4b2f1b01c00297147bde8e2d462e2f22a6eb8863f539af17b65cad75f22ef7b1

Analysis

max time kernel
138s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v7979.exe
Size

11.7MB
MD5

5b336f1416dd08e368bf4f7a1616e875
SHA1

f6936133e2db13d9f0c0d3412d9fc94643112f9a
SHA256

4b2f1b01c00297147bde8e2d462e2f22a6eb8863f539af17b65cad75f22ef7b1
SHA512

0097feb493725176f81586cd2eabf553c43efd432f4fefe071feb622d038d55254fa78edf4f44fb3ae526efb1ab5f62e4a8863a070817f579f96f240b08dcab7
SSDEEP

196608:Ekf1418mfEIBljvc8iYuYz1g/rY5/2VOY6/ZocJPQ/AuxQ21FnB3uIi6exTpey1o:1fa8m5ljsVYzXwVn6/hCIuxQ21ODJ/Jk

Score

8^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\ezusb.sys	v7979.exe
File created	C:\Windows\SysWOW64\drivers\fsusbdrv.sys	v7979.exe

Executes dropped EXE 3 IoCs

pid	Process
4432	logoshop.exe
1680	LogoShop.exe
3416	AutoUpdate.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Wine	logoshop.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Wine	LogoShop.exe

Loads dropped DLL 11 IoCs

pid	Process
2240	v7979.exe
2240	v7979.exe
2240	v7979.exe
2240	v7979.exe
3416	AutoUpdate.exe
3416	AutoUpdate.exe
3416	AutoUpdate.exe
3416	AutoUpdate.exe
3416	AutoUpdate.exe
3416	AutoUpdate.exe
3416	AutoUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	logoshop.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LogoShop.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AutoUpdate.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Friendess\Logoshop\AutoUpdate.exe	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\gks.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\MediaAxisCmd.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\LogoShop.exe	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\Appbase.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\MPC6536.inf	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\drivers\GMpc05ga.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\drivers\ezusb.sys	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\cfg3.template	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\drivers\fsusbdrv.sys	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\NativeXml401.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\GdiPlus.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\ga2801.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\tcfpack.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\usbpack.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\ch375dll.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\language\1028.mui	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\LogoShop.ini	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\userManual.pdf	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\DelphiX140.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\basicio.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\PltRead.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\shortcuts.rtf	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\cfgTool.exe	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\CommM05.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\language\1033.mui	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\revisions.txt	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\motion.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\Usb6536.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\GMpc05ga.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\cfgdy.template	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\drivers\fsusbdrv.inf	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\drivers\MPC6536.inf	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\vcl140.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\vclimg140.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\FileReg.exe	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\AIFiler.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\gerber.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\ezusb.sys	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\drivers\CommM05.dll	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\language\2052.mui	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\language\1110.mui	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\uninst.ico	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\rtl140.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\gcodes.bpl	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\uninstall.exe	v7979.exe
File created	C:\Program Files (x86)\Friendess\Logoshop\cfgw.template	v7979.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Inf\MPC6536.inf	v7979.exe
File created	C:\Windows\inf\fsusbdrv.inf	v7979.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602b6c162eb1d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebadd934471470438e7d54f4b866f62c000000000200000000001066000000010000200000005f679be7b2acb04e8f563143c6126fa52cbbff9f759fa3acc9f3bc011579355e000000000e8000000002000020000000db3da662309fa74837313fb41840321ce38b67df907cd4fa87b6429e07fc9deb200000001a45edacec7965d1d341d15669d43451c8d61365638c9dce5eb1953bf417146140000000e09160a64d285d8ade1a12611ae86db6a2b2f7bb9b2c504248384d0faa2debd26fcde084d3bee9b6e88c729825a1b17522568d1b7f42cad5127175e97c6f360b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebadd934471470438e7d54f4b866f62c000000000200000000001066000000010000200000000bfb1516f6ab2582bc1759598101d992e4aa0987acd538db36f00181bb35434f000000000e80000000020000200000008593c3858aa49c392a161c921da19d7e02e07e6f2de7aec643e126481e68649b2000000038eec8dc976890de2496e3acb6b01678ea2b0cf916d20534e87002fc5e1361074000000029f7c1110cb1ab18925b2eebbf5646ec1571ff308eaa4afb20760597b186c056d81cc20aad6aea2ae5a3c4dc085c907f9a6637970ed891e557d7aff384aae4c6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006f8d162eb1d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31043886"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "346364008"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "346364008"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31043886"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3FE7C877-1D21-11EE-AF62-6E0CE9A2C9CA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\Shell\Logoshop\command\ = "\"C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe\" %1"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.GCODE\DefaultIcon	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.g\ = "FSCAD.GCODE"	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.mol\EditFlags = "0"	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\EditFlags = "0"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\Shell\Logoshop\command	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\Shell\Logoshop\command\ = "\"C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe\" %1"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\DefaultIcon\ = "C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe,2"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\ = "AutoCAD DXF file"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\Shell\Logoshop\ = "Open with Logoshop"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.GCODE	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\Shell\Logoshop\ = "Open with Logoshop"	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\BrowserFlags = "8"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lsd\ = "FSCAD.lsd"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\Shell\ = "Logoshop"	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.BCF\EditFlags = "0"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcf	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\Shell\Logoshop	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dxf	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nc\ = "FSCAD.CNC"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tcf\ = "FSCAD.TCF"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.BCF	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.BCF\ = "BC2801 Instructions"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\ = "Logoshop document"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\DefaultIcon	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\Shell	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\Shell\Logoshop\command\ = "\"C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe\" %1"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\Shell	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\EditFlags = "0"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\DefaultIcon	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\DefaultIcon\ = "C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe,4"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.GCODE\Shell\ = "Logoshop"	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\BrowserFlags = "8"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.BCF\DefaultIcon	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\Shell\ = "Logoshop"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\Shell\Logoshop\ = "Open with Logoshop"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lsd	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\BrowserFlags = "8"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mol\ = "FSCAD.mol"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tcf	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.BCF\BrowserFlags = "8"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcf\ = "FSCAD.BCF"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\DefaultIcon	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\Shell	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\Shell\Logoshop	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.GCODE\BrowserFlags = "8"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.GCODE\Shell\Logoshop\command\ = "\"C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe\" %1"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.g	v7979.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\Shell\Logoshop\command	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.TCF\BrowserFlags = "8"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.BCF\DefaultIcon\ = "C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe,1"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\Shell	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.lsd\EditFlags = "0"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dxf\ = "FSCAD.dxf"	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.GCODE\Shell\Logoshop\ = "Open with Logoshop"	v7979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.mol\BrowserFlags = "8"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.mol\DefaultIcon	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\DefaultIcon\ = "C:\\Program Files (x86)\\Friendess\\Logoshop\\logoshop.exe,7"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.CNC\Shell\Logoshop	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.fsd\Shell\Logoshop\command	v7979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\Shell\ = "Logoshop"	v7979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSCAD.dxf\Shell\Logoshop\command	v7979.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1676	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1676	vlc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3960	iexplore.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3960	iexplore.exe
3960	iexplore.exe
3952	IEXPLORE.EXE
3952	IEXPLORE.EXE
1676	vlc.exe
3416	AutoUpdate.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4432	2240	v7979.exe	90
PID 2240 wrote to memory of 4432	2240	v7979.exe	90
PID 2240 wrote to memory of 4432	2240	v7979.exe	90
PID 3960 wrote to memory of 3952	3960	iexplore.exe	96
PID 3960 wrote to memory of 3952	3960	iexplore.exe	96
PID 3960 wrote to memory of 3952	3960	iexplore.exe	96
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103
PID 1660 wrote to memory of 3380	1660	firefox.exe	103

C:\Users\Admin\AppData\Local\Temp\v7979.exe
"C:\Users\Admin\AppData\Local\Temp\v7979.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files (x86)\Friendess\Logoshop\logoshop.exe
  "C:\Program Files (x86)\Friendess\Logoshop\logoshop.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  PID:4432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\TestMove.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3960 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3952

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ProtectAssert.TTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Program Files (x86)\Friendess\Logoshop\LogoShop.exe
"C:\Program Files (x86)\Friendess\Logoshop\LogoShop.exe" \
1⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4448

C:\Program Files (x86)\Friendess\Logoshop\AutoUpdate.exe
"C:\Program Files (x86)\Friendess\Logoshop\AutoUpdate.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:3380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.0.675658593\2051646900" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e9f11f-57b2-4596-951f-96394b81cfc9} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 1916 1a3db2dd358 gpu
    3⤵
    PID:2212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.1.65320126\1846670565" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2324 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60573985-a990-42f3-ab6b-d15b01ee35d3} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 2364 1a3db20c058 socket
    3⤵
    PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.2.412413822\457309147" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 3044 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f593144-6c1a-4d8f-bd2c-4249dc11ffe2} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 3220 1a3dee9de58 tab
    3⤵
    PID:4512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.3.28872731\1484497588" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7704e98-3e7a-41af-bc57-1107e3a784ea} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 3492 1a3ce862558 tab
    3⤵
    PID:3152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.4.1221011965\789623065" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4680 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b98c24c-a8da-405f-83a5-1903c2af4b30} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 4700 1a3e10f5e58 tab
    3⤵
    PID:4980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.5.227286055\423744403" -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5268 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4a90e9d-d60a-4bdf-9094-84ed38f0d713} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 5284 1a3e10f3758 tab
    3⤵
    PID:1732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.6.1145915388\1878809499" -childID 5 -isForBrowser -prefsHandle 4616 -prefMapHandle 4612 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c641993d-7b76-4f76-9513-cc75bb02de43} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 5596 1a3e2134558 tab
    3⤵
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.8.304084396\547167443" -childID 7 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cb764cf-ce22-4805-91b2-7ad585f5105f} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 5876 1a3e2137b58 tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3380.7.2012426507\1508497516" -childID 6 -isForBrowser -prefsHandle 5696 -prefMapHandle 4608 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55279b85-b112-4a7d-82f5-598a1e62893c} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" 5604 1a3e2135d58 tab
    3⤵
    PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Friendess\Logoshop\Appbase.bpl

Filesize
197KB

MD5
615c19c9793ee61845d1ab57c17643a9

SHA1
aeae9e2ed78f893aa78ca871a411fcff62c63ffc

SHA256
3160432ee77f7e48a5d4d4a4f3029cb90da1db5ac5c03813a8ca0d2940b7bd20

SHA512
e53f9729dbdc20ef2cee6a6e4dfb6cb467f71ce444279e52dd2a15e59497a85b97883c92b642300f8bead53ceb6b9a52e631823cff8035a416f31ac1313a1b46

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\Appbase.bpl

Filesize
197KB

MD5
615c19c9793ee61845d1ab57c17643a9

SHA1
aeae9e2ed78f893aa78ca871a411fcff62c63ffc

SHA256
3160432ee77f7e48a5d4d4a4f3029cb90da1db5ac5c03813a8ca0d2940b7bd20

SHA512
e53f9729dbdc20ef2cee6a6e4dfb6cb467f71ce444279e52dd2a15e59497a85b97883c92b642300f8bead53ceb6b9a52e631823cff8035a416f31ac1313a1b46

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\Appbase.bpl

Filesize
197KB

MD5
615c19c9793ee61845d1ab57c17643a9

SHA1
aeae9e2ed78f893aa78ca871a411fcff62c63ffc

SHA256
3160432ee77f7e48a5d4d4a4f3029cb90da1db5ac5c03813a8ca0d2940b7bd20

SHA512
e53f9729dbdc20ef2cee6a6e4dfb6cb467f71ce444279e52dd2a15e59497a85b97883c92b642300f8bead53ceb6b9a52e631823cff8035a416f31ac1313a1b46

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\AutoUpdate.exe

Filesize
1.1MB

MD5
380f005166d942ccdd592195f9465ce8

SHA1
00df9d16edd20d8b775c815f3cace8adfb6d9929

SHA256
9760114a9578339cd17fa606972a63f2f4ab55d5b781ce69b0ed05cab9c62816

SHA512
26eeb3b21cb8f0962e4c92af796a9aa8fce7b63f4ca65814794b2421dbaa499744640074601e0ab1c0392de5e0d18acef0c929e2d60081b47293657005cbbc95

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\AutoUpdate.exe

Filesize
1.1MB

MD5
380f005166d942ccdd592195f9465ce8

SHA1
00df9d16edd20d8b775c815f3cace8adfb6d9929

SHA256
9760114a9578339cd17fa606972a63f2f4ab55d5b781ce69b0ed05cab9c62816

SHA512
26eeb3b21cb8f0962e4c92af796a9aa8fce7b63f4ca65814794b2421dbaa499744640074601e0ab1c0392de5e0d18acef0c929e2d60081b47293657005cbbc95

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\LogoShop.exe

Filesize
2.8MB

MD5
bb5c3e4b0a4447de67238093a9371325

SHA1
8a7bdf6f67c01f3c6a6629e25feffa1c0fef67ef

SHA256
dd3ccd5211fda87742525654d6d5012191f8c064cb86f80cf4698b56bec89b34

SHA512
d0b78b8e3c47ca09b3dc448e1cb3d7864d7e37babc10b8b4a5d44758fec7ba6ce2659d3e1376ef6e10128245602d25a120b534a9d458103e20e9af24a85564be

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\LogoShop.exe

Filesize
2.8MB

MD5
bb5c3e4b0a4447de67238093a9371325

SHA1
8a7bdf6f67c01f3c6a6629e25feffa1c0fef67ef

SHA256
dd3ccd5211fda87742525654d6d5012191f8c064cb86f80cf4698b56bec89b34

SHA512
d0b78b8e3c47ca09b3dc448e1cb3d7864d7e37babc10b8b4a5d44758fec7ba6ce2659d3e1376ef6e10128245602d25a120b534a9d458103e20e9af24a85564be

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\LogoShop.exe

Filesize
2.8MB

MD5
bb5c3e4b0a4447de67238093a9371325

SHA1
8a7bdf6f67c01f3c6a6629e25feffa1c0fef67ef

SHA256
dd3ccd5211fda87742525654d6d5012191f8c064cb86f80cf4698b56bec89b34

SHA512
d0b78b8e3c47ca09b3dc448e1cb3d7864d7e37babc10b8b4a5d44758fec7ba6ce2659d3e1376ef6e10128245602d25a120b534a9d458103e20e9af24a85564be

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\NativeXml401.bpl

Filesize
2.1MB

MD5
7abb86f34731d659866498ec86dbc58e

SHA1
af156736bad99e389d94aa082df4c1716a641408

SHA256
5a4cb1abc265037ea99d693fddcbbda5fdf0d60fc736bcaa6255a2cb00e71a5e

SHA512
778dd2dafadd2717765dc966668f50f9bc588e9b282ae253be5098fde9941eb43de1cfcf859b651923c8305178464e5506e85b5e15e66df46d10f1e00f41f746

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\NativeXml401.bpl

Filesize
2.1MB

MD5
7abb86f34731d659866498ec86dbc58e

SHA1
af156736bad99e389d94aa082df4c1716a641408

SHA256
5a4cb1abc265037ea99d693fddcbbda5fdf0d60fc736bcaa6255a2cb00e71a5e

SHA512
778dd2dafadd2717765dc966668f50f9bc588e9b282ae253be5098fde9941eb43de1cfcf859b651923c8305178464e5506e85b5e15e66df46d10f1e00f41f746

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\NativeXml401.bpl

Filesize
2.1MB

MD5
7abb86f34731d659866498ec86dbc58e

SHA1
af156736bad99e389d94aa082df4c1716a641408

SHA256
5a4cb1abc265037ea99d693fddcbbda5fdf0d60fc736bcaa6255a2cb00e71a5e

SHA512
778dd2dafadd2717765dc966668f50f9bc588e9b282ae253be5098fde9941eb43de1cfcf859b651923c8305178464e5506e85b5e15e66df46d10f1e00f41f746

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\NativeXml401.bpl

Filesize
2.1MB

MD5
7abb86f34731d659866498ec86dbc58e

SHA1
af156736bad99e389d94aa082df4c1716a641408

SHA256
5a4cb1abc265037ea99d693fddcbbda5fdf0d60fc736bcaa6255a2cb00e71a5e

SHA512
778dd2dafadd2717765dc966668f50f9bc588e9b282ae253be5098fde9941eb43de1cfcf859b651923c8305178464e5506e85b5e15e66df46d10f1e00f41f746

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\language\1033.mui

Filesize
136KB

MD5
c59c7f8fb32d5fb08913473ac29108e8

SHA1
eb92542e0377c1810af691a4089383163ac56f6b

SHA256
7fcd43636af9656a78ca49aa0a1a2aa52d3238693ad58078d857f0549663bdb5

SHA512
7c7b55eba221bb8c6267385b2ac5d04377d57bfe2979c200d5097902ad2502bacc42fcd77e0f5651eea1093bb5f2eac5ce9be6bc8da9b45360e105cb2ffa6f92

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\logoshop.exe

Filesize
2.8MB

MD5
bb5c3e4b0a4447de67238093a9371325

SHA1
8a7bdf6f67c01f3c6a6629e25feffa1c0fef67ef

SHA256
dd3ccd5211fda87742525654d6d5012191f8c064cb86f80cf4698b56bec89b34

SHA512
d0b78b8e3c47ca09b3dc448e1cb3d7864d7e37babc10b8b4a5d44758fec7ba6ce2659d3e1376ef6e10128245602d25a120b534a9d458103e20e9af24a85564be

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\rtl140.bpl

Filesize
1.7MB

MD5
b1085dfe49ec4ff67ea6fd575a5fdc34

SHA1
78e12a246c30d7b51159505b4e1fcb2da457985d

SHA256
b9951b8ad8d7da8cfe9617fd73d8c054a7c70e08f08ee37582b0f7a711538bd2

SHA512
8267a0f6148d77c8b2e0bfb8553f12993de700e6707373dc980f1f8d445aa4f4aa7521f20cdaf4ff8e23dbce43cb4d799c9c51f0daab8de8bd9d009bb47f93d0

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\rtl140.bpl

Filesize
1.7MB

MD5
b1085dfe49ec4ff67ea6fd575a5fdc34

SHA1
78e12a246c30d7b51159505b4e1fcb2da457985d

SHA256
b9951b8ad8d7da8cfe9617fd73d8c054a7c70e08f08ee37582b0f7a711538bd2

SHA512
8267a0f6148d77c8b2e0bfb8553f12993de700e6707373dc980f1f8d445aa4f4aa7521f20cdaf4ff8e23dbce43cb4d799c9c51f0daab8de8bd9d009bb47f93d0

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\vcl140.bpl

Filesize
2.3MB

MD5
d734dd1671dd457b931ad8af1e11d8ff

SHA1
24208365eeaa7e29f35f8cca97c4948ca8805206

SHA256
ae388b8572139f02fab2ef5c5806d4878599649a4bc6992201fe67157828594a

SHA512
7406747895b1ba89c2c71b56b209e43da9d2e495184093b887d1c774fd461bd1a747f45de85de5c40b839b9a9c6b937d3d5636d13c4d8a917c8417c0239e049c

Download Submit
C:\Program Files (x86)\Friendess\Logoshop\vcl140.bpl

Filesize
2.3MB

MD5
d734dd1671dd457b931ad8af1e11d8ff

SHA1
24208365eeaa7e29f35f8cca97c4948ca8805206

SHA256
ae388b8572139f02fab2ef5c5806d4878599649a4bc6992201fe67157828594a

SHA512
7406747895b1ba89c2c71b56b209e43da9d2e495184093b887d1c774fd461bd1a747f45de85de5c40b839b9a9c6b937d3d5636d13c4d8a917c8417c0239e049c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\activity-stream.discovery_stream.json.tmp

Filesize
154KB

MD5
c58d8f424e6e2504687f01980385ca8e

SHA1
8e974129a70819c44245dc0e061f4b10cd09a8c4

SHA256
6e78bba759880aee78435c7cec8b87a9c3b7777b9ba1081f358351bfd4996fa9

SHA512
d42f29aac2042954a17258bb591d092b82db06c49bdfc193e802c9aea0234f5aec95eddb62010e129402c7fe3ca560ce617166b0d0822858cfd7930a3e900eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\LangDLL.dll

Filesize
5KB

MD5
0720405fae191c6686a7c906492a5c94

SHA1
b076e1ad98670ba67766b9d22d68ec9f8b12f23c

SHA256
5a6d037c7c645bea754cfa85744ccbeddf781c4d073feec7beadeeaa87c15546

SHA512
b8c9d66c0269fdb3ac978456a81f74ebeaeeb33694ec18346c70adefa0bead90737caff34ef0c57f286dca4b2d2a135e39d879fa795afdc3575b43920047defb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\LangDLL.dll

Filesize
5KB

MD5
0720405fae191c6686a7c906492a5c94

SHA1
b076e1ad98670ba67766b9d22d68ec9f8b12f23c

SHA256
5a6d037c7c645bea754cfa85744ccbeddf781c4d073feec7beadeeaa87c15546

SHA512
b8c9d66c0269fdb3ac978456a81f74ebeaeeb33694ec18346c70adefa0bead90737caff34ef0c57f286dca4b2d2a135e39d879fa795afdc3575b43920047defb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\System.dll

Filesize
11KB

MD5
f55b41485cbaf292389a52f8e4f0594b

SHA1
89e9b0d1291fa78a40cab358553c447cbbeaa130

SHA256
f16bc2ceb7a6bc7df0955530e72b0aa072ce27650c5cf7b33fd4ea82dea196fc

SHA512
938e8661b8cf418608156dc813c1eb0cc3fa5efa9483061a152bb103c4d821d5c6a82d4c110729e9686f99ccd4da188aebb38a85a01d8ecadb34bb9f6ba60d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\System.dll

Filesize
11KB

MD5
f55b41485cbaf292389a52f8e4f0594b

SHA1
89e9b0d1291fa78a40cab358553c447cbbeaa130

SHA256
f16bc2ceb7a6bc7df0955530e72b0aa072ce27650c5cf7b33fd4ea82dea196fc

SHA512
938e8661b8cf418608156dc813c1eb0cc3fa5efa9483061a152bb103c4d821d5c6a82d4c110729e9686f99ccd4da188aebb38a85a01d8ecadb34bb9f6ba60d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\modern-wizard.bmp

Filesize
51KB

MD5
0c2e870dfbd5a4928f3e64fe729f1616

SHA1
0aa276c15a00ac7ab3ea6e8eacc249da46e0f9e7

SHA256
b6ff32e94df3729a0f4cdd4811fbe88153e79ddec37edeac8f68393ac1e44456

SHA512
194b239527e03749eed6c718cde92378238860b7914660242d4a6586830422383c134f903e9cc099c6bee4719f900f466fdbba7bb06dae6b65f552d8ead88826

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\nsDialogs.dll

Filesize
9KB

MD5
bb0dd6ce18000934cf2475437ffc0a6e

SHA1
1c8b460f51561129768a71bd201a2a1bdce2ee0b

SHA256
8a6bf3ca14e7faed77707a2909224563f1c3f1fdc4d5115cd6e7df728ed19f6b

SHA512
42a68cc2001ef56ce61d249a916abfaf947ae96e3b20eeb61c84daa5fe21be003bf6b27d180a318881da198c00950c2c999a4dbc40c6373ff43a10ccdb66df91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\nsDialogs.dll

Filesize
9KB

MD5
bb0dd6ce18000934cf2475437ffc0a6e

SHA1
1c8b460f51561129768a71bd201a2a1bdce2ee0b

SHA256
8a6bf3ca14e7faed77707a2909224563f1c3f1fdc4d5115cd6e7df728ed19f6b

SHA512
42a68cc2001ef56ce61d249a916abfaf947ae96e3b20eeb61c84daa5fe21be003bf6b27d180a318881da198c00950c2c999a4dbc40c6373ff43a10ccdb66df91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC67.tmp\nsDialogs.dll

Filesize
9KB

MD5
bb0dd6ce18000934cf2475437ffc0a6e

SHA1
1c8b460f51561129768a71bd201a2a1bdce2ee0b

SHA256
8a6bf3ca14e7faed77707a2909224563f1c3f1fdc4d5115cd6e7df728ed19f6b

SHA512
42a68cc2001ef56ce61d249a916abfaf947ae96e3b20eeb61c84daa5fe21be003bf6b27d180a318881da198c00950c2c999a4dbc40c6373ff43a10ccdb66df91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
6KB

MD5
cf040f04e4479f39033bce1d05fa2b79

SHA1
2a3e891e8ff74ce51db899d6ca1289b62fb22533

SHA256
8b7acbfd963fabd5046b799a49986d6ee7d385ec277ffcc07aec1bcac2d7bb6c

SHA512
cfbc9672fb304c4f3dae5ff28aa3c6960fc9228fdf12ad89ecc4b12dd0af044c7c73af18ffef3406008c5ae7e6bb3ffa626e5c265ff6a9fd896fb0e61fcbfc07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs.js

Filesize
6KB

MD5
4a5fdeb39fb17e28c872aeac477867a0

SHA1
ec0f7d73945f6a94160ef55823978908775d0c23

SHA256
d6cad44e2f7ba82f01171dc3d38144242131441136af799f4325478b074935b1

SHA512
4cb15b89ec08cebff206d64f9c0d0fadf6d3c43e3ef0a5109a0c710fbbd6358c58aa693fb30bd7b91ec4f8e18ccdaf5d36b53925c3750faf2712ab9f8ce365d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
2121cae9ebd371c573232ab9a779bc81

SHA1
44a5df6e60a7fbabbaf1de12c1d9d82cc324dbe3

SHA256
32df0566b14cc13188818dd470c962f9ac86e08b96fdb2eb351779eecd377a35

SHA512
98d60da881de1747bf214c2b962aff271bc21363be7bf1fd21436fee9e685e60cc0d28d5b60854f2a469cce43a62e9bdaf1b7cf43290d8c5814e0e8c990ed344

Download Submit
memory/1676-255-0x00007FFF34060000-0x00007FFF34314000-memory.dmp

Filesize
2.7MB

Download
memory/1676-257-0x00007FFF32420000-0x00007FFF32532000-memory.dmp

Filesize
1.1MB

Download
memory/1676-256-0x00007FFF32DB0000-0x00007FFF33E5B000-memory.dmp

Filesize
16.7MB

Download
memory/1676-253-0x00007FF633B60000-0x00007FF633C58000-memory.dmp

Filesize
992KB

Download
memory/1676-254-0x00007FFF45B40000-0x00007FFF45B74000-memory.dmp

Filesize
208KB

Download
memory/1680-264-0x0000000000400000-0x0000000000AED000-memory.dmp

Filesize
6.9MB

Download
memory/1680-259-0x0000000000400000-0x0000000000AED000-memory.dmp

Filesize
6.9MB

Download
memory/3416-292-0x00000000501C0000-0x000000005041C000-memory.dmp

Filesize
2.4MB

Download
memory/3416-291-0x0000000050000000-0x00000000501C0000-memory.dmp

Filesize
1.8MB

Download
memory/3416-284-0x0000000000C10000-0x0000000000E2A000-memory.dmp

Filesize
2.1MB

Download
memory/3416-290-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3416-293-0x00000000009B0000-0x00000000009E7000-memory.dmp

Filesize
220KB

Download
memory/3416-294-0x0000000000C10000-0x0000000000E2A000-memory.dmp

Filesize
2.1MB

Download
memory/3416-296-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3416-286-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3416-282-0x00000000009B0000-0x00000000009E7000-memory.dmp

Filesize
220KB

Download
memory/4432-234-0x0000000000400000-0x0000000000AED000-memory.dmp

Filesize
6.9MB

Download
memory/4432-233-0x0000000000400000-0x0000000000AED000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads