Files\\Windows Media Player\\a\\b\\9\\d\\b\\5\\f\\a\\1\\5\\6\\2\\e\\c\\8\\f\\5\\d\\6\\3\\2\\c\\b\\5\\c\\b\\2\\6\\9\\3\\a\\4\\autorun.inf\\svchost.exe¡¡\""	svchost.exe¡¡

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

svchost.exe¡¡

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe¡¡

Executes dropped EXE 1 IoCs

Processes:

svchost.exe¡¡

pid process

4800 svchost.exe¡¡

pid	process
4800	svchost.exe¡¡

Loads dropped DLL 8 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exesvchost.exe¡¡

pid	process
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡

Drops desktop.ini file(s) 64 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exesvchost.exe¡¡

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe¡¡

Drops autorun.inf file 1 TTPs 35 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

Drops file in Program Files directory 64 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\a\b\9\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\svchost.exe¡¡	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\autorun.inf\ÎÄ¼þÃâÒß..\	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\autorun.inf\ÎÄ¼þÃâÒß	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File opened for modification	C:\Program Files\Windows Media Player\a\b\9\d\b\autorun.inf	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
File created	C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\autorun.inf\desktop.ini	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2816 4800 WerFault.exe svchost.exe¡¡
2252 4800 WerFault.exe svchost.exe¡¡

pid	pid_target	process	target process
2816	4800	WerFault.exe	svchost.exe¡¡
2252	4800	WerFault.exe	svchost.exe¡¡

Modifies registry class 2 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe¡¡\ = "exefile"	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe¡¡	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

description	pid	process
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
Token: SeDebugPrivilege	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exesvchost.exe¡¡

pid	process
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡
4800	svchost.exe¡¡

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.execmd.exe

description	pid	process	target process
PID 1616 wrote to memory of 4880	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe	cmd.exe
PID 1616 wrote to memory of 4880	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe	cmd.exe
PID 1616 wrote to memory of 4880	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe	cmd.exe
PID 1616 wrote to memory of 4800	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe	svchost.exe¡¡
PID 1616 wrote to memory of 4800	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe	svchost.exe¡¡
PID 1616 wrote to memory of 4800	1616	9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe	svchost.exe¡¡
PID 4880 wrote to memory of 748	4880	cmd.exe	cacls.exe
PID 4880 wrote to memory of 748	4880	cmd.exe	cacls.exe
PID 4880 wrote to memory of 748	4880	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe
"C:\Users\Admin\AppData\Local\Temp\9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Media Player\a" /d everyone /e
3⤵
PID:748

C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\svchost.exe¡¡
"C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\svchost.exe¡¡" pid 1616"C:\Users\Admin\AppData\Local\Temp\9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 636
3⤵
- Program crash
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 656
3⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4800 -ip 4800
1⤵
PID:4268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\svchost.exe¡¡
Filesize
1.1MB

MD5
f0a6c4647312bff08c613178893702e1

SHA1
904dc8720fa1a9ed98d032d9f56ffbff6410757a

SHA256
9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd

SHA512
a489b6bb24dcbdb9b1667e6af37d8df53dcc35901aa05e9c6cf43001841f158057bbdd4564c81801debb55b674864107c03f9c0e8ea99d966ebc38bde8fa4ba3

Download Submit
C:\Program Files\Windows Media Player\a\b\9\d\b\5\f\a\1\5\6\2\e\c\8\f\5\d\6\3\2\c\b\5\c\b\2\6\9\3\a\4\autorun.inf\svchost.exe¡¡
Filesize
1.1MB

MD5
f0a6c4647312bff08c613178893702e1

SHA1
904dc8720fa1a9ed98d032d9f56ffbff6410757a

SHA256
9f1394269d0cddb87380fa9fe88831036de458ac6fe1b3f517cb7ae60656bedd

SHA512
a489b6bb24dcbdb9b1667e6af37d8df53dcc35901aa05e9c6cf43001841f158057bbdd4564c81801debb55b674864107c03f9c0e8ea99d966ebc38bde8fa4ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
Filesize
332KB

MD5
3102c454a9543e58fe3ad5f783f5a690

SHA1
dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

SHA256
039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

SHA512
5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
Filesize
332KB

MD5
3102c454a9543e58fe3ad5f783f5a690

SHA1
dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

SHA256
039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

SHA512
5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
Filesize
332KB

MD5
3102c454a9543e58fe3ad5f783f5a690

SHA1
dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

SHA256
039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

SHA512
5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne
Filesize
192KB

MD5
c1180974dd8a7c6d9f8fcc13096b4f7a

SHA1
9d50021334248bf0c752b3ed34deed48325da05c

SHA256
5b1ff0cabb2384f4b6385c1acce1d5e3a9d7b8e0403e2224cd1ab9722a599d3d

SHA512
c8b938bf172b9d2ccfaea34ff7cfddc9eaab8a9416a07e458bd34dfed2ea18de66d23dbaa9f15c2faf1009e00a8dfca3168ab41f02ef28e97c9197c3ca6943e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
Filesize
1.0MB

MD5
4b30dbe1a79b2b7572ff637cb3765ced

SHA1
b08eba0e9bdb62d426db8d2b3d451152a56f79a1

SHA256
4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

SHA512
40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
Filesize
1.0MB

MD5
4b30dbe1a79b2b7572ff637cb3765ced

SHA1
b08eba0e9bdb62d426db8d2b3d451152a56f79a1

SHA256
4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

SHA512
40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
Filesize
1.0MB

MD5
4b30dbe1a79b2b7572ff637cb3765ced

SHA1
b08eba0e9bdb62d426db8d2b3d451152a56f79a1

SHA256
4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

SHA512
40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat
Filesize
72B

MD5
28b4bca46f12e840a196a027b05b1675

SHA1
3d1c1c0ac44bf8db45d579287dbd0ecc26ddcbfa

SHA256
aacf79a3eb763b78eccfe7ef16c9b4d80aa3bd07e70b2a87f6ba551bd78ea808

SHA512
22fe6b9a3b36b77b4ac39d2a96fd5a944bf756b885318f6410e1c57f79a27fa65aba1ec6e24fa7ab318330de24ab86b9327ed770480fe7c1188483a0033a207f

Download Submit
memory/748-145-0x0000000000000000-mapping.dmp

Download
memory/1616-150-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1616-135-0x0000000000631000-0x0000000000633000-memory.dmp

Filesize
8KB

Download
memory/4800-148-0x0000000002220000-0x0000000002283000-memory.dmp

Filesize
396KB

Download
memory/4800-151-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4800-155-0x0000000002291000-0x0000000002293000-memory.dmp

Filesize
8KB

Download
memory/4800-137-0x0000000000000000-mapping.dmp

Download
memory/4800-156-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4880-136-0x0000000000000000-mapping.dmp

Download