71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe
Size

567KB
MD5

737ba010037477b45644375c1801db36
SHA1

da61d66af3ef532d2007d98a8a8b54f64106e3a2
SHA256

71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace
SHA512

71fc14099d7104ed9b4041d1d78e18d6c0f42df7c1a4c415bb307f0713d3cffbf763d334f0caa8db2882c5729e90eb35c359550796ecdf632fcdc24ffd66b834
SSDEEP

12288:/MHL/AHAnkwryWWy2KKu9Bx+xidEKj6vhqO:ECAnkgyDK95+RKOqO

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2412	winlogon.exe
2644	AE 0124 BE.exe
1616	winlogon.exe
1760	winlogon.exe

Loads dropped DLL 18 IoCs

pid	Process
2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe
2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe
2644	AE 0124 BE.exe
2644	AE 0124 BE.exe
2412	winlogon.exe
2412	winlogon.exe
1760	winlogon.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
2180	msiexec.exe
792	MsiExec.exe
792	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2544	msiexec.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NlsData001d.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\RasConnectionManager-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_providers.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUASE-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14al.bcm	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnne30a.inf_amd64_ja-jp_b2245ba886355a9f\prnne30a.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\DigitalMediaDevice.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\timeout.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDUGHR.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\msdt.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYKC1300.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\serscan.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\sscore.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Rights-Management-Client-v1-API-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\wbemcore.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicN\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\INETRES.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons0045.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC5200F.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHJ11N02.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cmutil.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\scrrun.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\shell32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\cryptext.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\tpmcompc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dpwsockx.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_FAQ.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_job_details.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\sisraid2.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_neutral_9dcd97ab7a913b7a	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\megasas2.inf_amd64_neutral_599d713507780ed4	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\circlass.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl008.inf_amd64_neutral_d225e15af1a594cd\mdmgl008.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_neutral_ece4b1cc5aee6a38\mdmnttme.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO0410T.XML	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OKML791.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\racpldlg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\tapiui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnca00x.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr008.inf_amd64_neutral_0540370b0b1e348e\Amd64	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\RICFG7.XML	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Vss-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\WmiPerfInst.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\MsiProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netnvma.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_neutral_0684fdc43059f486\keyboard.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\Ph3xIBC7.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN4181E3.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf6x5.ppd	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sndvol.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\cmlua.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\powershell_ise.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\Amd64\FXUCU001.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\Enterprise\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\lodctr.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\DxpTaskSync.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\SA4300.icc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\msimtf.dll.mui	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_adpahci.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b77fb17df2a92002	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-bits-igdsearcher_31bf3856ad364e35_6.1.7600.16385_none_0d612eb0a8b155ff	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfcm90u.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\prnbr006.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_adpu320.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0cc8733d5df51280.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-c..nd-userlicenseterms_31bf3856ad364e35_6.1.7600.16385_none_a4258c42136c8deb.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-MiscRedirection-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..-printbrm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a504fd990e85fee5	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_iirsp.inf_31bf3856ad364e35_6.1.7600.16385_none_02496439a3048835\iirsp.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_input.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7d6001acd68e038f.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..onal-codepage-10004_31bf3856ad364e35_6.1.7600.16385_none_8002ba5ae26e5d8e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wmi-filter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_75b9157edf32496d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\e72886c96b63be364c0205b6c4ff4413\Microsoft.ManagementConsole.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\prnbr008.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_bthmtpenum.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_43ed817136abb248\bthmtpenum.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_6b683cb78f534561\cic.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-0000082c_31bf3856ad364e35_6.1.7600.16385_none_63bbfad8a404fd28	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e9c2f754efcb477f	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx00y.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1b27c3f2fdf38d72\prnlx00y.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_c194d99e4f9ac254.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-sysclass.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcfd6ebb93c36606.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\System.Web.Services.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..chrecognizerenu.ale_31bf3856ad364e35_6.1.7600.16385_en-us_2a26b846c28f1791\grph1033.lxa	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shmig.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0aa1bc46de7847ec\ShMig.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-p..rgrouping.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8d133eb3cbb8bb39.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnky004.inf_31bf3856ad364e35_6.1.7600.16385_none_3dd58b93065f62f8.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73db80f37a680574\localizedStrings.js	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_ce2d22115368db7a\WerFaultSecure.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_msmouse.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cfe7796da2c1c516	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_8.0.7601.17514_none_27126e7394676c4a\ieaksie.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6aa2e3afc3c85aa5.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-healthcenter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a222165421adb16e	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-printp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0990be410b2c763a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..tx-xinput.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a4a6571ad2418db7	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_6.1.7600.16385_none_a72c807474764763\aero_nesw_xl.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnok002.inf_31bf3856ad364e35_6.1.7600.16385_none_cd8f9cb5e2f6c390\Amd64\OKML721.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_be0701531dbe7588.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-s..ty-spp-ux.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5f2f8d37499437c9\sppcommdlg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Catalogs\01f0514f33415c2abfed49435dbb36f8c93969c92e3ca986d0605e0bd23a773b.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-regsvr32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a5c6981a8c785981\regsvr32.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-admin_31bf3856ad364e35_6.1.7600.16385_none_395ea636467e3a48\comrepl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66dabcb28fd114ef	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-oobe-machine-ui_31bf3856ad364e35_6.1.7601.17591_none_c027b35ef893d68e\msoobeui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-gabriola_31bf3856ad364e35_6.1.7601.17514_none_e65a866e9dc81eaf.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b25735420d36e896_iscsiexe.dll.mui_7d81b1cc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..rectplay4.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d6249044aabf1c5c\dpwsockx.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_fi-fi_9da4bdbdc648dd53	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20838_31bf3856ad364e35_6.1.7600.16385_none_ae962ee8ffa4883e\C_20838.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-ppc_31bf3856ad364e35_6.1.7600.16385_none_c292158f0cc00689\ppcRsopUserSchema.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7601.17514_it-it_48e85fde966bd470\rascfg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_en-us_380ef100709641ad.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c88ac3d86d11e8b8	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.1.7600.16385_none_dba90e9e11c02732	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-setup_31bf3856ad364e35_6.1.7600.16385_none_e9c098a4c7abd558\msdtcstp.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_fdphost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bbfdcc637cb59110.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-schedule.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f64883a0d2fd4e6e	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_fb26b945993b2f11.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c9c656332d47db0.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26cee700b53a673d\apphelp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00b.inf_31bf3856ad364e35_6.1.7600.16385_none_ad2d68ddc89d49d5\Amd64\EP0NM4RI.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_netfx-iehost_b03f5f7f11d50a3a_6.1.7600.16385_none_7dd203ef359dfcfb.manifest	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe
Token: SeLockMemoryPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeMachineAccountPrivilege	2544	msiexec.exe
Token: SeTcbPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeLoadDriverPrivilege	2544	msiexec.exe
Token: SeSystemProfilePrivilege	2544	msiexec.exe
Token: SeSystemtimePrivilege	2544	msiexec.exe
Token: SeProfSingleProcessPrivilege	2544	msiexec.exe
Token: SeIncBasePriorityPrivilege	2544	msiexec.exe
Token: SeCreatePagefilePrivilege	2544	msiexec.exe
Token: SeCreatePermanentPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeDebugPrivilege	2544	msiexec.exe
Token: SeAuditPrivilege	2544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2544	msiexec.exe
Token: SeChangeNotifyPrivilege	2544	msiexec.exe
Token: SeRemoteShutdownPrivilege	2544	msiexec.exe
Token: SeUndockPrivilege	2544	msiexec.exe
Token: SeSyncAgentPrivilege	2544	msiexec.exe
Token: SeEnableDelegationPrivilege	2544	msiexec.exe
Token: SeManageVolumePrivilege	2544	msiexec.exe
Token: SeImpersonatePrivilege	2544	msiexec.exe
Token: SeCreateGlobalPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	1028	vssvc.exe
Token: SeRestorePrivilege	1028	vssvc.exe
Token: SeAuditPrivilege	1028	vssvc.exe
Token: SeBackupPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	344	DrvInst.exe
Token: SeLoadDriverPrivilege	344	DrvInst.exe
Token: SeLoadDriverPrivilege	344	DrvInst.exe
Token: SeLoadDriverPrivilege	344	DrvInst.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2544	msiexec.exe
2544	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe
2412	winlogon.exe
2644	AE 0124 BE.exe
1616	winlogon.exe
1760	winlogon.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2544	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	28
PID 2592 wrote to memory of 2412	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	29
PID 2592 wrote to memory of 2412	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	29
PID 2592 wrote to memory of 2412	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	29
PID 2592 wrote to memory of 2412	2592	71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe	29
PID 2412 wrote to memory of 2644	2412	winlogon.exe	30
PID 2412 wrote to memory of 2644	2412	winlogon.exe	30
PID 2412 wrote to memory of 2644	2412	winlogon.exe	30
PID 2412 wrote to memory of 2644	2412	winlogon.exe	30
PID 2644 wrote to memory of 1616	2644	AE 0124 BE.exe	32
PID 2644 wrote to memory of 1616	2644	AE 0124 BE.exe	32
PID 2644 wrote to memory of 1616	2644	AE 0124 BE.exe	32
PID 2644 wrote to memory of 1616	2644	AE 0124 BE.exe	32
PID 2412 wrote to memory of 1760	2412	winlogon.exe	33
PID 2412 wrote to memory of 1760	2412	winlogon.exe	33
PID 2412 wrote to memory of 1760	2412	winlogon.exe	33
PID 2412 wrote to memory of 1760	2412	winlogon.exe	33
PID 2180 wrote to memory of 792	2180	msiexec.exe	37
PID 2180 wrote to memory of 792	2180	msiexec.exe	37
PID 2180 wrote to memory of 792	2180	msiexec.exe	37
PID 2180 wrote to memory of 792	2180	msiexec.exe	37
PID 2180 wrote to memory of 792	2180	msiexec.exe	37
PID 2180 wrote to memory of 792	2180	msiexec.exe	37
PID 2180 wrote to memory of 792	2180	msiexec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe
"C:\Users\Admin\AppData\Local\Temp\71d8a2c25f68ef04fca6474da7afffb09475e70e6be2095e898c41b49c89cace.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2544
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1616
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7C9A30E2989B16E224EA732D05196DF
  2⤵
  - Loads dropped DLL
  PID:792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "000000000000055C"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD

Filesize
558B

MD5
3cc0012f96f8f44164c18d7de05023d9

SHA1
c8feb560d751fe720c8bdb53f5e78aa92abb9a9e

SHA256
2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5

SHA512
626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3334925a5adea4da69a3e3e79996cdc3

SHA1
d7cedf300cc8592bac419a96ae61396405d92290

SHA256
6f3102fe927c006009e397554c01524e71eb23d825b4f70fe12aea0a6c0dbb04

SHA512
5e4bf5f3f7ee151f10df12deb9574421e4daddbebddde4147007e7e2c11231aa735d3541e6c55b46678f0725777a33e661423ac1fa72b9c081c4b89e839d35d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD

Filesize
234B

MD5
29e4059f269db01371467e3b8a7140b6

SHA1
7166c206099475b44c87c46db929342a9ad6149f

SHA256
4727d99335d2d30c713cbb4b95cfad357e3a0093488bcf13faa8a4381984694d

SHA512
6b45b95a19ea578e4c199f6ff71c6e8fc007d14153806088bc5b670b7afa7ad5ad817e2f47c8b840703adee90baad709ff124e5bfdb9edcdae5ed4ca180cb7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A90.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
567KB

MD5
a3747b78a4ee3abe1bd29f6a271fa812

SHA1
22d743c9c5fefae89696a0a9f14df7fa797c1fe3

SHA256
e1b1f7ad7dc718d7d57888e349c4b2564d1b34e8881688d36caaa84bb707d03e

SHA512
ea37f0552064a76dcbfe2680ad61670c9fff9a9aeb2072d1f1dcd8881aad1791ccb5cb8888277241ff6d2f901de5cc1843b9ece428dac4ce8b2a809fb1ed7c45

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\Windows\Installer\MSI3B00.tmp

Filesize
61KB

MD5
4f0829102cd133bad186ec3ee03cf2a8

SHA1
4297f15802a5d54bda6fc984ec872b4df5e4801f

SHA256
9c494c89a49e812a097333e86322a937e52c6077c16a4be35d61dbbdaa02ce22

SHA512
498e41f2b91d49669d99f954c921073550aa7f155b5a85a867ef20ac3b5f510e89779a0da3f23810b67e53603883c137d1ab7d888dcf3f532ef4155524fc0122

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll

Filesize
9.9MB

MD5
2c72d557fa60650dc9e1b6ca8f3785b8

SHA1
2b66b06902fdf8c2876fda280febccd40ef2f38f

SHA256
a459f23f2f2921ba3fdd61ec16c04e1adaa7946adef33b7deb21bbc68ed80ce0

SHA512
9a20c9f737ccf3a80c8ea8840ec8cba54d0ee0eb5e9fae6266c22b5c72141e1a06f184820344f8972226f190d99eedfd4c6213cf4302c09c558e136cc3cbea9b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll

Filesize
109KB

MD5
473744efd008548a0074a54502a88e03

SHA1
92b9493fdf3a715ce9446448f83aef8af8addb54

SHA256
fff5f2baa59267fe88eaf9afdcf66b7ab6d6d1742bda6d8cccdc825ba2d7f50a

SHA512
27164e1a5bae679d122e0432eae0730e7ddc1336793009197e4b83e513e2020bfc06b1b83dc79b16baa408e508fffcb78c33f2a82247d861f9bbe3284d682abe

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Filesize
615KB

MD5
7b2a54732d38cd19c79c8184d6932f6f

SHA1
6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04

SHA256
76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d

SHA512
acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
b75f15ce7423c5f6f4c9fd413e213487

SHA1
bad6ee47401e038e2ad644ee8d3918e712102c74

SHA256
fa0abcf42089d4b88e017885ca5d593d70a18029abe3724e08cc24b1ec573c34

SHA512
b12f54803f5e48c0bf97bee89870e81d60f685565f6add87dc912a8a4b6909ae6b764663f1efd2834fae99c44d2f0360a5fa3cc9f1e243810f12b6f6fbe8c1ee

Download Submit
memory/2412-55-0x0000000003550000-0x000000000400A000-memory.dmp

Filesize
10.7MB

Download
memory/2592-12-0x0000000003F70000-0x0000000004A2A000-memory.dmp

Filesize
10.7MB

Download
memory/2644-283-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2644-59-0x0000000003230000-0x0000000003CEA000-memory.dmp

Filesize
10.7MB

Download
memory/2644-401-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads