1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
Size

230KB
MD5

b75651939e852ce3e2c8466f3c02aefa
SHA1

5c077c2b724b36555b738f015377463caa72225b
SHA256

1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be
SHA512

0fd11b02fdcaa6c5a535757676b3d1675d2f110bf0525b394279b3bb69d8f5cb3948ca93ad31fca75e43501b305096d415cf6633f16b6394421fe0f44946768b
SSDEEP

3072:sr+Fu2II+HiXMcI/AKJj/+rzTPe9oPxM5DNmHWVcqelSxbfS6954bpqyZALx0XN+:/MHD3/AKsP2f5hBkpq0rpS

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2136	winlogon.exe
5096	AE 0124 BE.exe
3892	winlogon.exe
5008	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
5096	AE 0124 BE.exe
3892	winlogon.exe
5008	winlogon.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\tsprint.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsFeatureSet	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\MSFT_PackageResource.schema.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsFeatureSet\WindowsFeatureSet.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\BitLockerCsp.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-crt-runtime-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dinput8.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Worker-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_911a60fb265ff111\transfercable.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\eapphost.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\BTAGService.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ProximityCommon.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\cmbatt.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\pci.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmetri.inf_amd64_50397e28bbcd6514\mdmmetri.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.Types.ps1xml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\DisplayManager.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Containers-Guest-Shared-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WCOSHeadless-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\certcli.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\bthspp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\ActionCenterCPL.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\FolderRedirectionWMIProvider.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetQos\MSFT_NetQosPolicy.cdxml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\msvfw32.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ssdpapi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Compute-PowerShell-Module-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_19_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\storufs.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\neth.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientCore-D-Opt-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\ipmiprv.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-OptionalFeature-DisposableClientVM-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-WOW64-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\msmpeg2enc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\winver.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\wbemcntl.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sendmail.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_glk.inf_amd64_7b6c08738ca8a856	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\fixmapi.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\NcdProp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\devmgr.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-UtilityVM-Containers-Setup-Shared-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA344a_highTX_LE_8.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\PerceptionSimulation.ProxyStubs.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-DDA-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Onecore-SPP-VirtualDevice-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\vsmraid.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\helpErrorBox.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..enter-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c348c7d7f964713e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RS_CheckDriversOnInstall.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..onsbroker.resources_31bf3856ad364e35_10.0.19041.1_it-it_575b1f480f1679eb	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_netrtwlane_13.inf_31bf3856ad364e35_10.0.19041.1_none_53b830f3b99b8540\rtwlane_13.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_windows.networking.vpn.soh_31bf3856ad364e35_10.0.19041.1_none_1c26f47a7c412fc5.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-n..kexplorer.resources_31bf3856ad364e35_10.0.19041.1_en-us_4818ba84fb79e816\NetworkItemFactory.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.1_none_b0feb06b14107c04\wecapi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_fr-fr_c7c95139b0684052\r	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Services	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Package_7_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-g..oftwareinstallation_31bf3856ad364e35_10.0.19041.1_none_37bff5e7fb6727b4	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.19041.1266_none_24ff18abf021b336\r\uxtheme.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\30a0d438c652f1a396e5a8dc5dde910e6866b53efe99172d56a43c0fa3c0e81c.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_swenum.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_28cbceb12eea3392.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_vdrvroot.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_35ecf141accffabc.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..asconsent.resources_31bf3856ad364e35_10.0.19041.1_es-es_5b2f2a8cfd6a78a7\easconsent.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_10.0.19041.1_none_55bb3854bad516ca\authbas.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-hololens.html	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l2gpstore.resources_31bf3856ad364e35_10.0.19041.1_it-it_6de9e20e7b472c43\l2gpstore.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_system.net.http.webrequest_b03f5f7f11d50a3a_4.0.15805.0_none_9b4825af7e378e8e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-msaatext_31bf3856ad364e35_10.0.19041.1_none_0e4767d110f87713	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_windows-id-connecte..nt-provider-wlidres_31bf3856ad364e35_10.0.19041.1_none_65adac508a479f6f	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_aspnet_regbrowsers.resources_v4.0_4.0.0.0_ja_b03f5f7f11d50a3a_7c5991bf9d0bf5cb.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..structure.resources_31bf3856ad364e35_10.0.19041.1_en-us_a42b51f62f0793b0\napinsp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.1288_none_cd9e84cbb15d682f\r\ntdll.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.powershel..sc.mpeval.resources_31bf3856ad364e35_10.0.19041.1_de-de_897c1617aab47f18\mpeval.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Containers-Server-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d73d8cc5242ccfe1	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..freshtask.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_bc6b1ab06886c228	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mup.resources_31bf3856ad364e35_10.0.19041.1_de-de_ed5483fd87925ba9	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_fr-fr_7a9d54723d1095f0.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ie-htmleditingsupport_31bf3856ad364e35_11.0.19041.1_none_dd500edcc45e0093.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-w..ileserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_eeb7ee71a0d86e32\wsp_fs_uninstall.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-directui.resources_31bf3856ad364e35_10.0.19041.1023_pl-pl_e24c711e0931a98b\r\windows.ui.xaml.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_diagnostics_system_audio_9d2751b7c84ca0f1.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-processmodel_31bf3856ad364e35_10.0.19041.264_none_9ef7d96338056f03.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\msil_system.management_b03f5f7f11d50a3a_10.0.19041.1_none_e01e0f0f9d6c522e\System.Management.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_whvcrash.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc43f38e4efa60b7	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3conn_31bf3856ad364e35_10.0.19041.746_none_702c3b97f5c072d5\r	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.19041.844_none_f5f48bc2c8c3f7a0\r\SCardDlg.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_rdvgwddmdx11.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_38cfbb696d391989	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_002b04f15e757967.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-shcore.resources_31bf3856ad364e35_10.0.19041.1_de-de_dedb0b545f06b19d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..re-security-webauth_31bf3856ad364e35_10.0.19041.264_none_35bf65fd1268e64b\f\AuthBroker.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-n..e_iassvcs.resources_31bf3856ad364e35_10.0.19041.1_en-us_a6bb102731e82b88.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_mchgr.inf_31bf3856ad364e35_10.0.19041.1_none_04b6eef03111c39e\qlstrmc.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rndis-usb-microport_31bf3856ad364e35_10.0.19041.1_none_7addd27bf208c224\usb8023.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mtconfig.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-dmpushproxy_31bf3856ad364e35_10.0.19041.1_none_fa8ada2a6c0711c6	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-onecore-t..ngservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_94131eec85e834cd.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-a..-uevagent.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_84c3ba8a803930b0.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft-windows-d..-repadmin.resources_31bf3856ad364e35_10.0.19041.1_es-es_776b5f38b0f3197c.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingDeletes\6f88124536e5d701519a00001815341f.opencl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Host-Devices-EmulatedChipset-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..ce-client.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a229a237cb9f1a2c\KeyboardFilterSvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tbs_31bf3856ad364e35_10.0.19041.906_none_ccdc633dd7031d76\f	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_en-us_34c90260884a74ea\bootmgfw.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-ds-provider_31bf3856ad364e35_10.0.19041.1_none_3eda47c771af10f4	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.264_none_c2ff528ca8752daf\r\Amd64\UNIDRV.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.1_none_524d53b764fb40e1\CloudNotifications.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_windows-id-connecte..nt-provider-wlidsvc_31bf3856ad364e35_10.0.19041.1_none_54400c205a77620c.manifest	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000324c0cbb4829e1b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000324c0cbb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900324c0cbb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d324c0cbb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000324c0cbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	3112	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeMachineAccountPrivilege	1680	msiexec.exe
Token: SeTcbPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeLoadDriverPrivilege	1680	msiexec.exe
Token: SeSystemProfilePrivilege	1680	msiexec.exe
Token: SeSystemtimePrivilege	1680	msiexec.exe
Token: SeProfSingleProcessPrivilege	1680	msiexec.exe
Token: SeIncBasePriorityPrivilege	1680	msiexec.exe
Token: SeCreatePagefilePrivilege	1680	msiexec.exe
Token: SeCreatePermanentPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeDebugPrivilege	1680	msiexec.exe
Token: SeAuditPrivilege	1680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1680	msiexec.exe
Token: SeChangeNotifyPrivilege	1680	msiexec.exe
Token: SeRemoteShutdownPrivilege	1680	msiexec.exe
Token: SeUndockPrivilege	1680	msiexec.exe
Token: SeSyncAgentPrivilege	1680	msiexec.exe
Token: SeEnableDelegationPrivilege	1680	msiexec.exe
Token: SeManageVolumePrivilege	1680	msiexec.exe
Token: SeImpersonatePrivilege	1680	msiexec.exe
Token: SeCreateGlobalPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	4292	vssvc.exe
Token: SeRestorePrivilege	4292	vssvc.exe
Token: SeAuditPrivilege	4292	vssvc.exe
Token: SeBackupPrivilege	3112	msiexec.exe
Token: SeRestorePrivilege	3112	msiexec.exe
Token: SeRestorePrivilege	3112	msiexec.exe
Token: SeTakeOwnershipPrivilege	3112	msiexec.exe
Token: SeBackupPrivilege	4444	srtasks.exe
Token: SeRestorePrivilege	4444	srtasks.exe
Token: SeSecurityPrivilege	4444	srtasks.exe
Token: SeTakeOwnershipPrivilege	4444	srtasks.exe
Token: SeBackupPrivilege	4444	srtasks.exe
Token: SeRestorePrivilege	4444	srtasks.exe
Token: SeSecurityPrivilege	4444	srtasks.exe
Token: SeTakeOwnershipPrivilege	4444	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1680	msiexec.exe
1680	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
2136	winlogon.exe
5096	AE 0124 BE.exe
3892	winlogon.exe
5008	winlogon.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 1680	3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	84
PID 3380 wrote to memory of 1680	3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	84
PID 3380 wrote to memory of 1680	3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	84
PID 3380 wrote to memory of 2136	3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	85
PID 3380 wrote to memory of 2136	3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	85
PID 3380 wrote to memory of 2136	3380	1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe	85
PID 2136 wrote to memory of 5096	2136	winlogon.exe	86
PID 2136 wrote to memory of 5096	2136	winlogon.exe	86
PID 2136 wrote to memory of 5096	2136	winlogon.exe	86
PID 2136 wrote to memory of 3892	2136	winlogon.exe	87
PID 2136 wrote to memory of 3892	2136	winlogon.exe	87
PID 2136 wrote to memory of 3892	2136	winlogon.exe	87
PID 5096 wrote to memory of 5008	5096	AE 0124 BE.exe	88
PID 5096 wrote to memory of 5008	5096	AE 0124 BE.exe	88
PID 5096 wrote to memory of 5008	5096	AE 0124 BE.exe	88
PID 3112 wrote to memory of 4444	3112	msiexec.exe	97
PID 3112 wrote to memory of 4444	3112	msiexec.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe
"C:\Users\Admin\AppData\Local\Temp\1193403a19781c8f1da8d08a19083336f6ac3bee263d0119436a9d3dc86845be.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1680
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5008
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.msi

Filesize
230KB

MD5
80d6e84f1670c18ecbe7b1c4d14035c0

SHA1
a1966fb520e12ec6697c2a902bde48415ec1fc91

SHA256
d3c2829b303b5783a84632e43c7d63c0ab8316d4d7779678f4ffcdc6bed9ed02

SHA512
2421c48b3841eb8b5258b99b87412ca11d6bff6618c6aa178e0038f9026c32c2912ad14b00a407fa8b2bf766953fce73fe6a53a18c89e607db1425f98866bdaa

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
3c9b1eaec6c0553ec55cc981859ad52d

SHA1
dc1b89778d23517677327fc7265419f507ce5f60

SHA256
bb42a5c15238d5b38ec51c0d7069d35a62e84c058c0c3d995a934e8dfba3a728

SHA512
8caccc427dda37b1b40e32eea0523d67dc7391bd6ca1d3c570fed86d50a5b3e80b48395d022407049c23e82e3f9a41d3323fbab94ac7520887d6f82df358caa5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
d70fd5860eb9fc6979fa3954be5f097e

SHA1
feea79a10e258cdc911edf6393699f139ec5847d

SHA256
383d24c3f4840bcbd3b07b3c902e7d63ab0b6d11c102ee6663df75778ee30eb8

SHA512
118a0954c0a67bad01b5ceef8690cf07e61137af385182e32f716fcde2bf8c36109669b7911c1a3685cedaa8b00697fdb7e26f1ef1dbaf6a2c0f126309e684d2

Download Submit
\??\Volume{bb0c4c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{38dc809f-bd78-4378-b116-6d1bce61dbe6}_OnDiskSnapshotProp

Filesize
6KB

MD5
d721ad4bb9f3e13a819ffc57b18344d8

SHA1
7db861d35dc3db6e69cc2aaef1196a07ae39e6ec

SHA256
7bb1cb00762fd59969e1c4581dedd302e0792288de24c4328e673b223234dea8

SHA512
b6ebbdf29b87263b030c7db741b3060a5522ecb3322539f35c470b2e1c4379de9485f3887f6e4bac26eccfa8bb2a494efbdcd4899d7b7ca59c8d62c8bd4f03b2

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads