Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 21:36
Behavioral task: behavioral1
Sample: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Resource: win10v2004-20240508-en
General
Target: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Size: 423KB
MD5: ad7cf66560e0c2c57ae299f8c727bf66
SHA1: e160143b3037d72a551cfb02a0b98ce32f92dae4
SHA256: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9
SHA512: ec3feb22cdd7bcada254123424e402e7ddc142b48b5b1b2ee11afdb6f7cc7276787542a6f4fa7e2cb53bef7c4d13ec6cb2b5aee476a4a954748ec5b49ce0fc71
SSDEEP: 6144:DP+PtrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcelS4:DP+Pt9sKVyY3EcmIopMbv1Ockd
Malware Config
Signatures
UPX dump on OEP (original entry point): 10 IoCs
resource | yara_rule
behavioral2/memory/3152-0-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/files/0x0007000000023406-18.dat | UPX
behavioral2/memory/3152-60-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/4868-83-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/4868-84-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/2052-104-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/2052-107-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/1576-452-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/4628-453-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
behavioral2/memory/4628-472-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
Drops file in Drivers directory: 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
Manipulates Digital Signatures: 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings: 2 TTPs, 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE: 4 IoCs
pid | Process
1576 | winlogon.exe
4628 | AE 0124 BE.exe
4868 | winlogon.exe
2052 | winlogon.exe
Loads dropped DLL: 3 IoCs
pid | Process
4628 | AE 0124 BE.exe
4868 | winlogon.exe
2052 | winlogon.exe
resource | yara_rule
behavioral2/memory/3152-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x0007000000023406-18.dat | upx
behavioral2/memory/3152-60-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4868-83-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4868-84-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2052-104-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2052-107-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1576-452-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4628-453-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4628-472-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Drops desktop.ini file(s): 57 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | AE 0124 BE.exe
Enumerates connected drives: 3 TTPs, 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
Drops autorun.inf file: 1 TTPs, 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
Drops file in System32 directory: 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\image.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\itSAS35i.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_21_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\de-DE\MSFT_FileDirectoryConfiguration.Schema.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ucmucsiacpiclient.inf_amd64_a233292790c69f03 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\SystemUWPLauncher.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\adrclient.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Not-Supported-On-LTSB-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\c_fsinfrastructure.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_aa2738d63955f632\mdmmhrtz.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MSFT_DtcTransactionsTraceSettingTask_v1.0.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\OnDemandBrokerClient.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Devices.Printers.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-COM-MSMQ-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\microsoft_bluetooth_hfp_ag.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\DMRCDecoder.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ncryptprov.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_1daeee8f3aa30fcb\Amd64\TTYUI.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\netrass.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\wevtfwd.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WmiPerfInst.mof | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDHELA3.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\xusb22.inf_amd64_d0f2fd4c931f4672\xusb22.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\wvmic.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\vhdmp.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\acppage.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Stop-DscConfiguration.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\da-DK\quickassist.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_d7b1959484ec8228\mdmgsm.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\c_display.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTable.xsd | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\xpsservices.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Speech\Common | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\uk-UA\dot3svc.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-runtime-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\wlansvc.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\PrintQueue.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\RADCUI.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-stepsrecorder-package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.746.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\cs-CZ\comctl32.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_f2e8231e8b60f214\serenum.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ja\Microsoft.Dtc.PowerShell.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IntegrationComponents-VirtualDevice-Core-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\catsrvut.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\termkbd.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\GameBarPresenceWriter.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\inetsrv | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-VM-Setup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-KeyboardFilter-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\unknown.inf_loc | AE 0124 BE.exe
Drops file in Windows directory: 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..nsors-cpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_40edfad252fc803f\SensorsCpl.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msauddecmft_31bf3856ad364e35_10.0.19041.1165_none_caedb67d36fe1f6c\r | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\f\WMIADAP.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ndactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_8b4593ccb753f4e5_bamsettingsclient.dll_db7ec840 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-data-pdf_31bf3856ad364e35_10.0.19041.1023_none_758123c77d34120c\f\Windows.Data.Pdf.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_es-es_b3b0ed14fe40ccd3 | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~~10.0.19041.264.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lock-controller_31bf3856ad364e35_10.0.19041.153_none_d7bf694ec2d9771d\LockController.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-remoteassistance_31bf3856ad364e35_10.0.19041.1110_none_97e1dbe4cf8c165b.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_8252c0f136f5bd40 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\msil_policy.1.0.microsof..commands.management_31bf3856ad364e35_10.0.19041.1_none_752fd400d6b22da2 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_e304dcaa2490f61c\r\SystemUWPLauncher.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-k..-plug-ins.resources_31bf3856ad364e35_10.0.19041.1_en-us_74034b2d69d662b4.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.19041.1_none_8544c27699e18a0d\MSFT_NetNat.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-errorreporting-adm_31bf3856ad364e35_10.0.19041.1_none_befde081b442b102\ErrorReporting.admx | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..peech-en-us-onecore_31bf3856ad364e35_10.0.19041.1_none_b1edff6d283a640a\enUS.Computer.dat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\r\WsmRes.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_uk-ua_a62184ec72401eb4.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-msftedit.resources_31bf3856ad364e35_10.0.19041.1_de-de_f23513f85f39708a\msftedit.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Resources\2.0.0.0_de_b77a5c561934e089 | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\peverify.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..u-education-license_31bf3856ad364e35_10.0.19041.1266_none_698b5e99f49a9026\Education-Volume-CSVLK-1-ul-oob-rtm.xrm-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_system.data.entity.design_b77a5c561934e089_4.0.15805.0_none_24e767531d696c55 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_47d83bc872f1a26d | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..workspace.resources_31bf3856ad364e35_10.0.19041.1_es-es_c6a7fe7030c40507.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_ndiscap.inf_31bf3856ad364e35_10.0.19041.1_none_11d8e6d0f7610805\ndiscap.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..lineid-wamextension_31bf3856ad364e35_10.0.19041.264_none_dded55235e2a2dc1\r\MicrosoftAccountWAMExtension.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_8ecbbe413c24502b.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-NFS-Administration-D-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeEPUB.targetsize-16.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_windows-id-connecte..t-provider-wlidprov_31bf3856ad364e35_10.0.19041.746_none_1d7b3edde1954a77\wlidprov.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_it-it_e01c215223d87c9c\netdacim.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\de\DropSqlPersistenceProviderLogic.sql | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\users_public_documents_70461e22eba239ef.cdf-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\amdsbs.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..sumercore.resources_31bf3856ad364e35_10.0.19041.1_de-de_d6938a4c4537f017 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Rules.System.CPU.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..ry-client.resources_31bf3856ad364e35_10.0.19041.1023_en-us_3aa7ef6cf79dca89 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_8e849708e7ef0ee7 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..nlegacyui.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_23654fd04c52b1d1\wininetlui.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-k..-plug-ins.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a2d39364271c6214\kswdmcap.ax.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_10.0.19041.746_none_b9f682f6b5dee942\r\psisdecd.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1202_en-us_b285b6e44b513a4c\Report.System.Wireless.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.data.services.resources_v4.0_4.0.0.0_de_b77a5c561934e089_d29551cf160287a5.cdf-ms | AE 0124 BE.exe
File opened for modification
C:\Windows\WinSxS\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d\dui70.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.ServiceModel.Discovery.resources.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..u-education-license_31bf3856ad364e35_10.0.19041.1266_none_698b5e99f49a9026\f\Education-Volume-CSVLK-4-ul-phn-rtm.xrm-ms AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-u..roundprocessmanager_31bf3856ad364e35_10.0.19041.1266_none_db15e480a69981a5.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-xwizards.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_490038abe8f2bf96.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-onecore-a..nmodel-datatransfer_31bf3856ad364e35_10.0.19041.264_none_07cb61c1b01391ce\f AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-DeviceGuard-GPEXT-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_01c9581e60cbee58\MFC90DEU.DLL AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Catalogs\a74a1ee5e9184c47c28a9c00e373893cc3f766e248cd278eb25d5bf689b942a3.cat AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..bility45-deployment_31bf3856ad364e35_10.0.19041.264_none_9b31998be0afe925.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..tperrors-deployment_31bf3856ad364e35_10.0.19041.964_none_7a16b40f79b2c484.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_fr-fr_34debcb59bd900bb.manifest AE 0124 
BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..xperience.resources_31bf3856ad364e35_10.0.19041.1_en-us_b1cd38b61e0a12ad.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-msports.resources_31bf3856ad364e35_10.0.19041.1_es-es_90bf477a7f8f5b83.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..foldersui.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ccfa3499bf76a9a.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_10abbd920ab9ed66 AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ahcache_31bf3856ad364e35_10.0.19041.928_none_11616d60b8a0cb9a\ahcache.sys AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3964 msiexec.exe 3964 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeShutdownPrivilege 4500 msiexec.exe Token: SeIncreaseQuotaPrivilege 4500 msiexec.exe Token: SeSecurityPrivilege 3964 msiexec.exe Token: SeCreateTokenPrivilege 4500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4500 msiexec.exe Token: SeLockMemoryPrivilege 4500 msiexec.exe Token: SeIncreaseQuotaPrivilege 4500 msiexec.exe Token: SeMachineAccountPrivilege 4500 msiexec.exe Token: SeTcbPrivilege 4500 msiexec.exe Token: SeSecurityPrivilege 4500 msiexec.exe Token: SeTakeOwnershipPrivilege 4500 msiexec.exe Token: SeLoadDriverPrivilege 4500 msiexec.exe Token: SeSystemProfilePrivilege 4500 msiexec.exe Token: SeSystemtimePrivilege 4500 msiexec.exe Token: SeProfSingleProcessPrivilege 4500 msiexec.exe Token: SeIncBasePriorityPrivilege 4500 msiexec.exe Token: SeCreatePagefilePrivilege 4500 msiexec.exe Token: SeCreatePermanentPrivilege 4500 msiexec.exe Token: SeBackupPrivilege 4500 msiexec.exe Token: SeRestorePrivilege 4500 msiexec.exe Token: SeShutdownPrivilege 4500 msiexec.exe Token: SeDebugPrivilege 4500 msiexec.exe Token: SeAuditPrivilege 4500 msiexec.exe Token: SeSystemEnvironmentPrivilege 4500 msiexec.exe Token: SeChangeNotifyPrivilege 4500 msiexec.exe Token: SeRemoteShutdownPrivilege 4500 msiexec.exe Token: SeUndockPrivilege 4500 msiexec.exe Token: SeSyncAgentPrivilege 4500 msiexec.exe Token: SeEnableDelegationPrivilege 4500 msiexec.exe Token: SeManageVolumePrivilege 4500 msiexec.exe Token: SeImpersonatePrivilege 4500 msiexec.exe Token: SeCreateGlobalPrivilege 4500 msiexec.exe Token: SeBackupPrivilege 844 vssvc.exe Token: SeRestorePrivilege 844 vssvc.exe Token: SeAuditPrivilege 844 vssvc.exe Token: SeBackupPrivilege 3964 msiexec.exe Token: SeRestorePrivilege 3964 msiexec.exe Token: SeRestorePrivilege 3964 msiexec.exe Token: SeTakeOwnershipPrivilege 3964 msiexec.exe Token: SeRestorePrivilege 3964 msiexec.exe Token: SeTakeOwnershipPrivilege 3964 msiexec.exe Token: SeBackupPrivilege 1228 srtasks.exe Token: SeRestorePrivilege 1228 srtasks.exe 
Token: SeSecurityPrivilege 1228 srtasks.exe Token: SeTakeOwnershipPrivilege 1228 srtasks.exe Token: SeBackupPrivilege 1228 srtasks.exe Token: SeRestorePrivilege 1228 srtasks.exe Token: SeSecurityPrivilege 1228 srtasks.exe Token: SeTakeOwnershipPrivilege 1228 srtasks.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4500 msiexec.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 1576 winlogon.exe 4628 AE 0124 BE.exe 4868 winlogon.exe 2052 winlogon.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3152 wrote to memory of 4500 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 81 PID 3152 wrote to memory of 4500 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 81 PID 3152 wrote to memory of 4500 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 81 PID 3152 wrote to memory of 1576 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 82 PID 3152 wrote to memory of 1576 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 82 PID 3152 wrote to memory of 1576 3152 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 82 PID 1576 wrote to memory of 4628 1576 winlogon.exe 83 PID 1576 wrote to memory of 4628 1576 winlogon.exe 83 PID 1576 wrote to memory of 4628 1576 winlogon.exe 83 PID 1576 wrote to memory of 4868 1576 winlogon.exe 84 PID 1576 wrote to memory of 4868 1576 winlogon.exe 84 PID 1576 wrote to memory of 4868 1576 winlogon.exe 84 PID 4628 wrote to memory of 2052 4628 AE 0124 BE.exe 85 PID 4628 wrote to memory of 2052 4628 AE 0124 BE.exe 85 PID 4628 wrote to memory of 2052 4628 AE 0124 BE.exe 85 PID 3964 wrote to memory of 1228 3964 msiexec.exe 91 PID 3964 wrote to memory of 1228 3964 msiexec.exe 91 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe  "C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3152
    C:\Windows\SysWOW64\msiexec.exe  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:4500
    C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Checks computer location settings
      - Executes dropped EXE
      - Drops autorun.inf file
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:1576
        C:\Windows\AE 0124 BE.exe  "C:\Windows\AE 0124 BE.exe"
          - Drops file in Drivers directory
          - Manipulates Digital Signatures
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops desktop.ini file(s)
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:4628
            C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:2052
        C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:4868
C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3964
    C:\Windows\system32\srtasks.exe  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
      PID:1228
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:844
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
423KB
MD5 486f9620b2994ba36ef9902cf9753c22
SHA1 9bc137af24575692930bc1a5072f5190471a82e8
SHA256 9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23
SHA512 dde4bcb0cd560bcf427c86e88f2e4e8eb0cdf1108e6b32d8228de9fef192f02906981c6f0572ecfc69929994b6f4f2d344bb8030ec8fcdd3686f7a1985beee9a
-
Filesize
1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
94KB
MD5 c9bbc3081799a8fecfa8360c8d0ba1a9
SHA1 956f852d525de269c36d356a73b43a42f839aba7
SHA256 1f13f61b6ab1621c02ba45ff6c5a0feb655a90226b05b0e2b5511d3a175a432f
SHA512 e62ba334df0c9921b7e9e8c79d1791a4e9c8f8181013bf46514b4b507d3092015d5626a4e1a9d1c62454deabcca6aad2a54cb311fe48c89bf73c93f29489a522
-
Filesize
23.7MB
MD5 ffe8dee603e50a28f5c44e370c3100f7
SHA1 fad7e4adb7f0011f0194d8fe74ec82993b697a23
SHA256 73884642e974f4cffd2f8d2883f6bc80b5d9fd4df5b606a03d3b1598acc4f654
SHA512 c9b335bfbce35fbe1e66f0a65c511a22291baae645ea5b98a0f62522d6369eb32eac9367a734b4f75277486e3c4bf62059c24112593f85ed44e5b9a632c22cda
-
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5d675654-594c-4590-a5ee-1d1fa03c5e38}_OnDiskSnapshotProp
Filesize
6KB
MD5 87c1699893f155798530d90fa35a7226
SHA1 1d7672eeb569bc209b4614b5b77ce6977e32d226
SHA256 9fba6079a6eabbb53ee601eed3fe80ce706ab208f342d5a4764876219fa30d33
SHA512 42c8302cda5b1bc539e4767596143334e4fc127623d49ec4d767ee01725e74c43cb5a5961b0a9b501c764ef133a75369819d95b2a21d6dc9fd80598309d684bd
-
Filesize
21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b