Analysis
max time kernel: 120s
max time network: 67s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 07:59

Static task: static1
Behavioral task: behavioral1
  Sample: 62875a29851dbe7d5ab2b387aa80d1c0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 62875a29851dbe7d5ab2b387aa80d1c0N.exe
  Resource: win10v2004-20240802-en

General
Target: 62875a29851dbe7d5ab2b387aa80d1c0N.exe
Size: 66KB
MD5: 62875a29851dbe7d5ab2b387aa80d1c0
SHA1: b020ccc5250fa0489def13370b247e9b36596e2e
SHA256: 7abf75f85edd8e5ddf31d7f3298dab91f323b979d9e1cdd868fed7e17fc05f1c
SHA512: 4874d926fd9ba69aadeb3e1aef34155d182c412b18de9ac9393de4c51d6cc296f5bae447948800bd9c525e14dec749891b39e86446405ffa6d89742d666e290d
SSDEEP: 1536:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJkC5:sr+Fu2II+HiXMcI/AKJF5

Malware Config

Signatures
Drops file in Drivers directory 60 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2796 | winlogon.exe
2684 | AE 0124 BE.exe
2576 | winlogon.exe
2000 | winlogon.exe
Loads dropped DLL 8 IoCs
pid | Process
540 | 62875a29851dbe7d5ab2b387aa80d1c0N.exe
540 | 62875a29851dbe7d5ab2b387aa80d1c0N.exe
2796 | winlogon.exe
2796 | winlogon.exe
2576 | winlogon.exe
2684 | AE 0124 BE.exe
2684 | AE 0124 BE.exe
2000 | winlogon.exe
Drops desktop.ini file(s) 64 IoCs
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62875a29851dbe7d5ab2b387aa80d1c0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AE 0124 BE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bda5e4fb00db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{100F4351-6CEF-11EF-A045-62CAC36041A9} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value 
(int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431857816" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet 
Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000008fd9bce697f0d2e50452f0d5ce2f7c23a4ce223446005e5e4ede58fc70188cc6000000000e80000000020000200000007e90ce0c49e1da59e108de19b897edb6e214e0bda071d77bc79bf5569e99766e20000000f352d118b8e75ab132a5a98a838a69dded5242e25cfa3ebef10a72355f17d0fd400000001ee4b8747fdef8f0aa2048965ea2e5e6e8770395753bce0a8e952e835c9ccb3e8cd032dc836c8f3b0a324a1eccc33d0db28da01ebb2c4c9e475256d30e5321f6 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2224 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 2224 iexplore.exe 2224 iexplore.exe 1668 IEXPLORE.EXE 1668 IEXPLORE.EXE 2796 winlogon.exe 2684 AE 0124 BE.exe 2576 winlogon.exe 2000 winlogon.exe 1668 IEXPLORE.EXE 1668 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 540 wrote to memory of 2224 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 31 PID 540 wrote to memory of 2224 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 31 PID 540 wrote to memory of 2224 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 31 PID 540 wrote to memory of 2224 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 31 PID 2224 wrote to memory of 1668 2224 iexplore.exe 32 PID 2224 wrote to memory of 1668 2224 iexplore.exe 32 PID 2224 wrote to memory of 1668 2224 iexplore.exe 32 PID 2224 wrote to memory of 1668 2224 iexplore.exe 32 PID 540 wrote to memory of 2796 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 33 PID 540 wrote to memory of 2796 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 33 PID 540 wrote to memory of 2796 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 33 PID 540 wrote to memory of 2796 540 62875a29851dbe7d5ab2b387aa80d1c0N.exe 33 PID 2796 wrote to memory of 2684 2796 winlogon.exe 34 PID 2796 wrote to memory of 2684 2796 winlogon.exe 34 PID 2796 wrote to memory of 2684 2796 winlogon.exe 34 PID 2796 wrote to memory of 2684 2796 winlogon.exe 34 PID 2796 wrote to memory of 2576 2796 winlogon.exe 35 PID 2796 wrote to memory of 2576 2796 winlogon.exe 35 PID 2796 wrote to memory of 2576 2796 winlogon.exe 35 PID 2796 wrote to memory of 2576 2796 winlogon.exe 35 PID 2684 wrote to memory of 2000 2684 AE 0124 BE.exe 36 PID 2684 wrote to memory of 2000 2684 AE 0124 BE.exe 36 PID 2684 wrote to memory of 2000 2684 AE 0124 BE.exe 36 PID 2684 wrote to memory of 2000 2684 AE 0124 BE.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\62875a29851dbe7d5ab2b387aa80d1c0N.exe"C:\Users\Admin\AppData\Local\Temp\62875a29851dbe7d5ab2b387aa80d1c0N.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1668
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\AE 0124 BE.exe"C:\Windows\AE 0124 BE.exe"3⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2000
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2576
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53b522d6b1bac2eaa9a3acfaa9e0d8578
SHA1a0e77e6e439c096dc9651e3a2d562bfc38bfa688
SHA256992d284ca55ef9d6f84c064f113982f6ca6c2b21f1a172d73fa3b23fc4cced9a
SHA5121c2a5fd70a60739359488a6c2706b1fbeb052934160630f982dbce467ea2e34d8e325c425a2e79d9ad082f60b4439b50c9febc40406fb4cf360665944ba92d8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5600bcad48b844ec2aa6bc49a5c55f5c7
SHA1ce427fc4307cd53bf0c19278a05ccd00c4e48112
SHA2569d18536ce51fea96f8dbe55dab379fe75ec64c4307602ab85117deaba455fdc1
SHA5128706e7df7e02eb4d56ca69af9be610a0f94a41cac9d94ed1b3d0511cdd8c58ee6cdd930ca75b81bac382d0588e26b9a2e55ee6683858b53d1a8da0957a39c825
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c31bd620b67322d60b6d79dad7eaba19
SHA10bad30a84fbf748b81ee68371a94f4c4b38b5bf9
SHA256c19dd358dd33d42499e1e47c321a47994e2f93c39e67c62d1ce6439759de8a34
SHA51242f7f4ab796d24d679051218f7515e99f32dc4d944947b44984e9477549a788f4fcb7af752e930d056cf68e94eb15fdcfea3ab97e8b759504c7ea5fcfb029082
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51c19cd2d1426667cc384c048651b20c0
SHA1e9762b97b1d9f9991f261fa6db5dcadfb9108c85
SHA256f3a5f7991079301567c639e17e02b672ec006b1677969a2efaab9da46f1a9e1e
SHA51285d10225be08c46da5574a4fe9a96843c04e167199fd9202c5cfbddbd9be136cf620c148232bad248a5c19fd4dbe6b21b1a0eaf2f1788214d388638c9bfc2428
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5958c1222c549a89904b9cb139d51e0bf
SHA1e04085737615459bad368fdd1e63a14baca79a6d
SHA2566439f9f6f191281ae172a902b00c2366324ccd28e4463558e2d2d39abc19ce40
SHA51298545d05ed68a7310e19bf5f888f33cd9c6eab1f3c42cf038e16ade6e42d32cf156f3f904372e139d186af152df8daf25d193baedba43cbe74e795f6b73667e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b1b484c43af28d8308ae259c5c1b1c5f
SHA1744da1acd12c36d8810cfa79bde7e1ed3f373a68
SHA25693231d3d38f0ae1239f870e07533f7f04bb61afd57704b2fdbc8d137bcfd0c4e
SHA512fc7ebe0c8adad0ee57050ec1c87f33b86ac431ff7228daf91b9334f073834bc3d44aeb39c34faf78c0debfb5319ca87e8bd4fe44322bd099f335fb3325f3cf38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD504bacfe7048bb99441488f08b710e1c7
SHA19528765b5b577e52912a89fa9636868782813cb3
SHA2560c1c79cb9c99eb2c64a295967462ea34f045bacde45f12c4d0b662e1900c5a6c
SHA512d43873eda457c14b019a1165ab829dcaeeb92a25d733dc88b584758b424fc08841608732a648b9e9025be9c1af04fc44cee87c689b34146e0996f6c52dc0f2e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD599a19e5753813b454cc52459bff78911
SHA1ffa3a010a0341748404120e650207eb150422886
SHA256bb3c2f2f2adf3ca78282c3b10a514245e3ea73b525b38bf599ff6afc71df252d
SHA5125de3b9224b5ff9c07fbee7afdbd9af2f808acc5e89836b4958bce97d2f440c1cd6db176f27a9700d1efe8e979a8a762e954af7f0e1f824c7b049a7f7bf3a5667
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52f9b600667654eea0ef39ff149c49a7f
SHA1a94d506db0c5d704179fee05b2a61e45607bbd26
SHA256bb0f039382d2dfb76c632d1b4dd71db65dfca2c5cfeb58c0dfc29bf25f9d710b
SHA512b8f0aec7106484c27bca98fe99ac54cfe6d92eb1ad41fcfcc26c68aca8105635e68ede88e55865310483dcbfb76c1081ea5b9413e10b8ff94ca2348441c94338
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bc5f771876742bf6cbbfae68e7f4591a
SHA197a61caed0f899425534689caedf2f9e40182c6e
SHA256a764fd2b1da33c6c8f1146b937800995cd405981a268de99b3259307a6694473
SHA5123b2bab591b48477124278a423c5897dc7fed3d633f20d8b194f3f0fdcdb6e2aa0bf9fae3c183de94c76d9f90cba77f8453d79910c719d66608a7dc1ba622d8fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD564254fb852df988fa9e95b0bf2968a5b
SHA1b0181ac35bee88275cd5e5c0ed836d41240a6824
SHA2560f9e40be761a5c0ea666103097a3d7bd1c6ecda76e96ac704cfc8682a3853a87
SHA5121e8a70fa4ad7c73d768305a618ae839f04e3726aad0f07b96573041644b98ce1fa46151374ea88729a179ce1c3fc539c576f4ee0c0a28f86d417bc9a7d6fbac2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53666618fbb964eee6e11468bc32ec045
SHA13984961cb047cb6027cb4bed72b2beaecb8e4124
SHA25695ede407738f1f4e94496565e4cd53d4892e00f2cc1b6c1efe5b01cef6c47834
SHA512fe63519ec2285c5faa567e13a1b24ef74c04f0734e5dab2551f50013bc127a9dd42cdbd8d36d080ed814d0ba69b9e0e11a5f8c700953f439c82bd8a9f5cd14e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d17517fbb8b4e6f7628fcf55fc711946
SHA1a27bd9a32f49a014bea0e4456d293658123530ed
SHA256552ee6e1a4c4ee54f1625cc872e873a49b0d0da5de277f47c0b7de8cf4a6c3b5
SHA512c0c0b9fed8eec08d47f261a1698e8c7db2465da28468e3e8ecf92efb0de721d15fb53d0592f800c13968aa4f354b9a6d5d3ee1b24ecfdf7cd8298967af5589f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5815a12effdb9d52502877edc8f78ac90
SHA13bfc17e0a97c24f19d5d4a3405a1323f8d63f997
SHA256cbfe297e41489a1a973af4ea26c04cbad2baf797406b72a941869fad0b1a18a1
SHA5129f430c03bf4b75c884731fd53e0bd3cadae4f7876a8d286e86332ba24360612356a6d6e8072adab1ce960b112f887217e3956cd35e8d73709944bf4bd6761dbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c09bcdbb8663df410f4717a311c91c0d
SHA109de1dff7b0e160240d5b2226bcd9e3b0774e91d
SHA2565ff74bb7135d5906146946e121a02a6152ff28a8eab9573c0ce5e13c07ba4b49
SHA5124173933b11c5e2392f572d00c7aa959fdd90ace3b7548acacd101c6e4c3e5d513d6b0541d571a78eae239bc1ced743669ad258f13b3bc71312b9e7d0d4f24ff0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD552d2d89f061d2da2850797b2f9828b39
SHA1dee98cc8c0542458ed7b774af59a84b8d391613c
SHA2568cdbea4705548449c4148f37c45ad10b736a90ed61f6e91536d82c0025aa5083
SHA512e53ee84265a50670f3da93cb746d7fd43f67c4b360bd42b49b4071b1f9c23fa5a52a0002b67055132b08fdbd2bece0c2e0e0a1eba286caf2d7a8972466108e6c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD528792c94ffeaab1d3b80c8e5e73cd1e4
SHA1441a8abc27fa3326c5e222f5ac037f7b9cf1912e
SHA256bc71ac7bb6eea7a01e590fbd3f07ef717f30b3db69dda90e4af8a37f49b7b203
SHA5121c975773c591ff9a6c7ca1b2567cd9f4291055faf750064a0f6100557874481135b58f3c5e40cdf7d0386aed6f896534defc65b9c4a34d10c9fa6d43e17a4c81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5301aee5f1d27c1d3bdf768c2e00c8a5b
SHA1411fbdbfe7415a9f63ccbc89c03c83fb31df8447
SHA25613c6a42f13013fafa9d60a6807945fcd63cf5fe946f7a0adde489f0016706d84
SHA5124a0cf745382464f37aa706325f7553afd87e8325843621838df924a0398ddd7bdec156cf8696997c1e81ca2a2028b61ac1fbe9976d6460ebe911e302b35893ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c95521d20df14a9303274c2e9a6960ed
SHA194c5ab35915b52d355d7070e2005662ba5075e3a
SHA256d63f29cb050b733ed681feb7cc1840808f5189a436f4f6a85110a2f158c6cd71
SHA5127a2d9789de1f029bac89dd828541782aa766a5b9ca9b34ae51b0910b332c2faadcb7ee01d6d2d4fa6d4fcb5cb40d0fbb4b2fdb01e3a6264290da9b1f0d2f8080
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
66KB
MD5ad2188b9f362f756a8dad27d6c1c72e9
SHA1c9907382ad5f50a8c1e3b6105ffde092425e06fe
SHA256104ff040f63a77690a2eb6ea7e3f2afa6a001139021a5aee68a929a9ead286d6
SHA5127aefb8af478e4f1d37ab6d9acaac8801be5a1e9d34c7cda32f73d25f89c0b1201f3832a208bc8b70df763d5602658e79ae2247f64efdb7251c06bc221f30cd3c
-
Filesize
131KB
MD5431f4a0b4060e6b184f957f56c4b9d98
SHA1c75a99de26d3ac46b9feac9f7203ba02dca04dd0
SHA256759a0c5c17e4c1317a882b56be46eedcb0a873e36bda6ca0aebd369dd5cbf526
SHA51296fdcef415efeb9ce31d20aa2c6f01d04b21569914d2729c78146972bace5b1e00d03513e681a77ed9333fb79605d97ce002d4bd84cde5cca51675d22ad11438
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
21B
MD59cceaa243c5d161e1ce41c7dad1903dd
SHA1e3da72675df53fffa781d4377d1d62116eafb35b
SHA256814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
-
Filesize
130KB
MD5acd62030071ff249fe404dc1dea4052e
SHA14f50a7b24ed43dffd98f4ad9351b6eaed928d5a6
SHA25688308927b19d9c9d6e642c4785962190c71ecaddf2616ae0027924f1ac99afee
SHA512b19add5e9b436868b7cfecf9369996a21829a1dc50971dced969702331466fd1577f88c3bbb9b2184371ed5b24328d25f80b585ea5185289760e1ec553a4bd2d