Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/05/2024, 00:58

Static task: static1

Behavioral task: behavioral1
Sample: 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
Size: 437KB
MD5: 43ca84c6ce357df9bf4d7d0faafb1030
SHA1: 7e10745402c4a037ec8aa3a83e4273531347f3b7
SHA256: d0ba083540dacb845d43f74b494c0ee4f5b0df7424b2bdb0b7cfdd1308480adc
SHA512: 317787210309bd219c81e268bb39b29ada8a1bbdef263d5d9d76fc4591acba27d9bf23197e06dc85928a51329f9b87cc42875cfb7cb67491fc4217f4aae18d5a
SSDEEP: 6144:/MHD3/AK2Es7eVyYr9AmEcmI5qpYDb1MV+w1ILKcrsliCC+B:/MHL/ACsKVyY3EcmIopMbv1Ocr9aB
Malware Config
Signatures
Drops file in Drivers directory 39 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description                   ioc                                                      Process
File opened for modification  C:\Windows\SysWOW64\wintrust.dll                         AE 0124 BE.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll  AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation  43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation  winlogon.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation  AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid   Process
4272  winlogon.exe
2896  AE 0124 BE.exe
4444  winlogon.exe
3228  winlogon.exe
Loads dropped DLL 3 IoCs
pid   Process
2896  AE 0124 BE.exe
4444  winlogon.exe
3228  winlogon.exe
Blocklisted process makes network request 1 IoCs
flow  pid   Process
5     1200  msiexec.exe
Drops desktop.ini file(s) 57 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
C:\Windows\WinSxS\amd64_windows-application..-appextension-winrt_31bf3856ad364e35_10.0.19041.746_none_f1c93f530fa21eed\AppExtension.dll AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationCore.Resources\3.0.0.0_es_31bf3856ad364e35 AE 0124 BE.exe File opened for modification C:\Windows\INF\PNRPSvc\0409 AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.certifica..ts.native.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a4dca91db33e6cf AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_5423242a834ca42e AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-o..p-raschap.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_fbec233fab66ee96 AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe
-
Modifies registry class 30 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.Windows.WindowsIoTExtensionSDKContracts.x86.10.19041\Version = "10.1.19041.685" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\ProductName = "Windows IoT Extension SDK Contracts" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.Windows.WindowsIoTExtensionSDKContracts.x86.10.19041\ = "{497B2D49-F5C2-CA3B-05FF-22ABF39F2873}" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\InstanceType = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\AuthorizedLUAApp = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B79A61FBE69671AA6BAC83EB29E0E472 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B79A61FBE69671AA6BAC83EB29E0E472\94D2B7942C5FB3AC50FF22BA3FF98237 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\AdvertiseFlags = "388" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList\Net\1 = "C:\\Windows\\" msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.Windows.WindowsIoTExtensionSDKContracts.x86.10.19041\DisplayName = "Windows IoT Extension SDK Contracts" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\Language = "1033" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\Assignment = "1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList\Media msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.Windows.WindowsIoTExtensionSDKContracts.x86.10.19041 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\94D2B7942C5FB3AC50FF22BA3FF98237 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList\LastUsedSource = "n;1;C:\\Windows\\" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\PackageCode = "6730F2470F08CED44847E34A7615482C" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\Version = "167856737" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\DeploymentFlags = "3" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\SourceList\PackageName = "AE 0124 BE.msi" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\94D2B7942C5FB3AC50FF22BA3FF98237\fe9680b4410d2a44c29138b99240e05b56 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\94D2B7942C5FB3AC50FF22BA3FF98237 msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4820 msiexec.exe
4820 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 1200 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1200 msiexec.exe
Token: SeSecurityPrivilege 4820 msiexec.exe
Token: SeCreateTokenPrivilege 1200 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1200 msiexec.exe
Token: SeLockMemoryPrivilege 1200 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1200 msiexec.exe
Token: SeMachineAccountPrivilege 1200 msiexec.exe
Token: SeTcbPrivilege 1200 msiexec.exe
Token: SeSecurityPrivilege 1200 msiexec.exe
Token: SeTakeOwnershipPrivilege 1200 msiexec.exe
Token: SeLoadDriverPrivilege 1200 msiexec.exe
Token: SeSystemProfilePrivilege 1200 msiexec.exe
Token: SeSystemtimePrivilege 1200 msiexec.exe
Token: SeProfSingleProcessPrivilege 1200 msiexec.exe
Token: SeIncBasePriorityPrivilege 1200 msiexec.exe
Token: SeCreatePagefilePrivilege 1200 msiexec.exe
Token: SeCreatePermanentPrivilege 1200 msiexec.exe
Token: SeBackupPrivilege 1200 msiexec.exe
Token: SeRestorePrivilege 1200 msiexec.exe
Token: SeShutdownPrivilege 1200 msiexec.exe
Token: SeDebugPrivilege 1200 msiexec.exe
Token: SeAuditPrivilege 1200 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1200 msiexec.exe
Token: SeChangeNotifyPrivilege 1200 msiexec.exe
Token: SeRemoteShutdownPrivilege 1200 msiexec.exe
Token: SeUndockPrivilege 1200 msiexec.exe
Token: SeSyncAgentPrivilege 1200 msiexec.exe
Token: SeEnableDelegationPrivilege 1200 msiexec.exe
Token: SeManageVolumePrivilege 1200 msiexec.exe
Token: SeImpersonatePrivilege 1200 msiexec.exe
Token: SeCreateGlobalPrivilege 1200 msiexec.exe
Token: SeBackupPrivilege 2868 vssvc.exe
Token: SeRestorePrivilege 2868 vssvc.exe
Token: SeAuditPrivilege 2868 vssvc.exe
Token: SeBackupPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
Token: SeTakeOwnershipPrivilege 4820 msiexec.exe
Token: SeRestorePrivilege 4820 msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1200 msiexec.exe
1200 msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe
4272 winlogon.exe
2896 AE 0124 BE.exe
4444 winlogon.exe
3228 winlogon.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 3348 wrote to memory of 1200 3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe 83
PID 3348 wrote to memory of 1200 3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe 83
PID 3348 wrote to memory of 1200 3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe 83
PID 3348 wrote to memory of 4272 3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe 84
PID 3348 wrote to memory of 4272 3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe 84
PID 3348 wrote to memory of 4272 3348 43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe 84
PID 4272 wrote to memory of 2896 4272 winlogon.exe 86
PID 4272 wrote to memory of 2896 4272 winlogon.exe 86
PID 4272 wrote to memory of 2896 4272 winlogon.exe 86
PID 4272 wrote to memory of 4444 4272 winlogon.exe 89
PID 4272 wrote to memory of 4444 4272 winlogon.exe 89
PID 4272 wrote to memory of 4444 4272 winlogon.exe 89
PID 2896 wrote to memory of 3228 2896 AE 0124 BE.exe 91
PID 2896 wrote to memory of 3228 2896 AE 0124 BE.exe 91
PID 2896 wrote to memory of 3228 2896 AE 0124 BE.exe 91
PID 4820 wrote to memory of 2160 4820 msiexec.exe 103
PID 4820 wrote to memory of 2160 4820 msiexec.exe 103
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe (PID 3348, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\43ca84c6ce357df9bf4d7d0faafb1030_NeikiAnalytics.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 1200, depth 2)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\drivers\winlogon.exe (PID 4272, depth 2)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
        C:\Windows\AE 0124 BE.exe (PID 2896, depth 3)
        Command line: "C:\Windows\AE 0124 BE.exe"
        - Drops file in Drivers directory
        - Manipulates Digital Signatures
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3228, depth 4)
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\drivers\winlogon.exe (PID 4444, depth 3)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exe (PID 4820, depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe (PID 2160, depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\system32\vssvc.exe (PID 2868, depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 7KB
MD5 e24fb6ad6ef87c19a8e1f0416c2c6486
SHA1 95ff9eea42ee126f50a44293ea74fcb0d6000c90
SHA256 9ad64bfc930641302cae42fedc3e82b01736bfb2dd344c93d6aeb6e0178155e9
SHA512 e5548fa236d53bbaabf40b8b6757ce17ec456588a166f6177a6db083d94f5128c7056c8022ee6a0521a6fd9dad040c6e0d3e8eaa18230d9fca28a1bd038fa3f7
-
Filesize 437KB
MD5 5ce4e4d240dd24adfdee146cba3a938f
SHA1 5105fdf3a2bc18df9f00a314cace5ba0c21d34f8
SHA256 a4245e25ad8fdaa6383ed62bd4a78b025c60b6212e42b52cc604c0d2197fd4bc
SHA512 94411d6882cb15c8ba1ce2ad086655eabe32b1f749f75787799d0863d4bd3b9eadfb3f2aafcda3f8dacf31452fb088b8e48fff2f43d09c9d9ebeddb1d27aa0c4
-
Filesize 155KB
MD5 e81095df961ceadce1327d59032e5264
SHA1 4bcaeec06a62718399b163b5cd8bc0320182d414
SHA256 68c9cc1dac9f5ad472481edd2efda14b93ef6bf52126de5f510b206c270e8dca
SHA512 df3159c5b59235fe8bb91b3ac1f723a8b61a5895f8175c01192fdbe1dcf8141c2449c177a0c8d3ff2c49af7f8d9c4e3ef85d07ed01a25197f5fe54387c858690
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 130KB
MD5 3c9b1eaec6c0553ec55cc981859ad52d
SHA1 dc1b89778d23517677327fc7265419f507ce5f60
SHA256 bb42a5c15238d5b38ec51c0d7069d35a62e84c058c0c3d995a934e8dfba3a728
SHA512 8caccc427dda37b1b40e32eea0523d67dc7391bd6ca1d3c570fed86d50a5b3e80b48395d022407049c23e82e3f9a41d3323fbab94ac7520887d6f82df358caa5
-
Filesize 23.7MB
MD5 6bb2838515489540d0882e96863f11f9
SHA1 90af69bb7a9805bcbcd87c2de94470eec878c28e
SHA256 b3a7a9d2b35cc760f017bf4148904b4c3fc5c658afbcc4b98424331d6bafb80a
SHA512 8957e5d84cc681f9bdadb8c632f4483d12588525cfa53abe11775a16525090fc5c63203a2e77676b3b0fb7080919de5941e2a63d9ac6f51468b2efc5a31df3d4
-
\??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b487218e-9d44-4772-b785-9baade743c91}_OnDiskSnapshotProp
Filesize 6KB
MD5 cd0e0dbfad5f38a2688606580b6e367c
SHA1 a72d3ac7f2e6f4e16f99194249e5604aca17e836
SHA256 e6eb0ff4c4faa86325075fd9c6ec33bfea78f7e4c07915fba584c547d74e4281
SHA512 e36b4076fa15b6299a8a186031656c26607d8e0cd333b66de245a1c7ec170e569cbed5b8e3ad907b0a2c304dcc9a96e001a948983e33df08787d5f9a023b75e7
-
Filesize 21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b