bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9

Analysis

max time kernel
69s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 12:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
Size

1.3MB
MD5

715dcee80f0031c0bc83e57c116bbab1
SHA1

286e5fc369a97b5f294155b914d9889608e5d679
SHA256

bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9
SHA512

a07c4e420df009314edf7cc8c666d9f9c82a9199b5a0d9912c96857ab9d8618988df8397a44e49a75304e80fe9ff94a0ead32b15912878063cfdd62e02afb5d1
SSDEEP

12288:4swGFtMCVAJv5/EuT0EWFOaiv5z21fx9bSjk6CUbSjXUnY7iUnY7W96IMf:hnFtBVAxPZWFOaau29kCYGCYK96Nf

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1776-54-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RFKMXIX = "C:\\Windows\\RFKMXIXNQ.COM"	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ja-JP\CSRSS.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\FORFILES.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\GETMAC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\CTTUNESVR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\CHOICE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\TRACERPT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\WEVTUTIL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\CLIP.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\NOTEPAD.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\CREDWIZ.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\MSINFO32.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\NSLOOKUP.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\WAITFOR.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\de-DE\XPSVIEWER.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\AUTOCONV.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\CMD.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\WECUTIL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DPISCALING.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ATBROKER.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\TZUTIL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\EVENTCREATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\OCSETUP.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\UTILMAN.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\NTKRNLPA.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\COMP.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\RELOG.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\LABEL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\MIGAUTOPLAY.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\TSTHEME.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\AUTOFMT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\GPUPDATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\NAPSTAT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\UI0DETECT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CTFMON.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\WININIT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\COLORCPL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\RMCLIENT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\RUNLEGACYCPLELEVATED.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DXDIAG.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\WMIC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\TPMINIT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\WUSA.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\DCCW.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\COLORCPL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\RMACTIVATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\ATBROKER.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DISKPART.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\ISCSICLI.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ISCSICLI.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DPLAYSVR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\EXTRAC32.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\WPDSHEXTAUTOPLAY.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\HWRCOMP.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\CACLS.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SETUPSNK.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\com\de-DE\MIGREGDB.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\REGSVR32.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\INFDEFAULTINSTALL.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\LOGMAN.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\MSTSC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\REPLACE.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\DISKPART.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\SysWOW64\en-US\VDS.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\MEDIACENTERWEBLAUNCHER.EXE.MANIFEST	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\es-ES\HELPPANE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Panther\SETUP.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Speech\Common\SAPISVR.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\es-ES\MEMTEST.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\fr-FR\MEMTEST.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\sv-SE\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\es-ES\EHRECVR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\it-IT\HELPPANE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\it-IT\EHMSAS.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\wow\EHEXTHOST32.EXE.CONFIG	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\MEMTEST.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\nb-NO\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\de-DE\FVEUPDATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\de-DE\REGEDIT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\fr-FR\EHSCHED.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\it-IT\WINHLP32.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Speech\Common\ja-JP\SAPISVR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ja-JP\WINHLP32.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File created	C:\Windows\RFKMXIXNQ.COM	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\en-US\MEMTEST.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\HH.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\it-IT\REGEDIT.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\tr-TR\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\EHSCHED.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\it-IT\EHSCHED.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\MCGLIDHOST.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\fr-FR\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\de-DE\MCUPDATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\en-US\HH.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\servicing\ja-JP\TRUSTEDINSTALLER.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\fi-FI\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\ja-JP\EHSCHED.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ja-JP\BFSVC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Speech\Common\it-IT\SAPISVR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\servicing\TRUSTEDINSTALLER.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\pl-PL\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\ja-JP\EHREC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\MCX2PROV.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\it-IT\NOTEPAD.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\es-ES\FVEUPDATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\EXPLORER.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\servicing\GC64\TZUPD.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SBESERVER.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\es-ES\EHREC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\MCSPAD.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\en-US\BFSVC.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\es-ES\EHPRIVJOB.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\ja-JP\WTVCONVERTER.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\fr-FR\FVEUPDATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\de-DE\MEMTEST.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\EHEXTHOST.EXE.CONFIG	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\EHTRAY.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\en-US\EHSCHED.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\it-IT\EHPRIVJOB.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\ja-JP\EHRECVR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\MCRMGR.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\en-US\FVEUPDATE.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\Boot\PCAT\ru-RU\BOOTMGR.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\EHPRIVJOB.EXE	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\es-ES\EHSCHED.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\ehome\fr-FR\EHPRIVJOB.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\es-ES\EXPLORER.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
File opened for modification	C:\Windows\fr-FR\WINHLP32.EXE.MUI	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1032	1776	WerFault.exe	19

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1032	1776	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe	28
PID 1776 wrote to memory of 1032	1776	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe	28
PID 1776 wrote to memory of 1032	1776	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe	28
PID 1776 wrote to memory of 1032	1776	bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe	28

C:\Users\Admin\AppData\Local\Temp\bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe
"C:\Users\Admin\AppData\Local\Temp\bfe0dca3e3670e7392b1be84f95af8c00caee7ba8749e1ff67c478c4d0c88be9.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 120
  2⤵
  - Program crash
  PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download