1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
Size

230KB
MD5

b75651939e852ce3e2c8466f3c02aefa
SHA1

5c077c2b724b36555b738f015377463caa72225b
SHA256

1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be
SHA512

0fd11b02fdcaa6c5a535757676b3d1675d2f110bf0525b394279b3bb69d8f5cb3948ca93ad31fca75e43501b305096d415cf6633f16b6394421fe0f44946768b
SSDEEP

3072:sr+Fu2II+HiXMcI/AKJj/+rzTPe9oPxM5DNmHWVcqelSxbfS6954bpqyZALx0XN+:/MHD3/AKsP2f5hBkpq0rpS

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2476	winlogon.exe
2520	AE 0124 BE.exe
2624	winlogon.exe
1660	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
2520	AE 0124 BE.exe
2520	AE 0124 BE.exe
2476	winlogon.exe
2476	winlogon.exe
1660	winlogon.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA400B6.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wsdapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\erofflps.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mtstocom.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\C_28598.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~sr-LATN-CS~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\smartcrd.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\sppcomapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\WpdBusEnum.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Ultimate-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\qedit.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\inetcpl.cpl.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\QSVRMGMT.DLL.MUI	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\STEXSTOR.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\brmsl07a.icm	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mmci.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\ndptsp.tsp.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\adsmsext.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNBJOP9I.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\recover.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\rshx32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\prnts003.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\napipsec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA4.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\IF80006.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_neutral_c6a6811d3d827dba\ltotape.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wevtutil.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Professional	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\chkdsk.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wdc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDHEB.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wcnwiz.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\prnntfy.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\DDACLSys.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\cliegaliases.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\com\de-DE\MigRegDB.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\BRD9045D.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\mf.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SystemPropertiesPerformance.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\tr-TR\msimsg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\Amd64	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\prnky003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\OfflineFilesWmiProvider.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdlsbuscbs.inf_amd64_neutral_351e56205fd4c200	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\KYUD5015.GDL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\Amd64\LMT640.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\mdmcxhv6.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\ir50_32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0021\_setup.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\eval\StarterN	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\ts_wpdmtp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\thumbcache.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fi-FI	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnts003.inf_loc	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-nslookup.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_04972a114be03693	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-b..trics-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8506d75dcbaffaba.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..atibility.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f765cfc93427a13f.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-e..mogrifier.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e6a3e6c5ec26acd0	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx003.inf_31bf3856ad364e35_6.1.7600.16385_none_482c1e14df350b67\Amd64\LME352DN.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-netutils_31bf3856ad364e35_6.1.7601.17514_none_3220778aa85afd05.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_transactions.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Speech.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cffa1c7732c576aa\currency.css	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73a0e46b641d0379\netcorehc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..g-xpsdocumentwriter_31bf3856ad364e35_6.1.7601.17514_none_80fea45979a5d3f2\mxdwdui.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3be396c6d1b6e7bf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a\rasdiag.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.17514_none_459af2f42285b811.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ddc37769f9c45ec5.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mp4sdecd.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0140a74e3c151e87\mp4sdecd.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mp4sdecd.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4a30ff5056d9253	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_wpdmtphw.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e7be8f60b3366d71	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-icm-ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6b38fd80c04a1d08	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_el-gr_48c18b4486c4cfe6\comdlg32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2780f07f05867be_mfc42u.dll.mui_64d23330	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_616ae592fccf1c48.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-e..ingfaults.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cd71dff5a132d2ca\faultrep.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ng-wizard.resources_31bf3856ad364e35_6.1.7600.16385_es-es_95954cff3f008af1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_sdbinst.exe.mui_258ad624	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-lucidasans_31bf3856ad364e35_6.1.7600.16385_none_d0e8774fa1155a53_l_10646.ttf_f757c3ca	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-msmq.resources_31bf3856ad364e35_6.1.7600.16385_de-de_19ab855b49f18777.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3122f08f9905bfb1\hpzprw71.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpzpaw72.vdf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ribbons.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ae6e8472b208da12.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..pulations.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a2be92c19605ed2\rtscom.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..acysnapin.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6a837de6bd6403a7\iisui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\P2P-pnrp.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..providers.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8187b56ded6d66d\WABSyncProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-v..r-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7554e1450e725513\mciavi32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wdi-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f019487827a47072\WDI.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c10af1bed239c523\gpapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-cipher.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5316fe081c8eca54.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-tunnel.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f551ffa4ca67697.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_ramdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b1fd21895c5db9d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_670f5fce8faa234a.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for SqlServer\_dataperfcounters_shared12_neutral.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpj4680t.gpd	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\FileMaps\program_files_windows_sidebar_gadgets_currency.gadget_fr-fr_8184f22d2048fba1.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_fc20fc2ea15dceba\kernel32.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-findstr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d318f1eb29d9f9b1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ui-pmcppc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_03b2a5eef074426f\pmcsnap.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00a.inf_31bf3856ad364e35_6.1.7600.16385_none_dcb5d501c451bacd\Amd64\CNBP_326.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1041\cscompui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft	AE 0124 BE.exe
File opened for modification	C:\Windows\Vss\Writers\System\75DFB225-E2E4-4d39-9AC9-FFAFF65DDF06.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dskquoui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e92285b2bb7f7344	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..type-mongolianbaiti_31bf3856ad364e35_6.1.7600.16385_none_5f92b85e203b255f.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9a8171aceaed6fe4\aelupsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_068a8aa70d654920\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-spp-installer_31bf3856ad364e35_6.1.7600.16385_none_12cbc2d3c1ed26ee\sppinst.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_msclmd.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6f2b379dc13dd175\msclmd.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_928ddfae8716e27f\CNBP_323.DLL.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2e91fbc017fd3a00_vds.exe.mui_2268d934	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_332ee52c7283fee4.manifest	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeSecurityPrivilege	2456	msiexec.exe
Token: SeCreateTokenPrivilege	2292	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2292	msiexec.exe
Token: SeLockMemoryPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeMachineAccountPrivilege	2292	msiexec.exe
Token: SeTcbPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: SeTakeOwnershipPrivilege	2292	msiexec.exe
Token: SeLoadDriverPrivilege	2292	msiexec.exe
Token: SeSystemProfilePrivilege	2292	msiexec.exe
Token: SeSystemtimePrivilege	2292	msiexec.exe
Token: SeProfSingleProcessPrivilege	2292	msiexec.exe
Token: SeIncBasePriorityPrivilege	2292	msiexec.exe
Token: SeCreatePagefilePrivilege	2292	msiexec.exe
Token: SeCreatePermanentPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2292	msiexec.exe
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeDebugPrivilege	2292	msiexec.exe
Token: SeAuditPrivilege	2292	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2292	msiexec.exe
Token: SeChangeNotifyPrivilege	2292	msiexec.exe
Token: SeRemoteShutdownPrivilege	2292	msiexec.exe
Token: SeUndockPrivilege	2292	msiexec.exe
Token: SeSyncAgentPrivilege	2292	msiexec.exe
Token: SeEnableDelegationPrivilege	2292	msiexec.exe
Token: SeManageVolumePrivilege	2292	msiexec.exe
Token: SeImpersonatePrivilege	2292	msiexec.exe
Token: SeCreateGlobalPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2132	vssvc.exe
Token: SeRestorePrivilege	2132	vssvc.exe
Token: SeAuditPrivilege	2132	vssvc.exe
Token: SeBackupPrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2112	DrvInst.exe
Token: SeLoadDriverPrivilege	2112	DrvInst.exe
Token: SeLoadDriverPrivilege	2112	DrvInst.exe
Token: SeLoadDriverPrivilege	2112	DrvInst.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	msiexec.exe
2292	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
2476	winlogon.exe
2520	AE 0124 BE.exe
2624	winlogon.exe
1660	winlogon.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2292	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	28
PID 2056 wrote to memory of 2476	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	30
PID 2056 wrote to memory of 2476	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	30
PID 2056 wrote to memory of 2476	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	30
PID 2056 wrote to memory of 2476	2056	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	30
PID 2476 wrote to memory of 2520	2476	winlogon.exe	31
PID 2476 wrote to memory of 2520	2476	winlogon.exe	31
PID 2476 wrote to memory of 2520	2476	winlogon.exe	31
PID 2476 wrote to memory of 2520	2476	winlogon.exe	31
PID 2520 wrote to memory of 2624	2520	AE 0124 BE.exe	33
PID 2520 wrote to memory of 2624	2520	AE 0124 BE.exe	33
PID 2520 wrote to memory of 2624	2520	AE 0124 BE.exe	33
PID 2520 wrote to memory of 2624	2520	AE 0124 BE.exe	33
PID 2476 wrote to memory of 1660	2476	winlogon.exe	34
PID 2476 wrote to memory of 1660	2476	winlogon.exe	34
PID 2476 wrote to memory of 1660	2476	winlogon.exe	34
PID 2476 wrote to memory of 1660	2476	winlogon.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
"C:\Users\Admin\AppData\Local\Temp\1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2292
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2624
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A0" "00000000000005A0"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
923af0e1128bc53be07c278a2ee9d36a

SHA1
a657905981decdf5a9d9b57bc89be98f9259f530

SHA256
f28ec4a0b63847db376c8b32c40ac6204fc8ca3b4c971913a2a5ef8cf3859fa0

SHA512
4a1f0f3466711478d8d487e2085bbed24e8f16c4e12fa73341c02e76e0cc165fc9b3fe793d62eadba4062d050f4fbce81755d8a4585e54f06f5796f59ce2a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5763.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
230KB

MD5
80d6e84f1670c18ecbe7b1c4d14035c0

SHA1
a1966fb520e12ec6697c2a902bde48415ec1fc91

SHA256
d3c2829b303b5783a84632e43c7d63c0ab8316d4d7779678f4ffcdc6bed9ed02

SHA512
2421c48b3841eb8b5258b99b87412ca11d6bff6618c6aa178e0038f9026c32c2912ad14b00a407fa8b2bf766953fce73fe6a53a18c89e607db1425f98866bdaa

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
3c9b1eaec6c0553ec55cc981859ad52d

SHA1
dc1b89778d23517677327fc7265419f507ce5f60

SHA256
bb42a5c15238d5b38ec51c0d7069d35a62e84c058c0c3d995a934e8dfba3a728

SHA512
8caccc427dda37b1b40e32eea0523d67dc7391bd6ca1d3c570fed86d50a5b3e80b48395d022407049c23e82e3f9a41d3323fbab94ac7520887d6f82df358caa5

Download Submit
memory/2056-12-0x0000000003C30000-0x00000000046EA000-memory.dmp

Filesize
10.7MB

Download
memory/2476-55-0x0000000003550000-0x000000000400A000-memory.dmp

Filesize
10.7MB

Download
memory/2520-56-0x00000000033A0000-0x0000000003E5A000-memory.dmp

Filesize
10.7MB

Download
memory/2520-182-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2520-382-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads