01cf121efbb7ffd5b0a1519a7399a17bd30ebff6783dbb3511cc5bd83329cacb

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

details.txt .exe
Size

28KB
MD5

3018e99857f31a59e0777396ae634a8f
SHA1

7031cfe76ee7b2c925f2c00372fb9ef7f983f60c
SHA256

c8fffb2e737514c551b2d7bcaf8baa459564b059cab1a35a3cec4b3c270d4525
SHA512

4604c98f765be26d4a0a33f54cc777810cae7fab5153ee637b4fc8057492fd40de6fdf9d88dc4f7f34f45dd174bae54a2b39e0f0e5f1f5997820b9bccf47686a
SSDEEP

768:vWkliAnUQYkYKzqbjC5RqHjrYReyZx+l0oKriCPRDL:+ySsz6jGeyZx+l0TR

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000233f5-3.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
3972	details.txt .exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "C:\\Windows\\FVProtect.exe"	details.txt .exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	details.txt .exe
File opened (read-only)	\??\k:	details.txt .exe
File opened (read-only)	\??\n:	details.txt .exe
File opened (read-only)	\??\t:	details.txt .exe
File opened (read-only)	\??\v:	details.txt .exe
File opened (read-only)	\??\p:	details.txt .exe
File opened (read-only)	\??\r:	details.txt .exe
File opened (read-only)	\??\w:	details.txt .exe
File opened (read-only)	\??\u:	details.txt .exe
File opened (read-only)	\??\y:	details.txt .exe
File opened (read-only)	\??\g:	details.txt .exe
File opened (read-only)	\??\h:	details.txt .exe
File opened (read-only)	\??\j:	details.txt .exe
File opened (read-only)	\??\l:	details.txt .exe
File opened (read-only)	\??\q:	details.txt .exe
File opened (read-only)	\??\s:	details.txt .exe
File opened (read-only)	\??\z:	details.txt .exe
File opened (read-only)	\??\i:	details.txt .exe
File opened (read-only)	\??\m:	details.txt .exe
File opened (read-only)	\??\o:	details.txt .exe
File opened (read-only)	\??\x:	details.txt .exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney Spears and Eminem porn.jpg.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Eminem Sexy archive.doc.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\3D Studio Max 6 3dsmax.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\The Sims 4 beta.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\ACDSee 10.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Visual Studio Net Crack all.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Partitionsmagic 10 beta.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\MS Service Pack 6.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Cloning.doc.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\MS Service Pack 6.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney Spears porn.jpg.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\XXX hardcore pics.jpg.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Norton Antivirus 2005 beta.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Star Office 9.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Magix Video Deluxe 5 beta.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Eminem Song text archive.doc.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\netsky source code.scr	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Visual Studio Net Crack all.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Arnold Schwarzenegger.jpg.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Full album all.mp3.pif	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Saddam Hussein.jpg.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Win Longhorn re.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Magix Video Deluxe 5 beta.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Internet Explorer 9 setup.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Harry Potter.doc.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Gimp 1.8 Full with Key.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\How to hack new.doc.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\WinXP eBook newest.doc.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Adobe Photoshop 10 full.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Internet Explorer 9 setup.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Harry Potter 5.mpg.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Best Matrix Screensaver new.scr	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Windows 2000 Sourcecode.doc.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Eminem sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Microsoft WinXP Crack full.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Doom 3 release 2.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\3D Studio Max 6 3dsmax.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney Spears porn.jpg.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Ringtones.mp3.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Ahead Nero 8.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Windows XP crack.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Altkins Diet.doc.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\1001 Sex and more.rtf.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney Spears Song text archive.doc.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Eminem.mp3.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Harry Potter game.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney Spears.mp3.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Arnold Schwarzenegger.jpg.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\RFC compilation.doc.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Best Matrix Screensaver new.scr	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\RFC compilation.doc.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Teen Porn 15.jpg.pif	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Adobe Premiere 10.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Adobe Photoshop 10 full.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\E-Book Archive2.rtf.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Cracks & Warez Archiv.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Eminem Spears porn.jpg.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Kazaa new.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Dictionary English 2004 - France.doc.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Harry Potter 1-6 book.txt.exe	details.txt .exe
File created	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Britney Spears.mp3.exe	details.txt .exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\webdownloadmanager\Porno Screensaver britney.scr	details.txt .exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\Ahead Nero 8.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\Britney Spears Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\microsoft.analysisservices.spclient.interfaces\13.0.0.0__89845dcd8080cc91\Adobe Photoshop 10 crack.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\Eminem Song text archive.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\Teen Porn 15.jpg.pif	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\{f3c4fe00-efd5-403b-9569-398a20f1ba4a}\Britney Spears cumshot.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Ringtones.doc.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\{f3c4fe00-efd5-403b-9569-398a20f1ba4a}\1.3.195.15\Harry Potter.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\microsoft.analysisservices.spclient.interfaces\13.0.0.0__89845dcd8080cc91\Britney sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\WinAmp 13 full.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Best Matrix Screensaver new.scr	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\Internet Explorer 9 setup.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\Win Longhorn re.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\American Idol.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ACDSee 10.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Windows 2000 Sourcecode.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Microsoft Office 2003 Crack best.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\{f3c4fe00-efd5-403b-9569-398a20f1ba4a}\Ringtones.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\Eminem.mp3.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\Harry Potter e book.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\netsky source code.scr	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\Gimp 1.8 Full with Key.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Britney Spears blowjob.jpg.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\How to hack new.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\Ringtones.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Britney Spears Song text archive.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\Harry Potter e book.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\How to hack new.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Lightwave 9 Update.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\The Sims 4 beta.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\Ringtones.mp3.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\The Sims 4 beta.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\{f3c4fe00-efd5-403b-9569-398a20f1ba4a}\1.3.195.15\Harry Potter all e.book.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\Ulead Keygen 2004.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\Microsoft WinXP Crack full.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\Dark Angels new.pif	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\Britney Spears Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\Britney Spears porn.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Learn Programming 2004.doc.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\123.0.6312.123\Altkins Diet.doc.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\Serials edition.txt.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\Keygen 4 all new.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\123.0.6312.123\E-Book Archive2.rtf.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\{f3c4fe00-efd5-403b-9569-398a20f1ba4a}\1.3.195.15\Adobe Premiere 10.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\Win Longhorn re.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\RFC compilation.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Opera 11.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\Lightwave 9 Update.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Britney Spears full album.mp3.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Britney Spears fuck.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\WinXP eBook newest.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Britney Spears.mp3.exe	details.txt .exe
File created	\??\c:\program files (x86)\microsoft\edgeupdate_bk\download\{f3c4fe00-efd5-403b-9569-398a20f1ba4a}\MS Service Pack 6.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\windows\assembly\gac_msil\microsoft.analysisservices.spclient.interfaces\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\root\vfs\Britney Spears porn.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Cloning.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\E-Book Archive2.rtf.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\Cracks & Warez Archiv.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Eminem blowjob.jpg.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\0855871b-a2c6-4f79-ba33-4be43a9b6a02\Cloning.doc.exe	details.txt .exe
File created	\??\c:\program files\microsoft office\updates\download\packagefiles\Ahead Nero 8.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Porno Screensaver britney.scr	details.txt .exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.964_none_5be37f6307bc73fb\f\Britney Spears fuck.jpg.exe	details.txt .exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\Harry Potter game.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-web-http_31bf3856ad364e35_10.0.19041.746_none_d856fa240ef8de72\r\Opera 11.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.web.ftpserver-nonmsil_31bf3856ad364e35_10.0.19041.1_none_b8ca67b1d5afab42\Star Office 9.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-msieftp_31bf3856ad364e35_10.0.19041.1_none_d69a7c46219fe06a\XXX hardcore pics.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-i..httploggingbinaries_31bf3856ad364e35_10.0.19041.1_none_320aa056d3dbe6a7\Saddam Hussein.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_system.net.http.webrequest.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_3836d7ee464fc17d\Eminem blowjob.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-msieftp_31bf3856ad364e35_10.0.19041.1_none_d69a7c46219fe06a\Gimp 1.8 Full with Key.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.964_none_5be37f6307bc73fb\Gimp 1.8 Full with Key.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-httpproxyhelper_31bf3856ad364e35_10.0.19041.746_none_eac0e620e65e67d3\How to hack new.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft.windows.winhttpcom_31bf3856ad364e35_5.1.19041.1151_none_90fbce7e9cbb300b\Porno Screensaver britney.scr	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http_31bf3856ad364e35_10.0.19041.1288_none_2188a2d2ce0aa931\f\Adobe Photoshop 10 crack.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-msieftp_31bf3856ad364e35_10.0.19041.1_none_cc45d1f3ed3f1e6f\Harry Potter.doc.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\3D Studio Max 6 3dsmax.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-iis-httpcachebinaries_31bf3856ad364e35_10.0.19041.1_none_511649a6932fde88\Adobe Premiere 10.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-web-http_31bf3856ad364e35_10.0.19041.746_none_d856fa240ef8de72\ACDSee 10.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_10.0.19041.1_es-es_3d78152e3cf4dd6f\Adobe Premiere 10.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Harry Potter.doc.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.webrequest.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\Best Matrix Screensaver new.scr	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.1151_none_d57e154a0a8460d3\Britney sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\windows\downloaded program files\Kazaa new.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_system.net.http.resources_b03f5f7f11d50a3a_4.0.15805.0_de-de_e72c8ccd343bd3b1\Adobe Premiere 10.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http.resources_31bf3856ad364e35_10.0.19041.1_it-it_55912f733fce0ab3\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.1_none_299e346813d7f434\Win Longhorn re.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cf046d40ef67a236\WinAmp 13 full.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ftp.resources_31bf3856ad364e35_10.0.19041.1_it-it_54ba9abb0972d973\Cloning.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http-api_31bf3856ad364e35_10.0.19041.1110_none_6a7867af5278fb92\f\Kazaa Lite 4.0 new.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-httpproxyhelper_31bf3856ad364e35_10.0.19041.746_none_eac0e620e65e67d3\Dictionary English 2004 - France.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-ftp_31bf3856ad364e35_10.0.19041.1_none_6d3115c62c48462c\Windows 2003 crack.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-web-http_31bf3856ad364e35_10.0.19041.746_none_e2aba4764359a06d\f\Doom 3 release 2.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft.windows.winhttpcom_31bf3856ad364e35_5.1.19041.1_none_2fd8a12a70432370\Britney Spears cumshot.jpg.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Windows XP crack.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-http-api_31bf3856ad364e35_10.0.19041.1110_none_74cd120186d9bd8d\Doom 3 release 2.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-rpc-http_31bf3856ad364e35_10.0.19041.1_none_603ea4c613123224\Norton Antivirus 2005 beta.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.1151_none_d57e154a0a8460d3\Ringtones.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_system.net.http.resources_b03f5f7f11d50a3a_4.0.15805.0_de-de_e72c8ccd343bd3b1\WinAmp 13 full.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_fr-fr_0867a4a1a6cb0176\Britney Spears Song text archive.doc.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.resources\Learn Programming 2004.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-i..httploggingbinaries_31bf3856ad364e35_10.0.19041.1_none_320aa056d3dbe6a7\Eminem Spears porn.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft.windows.winhttpcom_31bf3856ad364e35_5.1.19041.1151_none_90fbce7e9cbb300b\f\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\981b8642758ae60742542a145db9e64b\Eminem Spears porn.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_system.net.http.resources_b03f5f7f11d50a3a_4.0.15805.0_fr-fr_4182af4770794345\Gimp 1.8 Full with Key.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-i..httploggingbinaries_31bf3856ad364e35_10.0.19041.1_none_3c5f4aa9083ca8a2\Britney Spears.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.264_none_7f6ca9c048dc8aa4\r\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.264_none_7517ff6e147bc8a9\f\E-Book Archive2.rtf.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-http-api_31bf3856ad364e35_10.0.19041.1_none_b5f1f4d5710a2249\Ringtones.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-i..httploggingbinaries_31bf3856ad364e35_10.0.19041.1_none_3c5f4aa9083ca8a2\Matrix.mpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_8390c4650d908e6a\ACDSee 10.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.1_none_33f2deba4838b62f\Eminem blowjob.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_10.0.19041.1_en-us_3dacb84a3ccdebca\Lightwave 9 Update.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-i..httptracingbinaries_31bf3856ad364e35_10.0.19041.1_none_e577f60cba4f4132\Adobe Photoshop 10 full.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp.resources_31bf3856ad364e35_10.0.19041.1_es-es_152faf25d711a2c8\Internet Explorer 9 setup.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.964_none_518ed510d35bb200\r\Visual Studio Net Crack all.exe	details.txt .exe
File created	\??\c:\windows\serviceprofiles\localservice\downloads\Magix Video Deluxe 5 beta.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_system.net.http.resources_b03f5f7f11d50a3a_4.0.15805.0_es-es_140e08cb52909b17\Opera 11.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-http-api_31bf3856ad364e35_10.0.19041.1110_none_74cd120186d9bd8d\Harry Potter all e.book.doc.exe	details.txt .exe
File created	\??\c:\windows\softwaredistribution\download\sharedfilecache\Dictionary English 2004 - France.doc.exe	details.txt .exe
File created	\??\c:\windows\servicestate\winhttpautoproxysvc\data\Keygen 4 all new.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp.resources_31bf3856ad364e35_10.0.19041.1_es-es_152faf25d711a2c8\Star Office 9.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.web.ftpserver-nonmsil_31bf3856ad364e35_10.0.19041.1_none_b8ca67b1d5afab42\Britney Spears.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_system.net.http.webrequest.resources_b03f5f7f11d50a3a_4.0.15805.0_fr-fr_8286e197ce91324e\Matrix.mpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6c7d0080fa13eb2a\Saddam Hussein.jpg.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Britney Spears full album.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.1_none_299e346813d7f434\Matrix.mpg.exe	details.txt .exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	details.txt .exe

C:\Users\Admin\AppData\Local\Temp\details.txt .exe
"C:\Users\Admin\AppData\Local\Temp\details.txt .exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0855871B-A2C6-4F79-BA33-4BE43A9B6A02\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\Britney Spears porn.jpg.exe

Filesize
28KB

MD5
3018e99857f31a59e0777396ae634a8f

SHA1
7031cfe76ee7b2c925f2c00372fb9ef7f983f60c

SHA256
c8fffb2e737514c551b2d7bcaf8baa459564b059cab1a35a3cec4b3c270d4525

SHA512
4604c98f765be26d4a0a33f54cc777810cae7fab5153ee637b4fc8057492fd40de6fdf9d88dc4f7f34f45dd174bae54a2b39e0f0e5f1f5997820b9bccf47686a

Download Submit
C:\Windows\userconfig9x.dll

Filesize
26KB

MD5
0a9ffa57d65083c92e0d3d69b00f2f0d

SHA1
ec88c8cf7b666e63cd800d869e56510e099b2943

SHA256
9bfaf2f0b53f87d1452d4c2aa75027ffb8e66aee1462c3d9eb7a6e55bcac55c8

SHA512
fa10ece8826badbbe1f572bfd9f4202b36dc499bca58a9d2e17ceb931b237f69867618fb2e7da732c5598cf24ad31008ebbf459380abbf071b849178eb193ae2

Download Submit
memory/3972-5764-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5772-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-2559-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3972-2700-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-2702-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5762-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3972-5768-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5770-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-4-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5774-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5776-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5778-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5780-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5782-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5784-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3972-5786-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads