8fcd842d46ad70bf72148e7a5d9d587566f91164279f32ae78670199e980a5e3

Analysis

max time kernel
139s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
Size

391KB
MD5

0d5cd0cb28a6da2bf6c2de5166ee9d76
SHA1

f7008a4c1ac1b27590ee56655c18f6f3f1fc1ff2
SHA256

8fcd842d46ad70bf72148e7a5d9d587566f91164279f32ae78670199e980a5e3
SHA512

2016e5f87aa76d5aa4dedb08b10d7f3b4522612871c692697a858392d3343cb4132b8fc2f38bf78871f2f48ff032502d0aa07eb059f3ea11459277bac4c8058e
SSDEEP

6144:lqq1+wa/QKgZ+K1J/4Thmd3Wc11KxEpBnXLz+k4O7Cp/LJz8Eb:YkkQKgD1uThmdmU1KxEpRLyw7et4Eb

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	MgKPyEORiQUvGj.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	MgKPyEORiQUvGj.exe

Loads dropped DLL 5 IoCs

pid	Process
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-2-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2644-7-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2356-9-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2644-10-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2644-22-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2644-28-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2644-29-0x0000000000400000-0x000000000047A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MgKPyEORiQUvGj.exe = "C:\\ProgramData\\MgKPyEORiQUvGj.exe"	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MgKPyEORiQUvGj.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MgKPyEORiQUvGj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOGDS3L.XML	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\syncui.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wlansvc.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmwhql0.inf_amd64_neutral_23613e3dd9401f10\mdmwhql0.PNF	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7TDAA.ICM	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\EP0NB040.INI	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnky002.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ipmidrv.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\disrvpp.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa520t.xml	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNBP_309.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP15.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7500t.exp	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumN	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\acppage.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\comres.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Dism\ja-JP\DmiProvider.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmega.inf_amd64_neutral_f9c441ed24f00358\mdmmega.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\disk.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\prnca00i.cat	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpd2600a.ini	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00b.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sppcc.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wiaaut.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\umbus.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\kscaptur.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IF4000B.GPD	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StickyNotes-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\stobject.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\mdmgen.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsi06.bin	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8100T.XML	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZPPWN7.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzuiw72.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpfevw73.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismCorePS.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\BRMF549C.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBP_279.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NOE9B.DXT	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1R.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\prngt002.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GSC60006.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7100t.exp	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LocalPack-CA-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayer-DVDRegistration-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	attrib.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnso002.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnge001.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\avmenum.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_neutral_bab421df9c31cc81\netevbda.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cmstplua.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\perfdisk.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\mchgr.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnky008.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\Angel64.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\NAPCLCFG.MSC	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\sisraid2.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmracal.inf_amd64_neutral_857b8ff74e5a7073\mdmracal.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\EP0NB010.INI	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR1T.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnhp002.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\NV_AGP.SYS	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\TTYRES.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Enterprise\license.rtf	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7fr.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	attrib.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo	attrib.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\WMPDMCCore.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00212_.WMF	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching	attrib.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pt-BR.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105266.WMF	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml	attrib.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLCTL.DLL	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Name.accft	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\es-ES\explorer.exe.mui	attrib.exe
File opened for modification	C:\Windows\inf\MSDTC\0000	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Graph	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationClient\ca7d0da3ed8d7aedff84b5b63dc7d35a\UIAutomationClient.ni.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\WinCal.adml	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.Linq\1efa0826492fcfdac41786f53d12106e	attrib.exe
File opened for modification	C:\Windows\Boot\PCAT\cs-CZ\bootmgr.exe.mui	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\it\ServiceModelReg.resources.dll	attrib.exe
File opened for modification	C:\Windows\Fonts\smaf1257.fon	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Log\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~pl-PL~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Services.resources\3.5.0.0_fr_b77a5c561934e089	attrib.exe
File opened for modification	C:\Windows\inf\mdmbr002.PNF	attrib.exe
File opened for modification	C:\Windows\Speech\Engines\SR\fr-FR\l1036.cw	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MUI\0409	attrib.exe
File opened for modification	C:\Windows\Speech\Engines\SR\fr-FR\AI031036.am	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.resources\2.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Engine.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.GroupPoli#\4795e3a744b493733f9f2696a5cd8a67	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.fr.resx	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\Sidebar.adml	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\ShellWelcomeCenter.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~et-EE~7.1.7601.16492.mum	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\System.AddIn.Contract.dll	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#	attrib.exe
File opened for modification	C:\Windows\inf\fr-FR\netavpna.inf_loc	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\aspnetmmcext.resources.dll	attrib.exe
File opened for modification	C:\Windows\Speech\Engines\SR\es-ES	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Tpm.Resources\6.1.0.0_de_31bf3856ad364e35	attrib.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\movie.H1S	attrib.exe
File opened for modification	C:\Windows\inf\prnca00h.inf	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\DeviceRedirection.admx	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	attrib.exe
File opened for modification	C:\Windows\inf\mdmgl007.PNF	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\es\Microsoft.VisualBasic.Compatibility.Data.resources.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\EditAppSetting.aspx.it.resx	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\SetupResources.dll	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\1.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Gpowershell.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0	attrib.exe
File opened for modification	C:\Windows\inf\angelu64.PNF	attrib.exe
File opened for modification	C:\Windows\Help\mui\040C\connmgr.CHM	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\FileRecovery.admx	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions	attrib.exe
File opened for modification	C:\Windows\inf\de-DE	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\sdiageng.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\Cursors\aero_nesw.cur	attrib.exe
File opened for modification	C:\Windows\inf\ESENT\040C\esentprf.ini	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\ja\ServiceModel35.mfl.uninstall	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.RegularExpressions.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.resx	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MCESidebarCtrl\f04b0488328a68d57953149b31a85065	attrib.exe
File opened for modification	C:\Windows\schemas\TSWorkSpace	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design.resources\3.5.0.0_es_b77a5c561934e089\System.Web.Entity.Design.Resources.dll	attrib.exe
File opened for modification	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0010\_TransactionBridgePerfCounters.ini	attrib.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll	attrib.exe
File opened for modification	C:\Windows\schemas\EAPHost\baseeapmethodconfig.xsd	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\7f6b3266-31c5-43a8-9547-e7911ad6fb33	MgKPyEORiQUvGj.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\nsreg = "1703966365"	MgKPyEORiQUvGj.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Download	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
2644	MgKPyEORiQUvGj.exe
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	MgKPyEORiQUvGj.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2644	2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe	28
PID 2356 wrote to memory of 2644	2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe	28
PID 2356 wrote to memory of 2644	2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe	28
PID 2356 wrote to memory of 2644	2356	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe	28
PID 2644 wrote to memory of 1728	2644	MgKPyEORiQUvGj.exe	34
PID 2644 wrote to memory of 1728	2644	MgKPyEORiQUvGj.exe	34
PID 2644 wrote to memory of 1728	2644	MgKPyEORiQUvGj.exe	34
PID 2644 wrote to memory of 1728	2644	MgKPyEORiQUvGj.exe	34
PID 2644 wrote to memory of 592	2644	MgKPyEORiQUvGj.exe	38
PID 2644 wrote to memory of 592	2644	MgKPyEORiQUvGj.exe	38
PID 2644 wrote to memory of 592	2644	MgKPyEORiQUvGj.exe	38
PID 2644 wrote to memory of 592	2644	MgKPyEORiQUvGj.exe	38
PID 2644 wrote to memory of 484	2644	MgKPyEORiQUvGj.exe	36
PID 2644 wrote to memory of 484	2644	MgKPyEORiQUvGj.exe	36
PID 2644 wrote to memory of 484	2644	MgKPyEORiQUvGj.exe	36
PID 2644 wrote to memory of 484	2644	MgKPyEORiQUvGj.exe	36

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	0d5cd0cb28a6da2bf6c2de5166ee9d76.exe

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1728	attrib.exe
484	attrib.exe
592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
"C:\Users\Admin\AppData\Local\Temp\0d5cd0cb28a6da2bf6c2de5166ee9d76.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2356
- C:\ProgramData\MgKPyEORiQUvGj.exe
  C:\ProgramData\MgKPyEORiQUvGj.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\*.*" /s /d
    3⤵
    - Views/modifies file attributes
    PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\*.*" /s /d
    3⤵
    - Drops file in Drivers directory
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:484
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.*" /s /d
    3⤵
    - Views/modifies file attributes
    PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MgKPyEORiQUvGj.exe

Filesize
391KB

MD5
0d5cd0cb28a6da2bf6c2de5166ee9d76

SHA1
f7008a4c1ac1b27590ee56655c18f6f3f1fc1ff2

SHA256
8fcd842d46ad70bf72148e7a5d9d587566f91164279f32ae78670199e980a5e3

SHA512
2016e5f87aa76d5aa4dedb08b10d7f3b4522612871c692697a858392d3343cb4132b8fc2f38bf78871f2f48ff032502d0aa07eb059f3ea11459277bac4c8058e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3X538KKZ\up[1].htm

Filesize
256B

MD5
b2b0afc3bc483f6ac9321281e55e9be9

SHA1
0ff2f44824a729afa75cae9e6a10b6df87263878

SHA256
4909b75359000afad3b883554aeecfb824ae198f5e0539762a4711e0ce16f323

SHA512
7f53a3cc91c3a64246daac4a70a3a378916112560022e71023a8e5bf14ee9e3f5e4b72688ef337087fc2658992fab45b9087c6fbe991d2f8b8f67d33fff2ae1d

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
1.3MB

MD5
51b3f21d82127b4a485d0d00ce3f715d

SHA1
934fba4e0bc27b33bfd0abf34ca054fff1e15199

SHA256
a3792def61a9d0cfb77077137c16b0f7afb4be62f7e7e77212258a9c049a29df

SHA512
e5c075237df2b14d56791e65a32ae23680dc6b0e3d66e085ac41b6a5538a38d41a37fb9c8a4f6c117f05d1b57fbe428aa1ccc975b2a8556cec14c8deee3da5f2

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
1.1MB

MD5
f4a738320ca67e846abb293110eeac6a

SHA1
2c6ae649e3faac5eef721db27bf86af93635f9e9

SHA256
55db42fa2f4c2162f786a6035f75db08ce5ab846a26cdf190d7cbdcf9cb4862b

SHA512
0d64e561c5d3fa73f39809a7fad66942a6dffaa994863299905020594ee7e5e40ca2691d88c3d444e7eafe1d32a7a4f5691e9fdacf3c5c384c040516cb0b9b60

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
385KB

MD5
931a9e4fcd50e81dca2a44f293aaa73a

SHA1
e00e00bf6426ac69807211264b96d400ec801f26

SHA256
7cbe00f24c02972b7fd3ace5d2ae39c4687a6e7a0bf91d93e86fe19a0f11c26b

SHA512
c8e2148bb05614dbe963280f78669e42d94284dc87642c381547833de4a17eadd2aba0bf72f2c818e473187b4f576b6c5656608cb3857b2ba3c37433116a25f3

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
881KB

MD5
b67239ddb67fe6155395403c0d31af5b

SHA1
669e9059f88e8b01d62cfe1138aa5856824b65a6

SHA256
da0fb3498a72026af094fd00b117d36b69d12915f2b449c11339ee6efc91a3f3

SHA512
f65303097f275c2325862e86bb0f463eac3645c5fb8e2cd8023d027ec0ab6cb9daeeb2f863f8743cc334f2b05c2d771958c2e413d7078892e283451534487a69

Download Submit
memory/2356-9-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2356-2-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2356-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2644-7-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2644-10-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2644-22-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2644-28-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2644-31-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/2644-29-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download