Analysis
max time kernel: 151s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-04-2024 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: be98ac6412a72807cd8720c197c12b3b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: be98ac6412a72807cd8720c197c12b3b.exe
  Resource: win10v2004-20240226-en
General
Target: be98ac6412a72807cd8720c197c12b3b.exe
Size: 130KB
MD5: be98ac6412a72807cd8720c197c12b3b
SHA1: 2dfb4254593f93f0b1212eb445d1394929ff3e8f
SHA256: a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695
SHA512: 689b2ce963f43cdeb7d11952cafefa610edd66c275800abc5b1aa8845ee94042ca257f797bf244085e4bd821521271d86094f852bda53f9606cb710ff8fee833
SSDEEP: 3072:sr+Fu2II+HiXMcI/AKJZ7vV9d300JKML5pbHRHKr+FuqII+H3:/MHD3/AKz7vV9zJKML5pbHPMH3
Malware Config

Signatures
Drops file in Drivers directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | be98ac6412a72807cd8720c197c12b3b.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
Executes dropped EXE (4 IoCs)
pid | Process
1716 | AE 0124 BE.exe
2644 | winlogon.exe
2592 | winlogon.exe
2336 | winlogon.exe
Loads dropped DLL (7 IoCs)
pid | Process
2364 | be98ac6412a72807cd8720c197c12b3b.exe
1716 | AE 0124 BE.exe
1716 | AE 0124 BE.exe
2364 | be98ac6412a72807cd8720c197c12b3b.exe
2644 | winlogon.exe
2644 | winlogon.exe
2336 | winlogon.exe
Drops desktop.ini file(s) (35 IoCs)
All 35 rows are "File opened for modification" by process AE 0124 BE.exe; the ioc column is:
C:\Windows\assembly\Desktop.ini
C:\Windows\Media\Heritage\Desktop.ini
C:\Windows\Media\Raga\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini
C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini
C:\Windows\Media\Characters\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Windows\Media\Desktop.ini
C:\Windows\Media\Sonata\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Windows\Media\Cityscape\Desktop.ini
C:\Windows\Media\Festival\Desktop.ini
C:\Windows\Media\Savanna\Desktop.ini
C:\Windows\Offline Web Pages\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Windows\Fonts\desktop.ini
C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini
C:\Windows\Media\Garden\Desktop.ini
C:\Windows\Media\Landscape\Desktop.ini
C:\Windows\Media\Quirky\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini
C:\Windows\Media\Calligraphy\Desktop.ini
C:\Windows\Media\Delta\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini
C:\Windows\Media\Afternoon\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Windows\Downloaded Program Files\desktop.ini
C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini
C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
Drops autorun.inf file (1 TTPs, 25 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
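Two of the signatures above describe how this sample spreads and hides: "Drops file in Drivers directory" shows winlogon.exe (plus Msvbvm60.dll, the Visual Basic 6 runtime) written under C:\Windows\SysWOW64\drivers, and "Drops autorun.inf file" shows an Autorun.inf written to the root of every drive letter. The following script is an added example by the editor, not sandbox output or code from the sample. It implements the two host checks a responder would run after reading these rows: parse Autorun.inf launch directives (leniently, because malware-written ones are often malformed) and report whether the referenced executable is present on that volume, and find any winlogon.exe outside %SystemRoot%\System32 (WinSxS component-store copies are excluded). The directory tree, the Autorun.inf content and the "MZ" placeholder files are constructed for the demo; the report does not show the real Autorun.inf. Point scan_volume_root() at real drive roots and find_masquerading_winlogon() at %SystemRoot% on a suspect Windows host.

```python
"""Host checks for the Autorun.inf and drivers\winlogon.exe drops in this report.

Added example; runs against a constructed temp directory so it executes offline
on any OS. Real use: scan_volume_root(Path("E:/")) and
find_masquerading_winlogon(Path("C:/Windows")).
"""
import configparser
import shlex
import tempfile
from pathlib import Path

# Autorun.inf directives that cause something to be launched on mount.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] directives with lower-cased keys.

    Malware-written Autorun.inf files frequently lack the section header or
    repeat keys, so parse leniently and fall back to scanning key=value lines
    instead of raising."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        pairs = {}
        for line in text.splitlines():
            if "=" in line and not line.lstrip().startswith((";", "#")):
                key, _, value = line.partition("=")
                pairs[key.strip().lower()] = value.strip()
        return pairs
    for section in cp.sections():          # section name is case-insensitive
        if section.lower() == "autorun":
            return {k.lower(): (v or "") for k, v in cp.items(section)}
    return {}


def scan_volume_root(root: Path) -> list[dict]:
    """Report each launch directive in <root>/Autorun.inf and whether the
    executable it names exists on the same volume (the self-spreading case)."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    directives = parse_autorun(inf.read_text(errors="replace"))
    findings = []
    for key in LAUNCH_KEYS:
        value = directives.get(key)
        if not value:
            continue
        # posix=False keeps Windows backslashes; strip surrounding quotes ourselves.
        exe = shlex.split(value, posix=False)[0].strip('"')
        target = root / exe.replace("\\", "/")
        findings.append({"inf": str(inf), "directive": key,
                         "target": exe, "target_present": target.is_file()})
    return findings


def find_masquerading_winlogon(system_root: Path) -> list[Path]:
    """winlogon.exe belongs in System32 (with backing copies in WinSxS). A copy
    anywhere else under %SystemRoot%, such as SysWOW64\drivers in this report,
    is a name-based masquerade: hash it and compare with the report's IoCs."""
    legit_dir = (system_root / "System32").resolve()
    sxs = (system_root / "WinSxS").resolve()
    hits = []
    for p in system_root.rglob("*"):       # full walk; slow on a real host but thorough
        if p.is_file() and p.name.lower() == "winlogon.exe":
            resolved = p.resolve()
            if resolved.parent != legit_dir and sxs not in resolved.parents:
                hits.append(p)
    return sorted(hits)


def build_fixture(base: Path) -> tuple[Path, Path]:
    """Constructed stand-ins for a removable volume and %SystemRoot% mirroring
    the report's drops. Placeholder bytes, not the sample."""
    volume = base / "E"
    volume.mkdir()
    # Constructed Autorun.inf; the real file's content is not in the report.
    (volume / "Autorun.inf").write_text(
        "[AutoRun]\r\nopen=winlogon.exe\r\nshellexecute=winlogon.exe\r\nicon=winlogon.exe\r\n")
    (volume / "winlogon.exe").write_bytes(b"MZ")
    windir = base / "Windows"
    for rel in ("System32", "SysWOW64/drivers", "WinSxS/x86_winlogon_placeholder"):
        (windir / rel).mkdir(parents=True)
        (windir / rel / "winlogon.exe").write_bytes(b"MZ")
    return volume, windir


def run_demo() -> dict:
    """Build the fixture, run both checks and return plain data."""
    with tempfile.TemporaryDirectory() as tmp:
        volume, windir = build_fixture(Path(tmp))
        return {
            "autorun": scan_volume_root(volume),
            "masquerade": [p.relative_to(windir).as_posix()
                           for p in find_masquerading_winlogon(windir)],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The masquerade check deliberately keys on location rather than on the dropped file's hash, since a repacked build of the same sample would change every hash in the Downloads section but still need to sit under drivers\ to match its own command line.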
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory (64 IoCs)
All 64 rows are "File opened for modification" by process AE 0124 BE.exe; the ioc column is:
C:\Windows\Media\Heritage\Windows Hardware Insert.wav
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.es.resx
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Microsoft.Common.Tasks
C:\Windows\Cursors\cross_r.cur
C:\Windows\inf\ASP.NET_4.0.30319\001F\aspnet_perf.ini
C:\Windows\assembly\NativeImages_v2.0.50727_64
C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_ja_31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.Resources.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemDrawing
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\v4.0_4.0.0.0__b03f5f7f11d50a3a
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql
C:\Windows\Media\Savanna\Windows Exclamation.wav
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\_ServiceModelEndpointPerfCounters.vrg
C:\Windows\assembly\GAC_MSIL\System.Transactions.resources
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\9a1018e24d2b2591b8403dabde6df8ce\System.ServiceModel.Discovery.ni.dll
C:\Windows\Media\Raga\Windows Hardware Remove.wav
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.Tasks.Parallel.dll
C:\Windows\PolicyDefinitions\GroupPolicy.admx
C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.dtc.resources\3.0.0.0_ja_b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.Resources.dll
C:\Windows\Microsoft.NET\Framework\v3.5\1041\vbc7ui.dll
C:\Windows\inf\netloop.inf
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.ja.resx
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.resx
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Conversion.v4.0.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\b2a2c534c407bbe46e8536445d0ada50\System.Workflow.Activities.ni.dll
C:\Windows\Boot\EFI\pt-BR
C:\Windows\diagnostics\system\Search\TS_IndexingServiceCrashing.ps1
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC
C:\Windows\Help\mui\0C0A\devmgr.CHM
C:\Windows\Media\Calligraphy\Windows Ding.wav
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Windows\servicing\Packages\Microsoft-Windows-Printing-XPSServices-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat
C:\Windows\Help\mui\0409\authfw.CHM
C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0410
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_de_31bf3856ad364e35
C:\Windows\Help\mui\0407\iismmc.CHM
C:\Windows\inf\rawsilo.PNF
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\53cf54ff35686c4044952a8cf8b8021e\System.Web.ApplicationServices.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt93d54979#\da2c6b516aa1681ed943b187b9c36c05\System.Runtime.DurableInstancing.ni.dll.aux
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Web.Mobile.Resources.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.AppContext.dll
C:\Windows\servicing\fr-FR
C:\Windows\assembly\GAC_MSIL\smdiagnostics.resources
C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_de_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll
C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949
C:\Windows\Help\Windows\en-US\iisbasic.h1s
C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.Configuration.Install.Resources.dll
C:\Windows\PLA\Rules\de-DE\Rules.System.NetTrace.xml
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security
C:\Windows\Fonts\gautami.ttf
C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74
C:\Windows\inf\hcw85b64.PNF
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cscomp.dll
C:\Windows\PolicyDefinitions\Setup.admx
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Threading.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate10.ico
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll
C:\Windows\ja-JP\notepad.exe.mui
C:\Windows\PolicyDefinitions\DigitalLocker.admx
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\c285072157ebf5c07677e9d813ba45d4\Microsoft.ApplicationId.RuleWizard.ni.dll
C:\Windows\BitLockerDiscoveryVolumeContents\bg-BG_BitLockerToGo.exe.mui
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_it_b77a5c561934e089
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
2364 | be98ac6412a72807cd8720c197c12b3b.exe
1716 | AE 0124 BE.exe
2644 | winlogon.exe
2592 | winlogon.exe
2336 | winlogon.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 1716 | 2364 | be98ac6412a72807cd8720c197c12b3b.exe | 28 (4 identical rows)
PID 1716 wrote to memory of 2644 | 1716 | AE 0124 BE.exe | 30 (4 identical rows)
PID 2364 wrote to memory of 2592 | 2364 | be98ac6412a72807cd8720c197c12b3b.exe | 29 (4 identical rows)
PID 2644 wrote to memory of 2336 | 2644 | winlogon.exe | 31 (4 identical rows)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\be98ac6412a72807cd8720c197c12b3b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be98ac6412a72807cd8720c197c12b3b.exe"
  PID: 2364
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\AE 0124 BE.exe
    Command line: "C:\Windows\AE 0124 BE.exe"
    PID: 1716
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 2644
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops autorun.inf file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 2336
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
  Level 2: C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 2592
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

Note that the winlogon.exe command lines name C:\Windows\System32\drivers while the image path is C:\Windows\SysWOW64\drivers: the sample is a 32-bit process on a 64-bit guest, so WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. A hunt on a 64-bit host must therefore look in SysWOW64\drivers, not System32\drivers; on a 32-bit host the same sample would land in System32\drivers.
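The "Suspicious use of WriteProcessMemory" rows and the process tree above describe the same chain from two angles. The script below is an added example by the editor, not sandbox output: it parses the flattened WriteProcessMemory and "Executes dropped EXE" rows (copied from this report; each WriteProcessMemory row appears four times there) into a parent/child tree, confirms that every write target is one of the freshly spawned dropped EXEs, and renders the tree in the same shape as the Processes section. The column order assumed (description, pid, Process, procid_target) and the assumption that every process name ends in ".exe" are the editor's, taken from how this page lays the rows out.

```python
"""Rebuild the process chain from this report's flattened signature rows.

Added example; WPM_ROWS and DROPPED_EXE_ROWS are the report's own rows,
the parsing assumptions are the editor's.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Each row is listed four times in the report, hence the "* 4".
WPM_ROWS = (
    "PID 2364 wrote to memory of 1716 2364 be98ac6412a72807cd8720c197c12b3b.exe 28 " * 4
    + "PID 1716 wrote to memory of 2644 1716 AE 0124 BE.exe 30 " * 4
    + "PID 2364 wrote to memory of 2592 2364 be98ac6412a72807cd8720c197c12b3b.exe 29 " * 4
    + "PID 2644 wrote to memory of 2336 2644 winlogon.exe 31 " * 4
)
DROPPED_EXE_ROWS = "1716 AE 0124 BE.exe 2644 winlogon.exe 2592 winlogon.exe 2336 winlogon.exe"

# description | pid | Process | procid_target; process names may contain spaces
# ("AE 0124 BE.exe"), so the name is delimited by its ".exe" suffix.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (.+?\.exe) (\d+)")


class WpmRow(NamedTuple):
    src: int
    dst: int
    src_name: str
    target_seq: int   # the report's procid_target column


def parse_wpm_rows(text: str) -> list[WpmRow]:
    rows = []
    for desc_src, dst, src, name, seq in WPM_RE.findall(text):
        if desc_src != src:   # description and pid column must agree
            raise ValueError(f"description pid {desc_src} disagrees with pid column {src}")
        rows.append(WpmRow(int(src), int(dst), name, int(seq)))
    return rows


def parse_dropped_exe_rows(text: str) -> dict[int, str]:
    return {int(pid): name for pid, name in re.findall(r"(\d+) (.+?\.exe)", text)}


def build_tree(rows: list[WpmRow]) -> dict[int, list[int]]:
    """parent pid -> child pids in first-seen order, one entry per child."""
    tree = defaultdict(list)
    for r in rows:
        if r.dst not in tree[r.src]:
            tree[r.src].append(r.dst)
    return dict(tree)


def root_pids(tree: dict[int, list[int]]) -> list[int]:
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def depth(tree: dict[int, list[int]], pid: int) -> int:
    parent_of = {c: p for p, kids in tree.items() for c in kids}
    d = 0
    while pid in parent_of:
        pid = parent_of[pid]
        d += 1
    return d


def classify_writes(rows: list[WpmRow], dropped: dict[int, str]) -> dict:
    """Per (writer, target): number of writes and whether the target is a
    process the sandbox lists as a newly executed dropped EXE.

    Reading caveat: a short burst of writes into a pid that then appears as the
    writer's own child is what ordinary process creation looks like in these
    reports (the parent sets the child up before its first thread runs). Writes
    into a pid that is NOT a freshly spawned child would be the case worth
    escalating, since that points at injection into an existing process."""
    counts = Counter((r.src, r.dst) for r in rows)
    return {pair: {"writes": n, "target_is_spawned_child": pair[1] in dropped}
            for pair, n in counts.items()}


def render(tree, names, pid, indent=0) -> list[str]:
    lines = [f"{'  ' * indent}{pid} {names.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, indent + 1))
    return lines


def analyse(wpm_text: str = WPM_ROWS, dropped_text: str = DROPPED_EXE_ROWS) -> dict:
    rows = parse_wpm_rows(wpm_text)
    dropped = parse_dropped_exe_rows(dropped_text)
    tree = build_tree(rows)
    names = {r.src: r.src_name for r in rows}
    names.update(dropped)
    roots = root_pids(tree)
    return {
        "tree": tree,
        "roots": roots,
        "writes": classify_writes(rows, dropped),
        "rendered": [line for root in roots for line in render(tree, names, root)],
    }


if __name__ == "__main__":
    print("\n".join(analyse()["rendered"]))
```

For this sample every write target is a child that the report itself lists under "Executes dropped EXE", so the signature is evidence of the spawn chain rather than of injection into a pre-existing process.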
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 130KB
   MD5: be98ac6412a72807cd8720c197c12b3b
   SHA1: 2dfb4254593f93f0b1212eb445d1394929ff3e8f
   SHA256: a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695
   SHA512: 689b2ce963f43cdeb7d11952cafefa610edd66c275800abc5b1aa8845ee94042ca257f797bf244085e4bd821521271d86094f852bda53f9606cb710ff8fee833
2. Filesize: 1.3MB
   MD5: 5343a19c618bc515ceb1695586c6c137
   SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
   SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
   SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
3. Filesize: 21B
   MD5: 9cceaa243c5d161e1ce41c7dad1903dd
   SHA1: e3da72675df53fffa781d4377d1d62116eafb35b
   SHA256: 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
   SHA512: af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
4. Filesize: 130KB
   MD5: 9694b9967f06f05125e6b254498be684
   SHA1: 020db87d38703703026ed978e147d1f6718c31ac
   SHA256: 273dbb6fbf2012f34b75040527b2a205dd063acddc5e302feaf809f6b0760b59
   SHA512: 59d80a55e55bda476292cdf55048b65b07df0595a52720e266636bced4c4a5d7b9b5dbc18d8a938cc96a1e5dd3c74fd1adea769d78298e3f0cbe7c9edcc5455a