Analysis
max time kernel: 149s
max time network: 133s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 05:54
Behavioral task: behavioral1
Sample: dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
Resource: win10v2004-20240709-en
General
Target: dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
Size: 24KB
MD5: 5514470f8edb4733f119fbb6d441e002
SHA1: 406eb68234149df1aac1c9d611f3bf14231f0e5f
SHA256: dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0
SHA512: 84df5103f760a317d8c5de0527e65cab673fcae9ec1f03977ab1f772895fb761c54e9b04c07d82c3a9011fc3867ba975a1bf7f3cef17c72ae9eab615e4e6cb65
SSDEEP: 384:CxL+q5r+PpHfXhUkKvI4QwjQ/vFJhheJ06oZrj/vBKDJZ4:ua4r+PpHfXGLOnNh8noR+K
Malware Config
Signatures

Drops file in Drivers directory 60 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description                   ioc                                                          Process
File opened for modification  C:\Windows\SysWOW64\wintrust.dll                             AE 0124 BE.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll      AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid   Process
2832  winlogon.exe
2736  AE 0124 BE.exe
1324  winlogon.exe
2704  winlogon.exe
Loads dropped DLL 7 IoCs
pid   Process
1736  dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
1736  dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
2736  AE 0124 BE.exe
2736  AE 0124 BE.exe
2832  winlogon.exe
2832  winlogon.exe
2704  winlogon.exe
resource                                                                        yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x000000000040B000-memory.dmp      upx
behavioral1/files/0x0008000000015d87-15.dat                                     upx
behavioral1/memory/2832-36-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1736-60-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1324-62-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/2704-77-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/files/0x000a00000001202b-79.dat                                     upx
behavioral1/memory/2736-780-0x0000000000400000-0x000000000040B000-memory.dmp    upx
behavioral1/memory/2736-1228-0x0000000000400000-0x000000000040B000-memory.dmp   upx
Drops desktop.ini file(s) 64 IoCs
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
C:\Windows\winsxs\Manifests\x86_microsoft-windows-sort.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_14507056e60fab76.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_keyboard.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a69201486362cf4\kbdclass.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f06929b8f34f0467.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\BRDP163C.GPD AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..ptdebugui.resources_31bf3856ad364e35_8.0.7600.16385_en-us_6898f2212af83226 AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2148 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
2148 iexplore.exe
2148 iexplore.exe
812 IEXPLORE.EXE
812 IEXPLORE.EXE
2832 winlogon.exe
2736 AE 0124 BE.exe
1324 winlogon.exe
2704 winlogon.exe
812 IEXPLORE.EXE
812 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1736 wrote to memory of 2148 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 30
PID 1736 wrote to memory of 2148 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 30
PID 1736 wrote to memory of 2148 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 30
PID 1736 wrote to memory of 2148 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 30
PID 2148 wrote to memory of 812 2148 iexplore.exe 31
PID 2148 wrote to memory of 812 2148 iexplore.exe 31
PID 2148 wrote to memory of 812 2148 iexplore.exe 31
PID 2148 wrote to memory of 812 2148 iexplore.exe 31
PID 1736 wrote to memory of 2832 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 32
PID 1736 wrote to memory of 2832 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 32
PID 1736 wrote to memory of 2832 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 32
PID 1736 wrote to memory of 2832 1736 dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe 32
PID 2832 wrote to memory of 2736 2832 winlogon.exe 33
PID 2832 wrote to memory of 2736 2832 winlogon.exe 33
PID 2832 wrote to memory of 2736 2832 winlogon.exe 33
PID 2832 wrote to memory of 2736 2832 winlogon.exe 33
PID 2736 wrote to memory of 1324 2736 AE 0124 BE.exe 34
PID 2736 wrote to memory of 1324 2736 AE 0124 BE.exe 34
PID 2736 wrote to memory of 1324 2736 AE 0124 BE.exe 34
PID 2736 wrote to memory of 1324 2736 AE 0124 BE.exe 34
PID 2832 wrote to memory of 2704 2832 winlogon.exe 35
PID 2832 wrote to memory of 2704 2832 winlogon.exe 35
PID 2832 wrote to memory of 2704 2832 winlogon.exe 35
PID 2832 wrote to memory of 2704 2832 winlogon.exe 35
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe "C:\Users\Admin\AppData\Local\Temp\dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe"
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736 -
(level 2) C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148 -
(level 3) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:812
-
(level 2) C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832 -
(level 3) C:\Windows\AE 0124 BE.exe "C:\Windows\AE 0124 BE.exe"
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736 -
(level 4) C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1324
-
(level 3) C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2704
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-