Malware Analysis Report

2025-08-11 06:10

Sample ID 240610-1f2jtssarn
Target 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9
SHA256 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9
Tags
upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9

Threat Level: Known bad

The file 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9 was found to be: Known bad.

Malicious Activity Summary

upx

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Manipulates Digital Signatures

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops desktop.ini file(s)

Enumerates connected drives

Blocklisted process makes network request

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 21:36

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
(1 hit; no indicator details recorded)

UPX packed file

upx
Description Indicator Process Target
(1 hit; no indicator details recorded)

Unsigned PE

Description Indicator Process Target
(1 hit; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 21:36

Reported

2024-06-10 21:38

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
(7 hits; no indicator details recorded)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\es-ES C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\it-IT C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\fr-FR C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US C:\Windows\AE 0124 BE.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\AE 0124 BE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\AE 0124 BE.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 hits; no indicator details recorded)

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Characters\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Fonts\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Offline Web Pages\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Characters\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Heritage\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Raga\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Sonata\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Calligraphy\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Quirky\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Savanna\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Architecture\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Landscape\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Scenes\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini C:\Windows\AE 0124 BE.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Speech\SpeechUX\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpfvuw73.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2\xccpx64.ax C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\hnetmon.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\Amd64\KYUD3050.GDL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\comdlg32.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-Licensing-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\Rt64win7.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1341E3.PPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\syskey.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\termmgr.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNBP_346.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smpsrd1.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\comctl32.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\netcorehc.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\sendmail.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrBidiIf.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\lsi_sas2.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\lsi_scsi.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\where.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\mssvp.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDINKAN.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-HomePremium-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\fr-FR\PolicMan.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\wshelper.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\dhcpcore.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\C_932.NLS C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\da-DK\WMPhoto.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\adpahci.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\nlsbres.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\ipconfig.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\DWWIN.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\xmlfilter.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GSC60006.GPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc660.ppd C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\wlancfg.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\encapi.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\Mdmmct.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\fms.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\dialer.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\drt.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCTP.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\rdpencom.mof C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\license.rtf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\mdmmhrtz.PNF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\cipher.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\prnlx00x.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\webio.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\fr-FR\wbemcntl.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Arithmetic_Operators.help.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\ntshrui.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNB9BDBA.ICM C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGEUC.GPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\rasauto.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\termsrv.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa430t.exp C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\scsidev.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\WindowsSideShowEnhancedDriver.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\NetworkExplorer.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\VAN.dll C:\Windows\AE 0124 BE.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\x86_networking-mpssvc-netsh.resources_31bf3856ad364e35_6.1.7600.16385_it-it_73122acb3d9fdd1e C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_4b2efb22b62d4e89_comdlg32.dll.mui_ac8e62f4 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-bubbles.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cad0442ba9d196be.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.1.7600.16385_none_bb2765e0802e6023 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\msil_eventviewer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2111e19b2846506f C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\154860df057d588035a8c66a65ea31e7 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_bth.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0b8fcd3ea489d40f\bthport.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1371f719024ec402\metadata.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_de5fc12ac865ab23.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\wow64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_33ddcaa78e6c5a2b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.1.7601.17514_none_fc00d9a9415b5f6e C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\msil_microsoft.transacti..ridge.dtc.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_e8890b9f05380710 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_th-th_d3425786c0003660\comdlg32.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..onitoring.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ae8e830e791f566\esentprf.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_mf.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b9698dd58fb9507\mf.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ntfs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_40a72e2477e646bb\ntfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-recdisc-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34bdf648c855aaab\recdisc.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_adp94xx.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_4d3d58761ffa4e2a.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_netb57va.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_be568ac214282cd8.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Web.resources\3.5.0.0_de_31bf3856ad364e35\System.ServiceModel.Web.resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\831aa231315a31ed3efeba1feb3bb936 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netrtl64.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0b9fd19a76636d6a\netrtl64.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_networking-mpssvc-rules-slsvc_31bf3856ad364e35_6.1.7600.16385_none_74f824336eb1c897.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_0e8038f3d049c3bf\manageAllRoles.aspx.fr.resx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions.resources\3.5.0.0_ja_31bf3856ad364e35\System.Web.Abstractions.Resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..tings-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e79c09909f5a995c C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\FileMaps\$$_ime_en-us_0d349188e45a5789.cdf-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_6.1.7600.16385_none_fd9ec705e687f8c2.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_server-help-chm.authm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_db7e2ee783b863a3.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\wow64_microsoft-windows-iis-cgi_31bf3856ad364e35_6.1.7600.16385_none_bcf1c0c5b0d6ab5b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-mobsync.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7a1950c826720eee.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_77292506e0ec2410.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-a..managerui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9b4cdf6b879bc8dd.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..it-snapin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a957712fdcff0cae\gpedit.msc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_wiaca00f.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_514b2ce5cc99857c.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-c..n-comrepl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_78e547b1e6f6c4ab\comrepl.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-dataclen_31bf3856ad364e35_6.1.7600.16385_none_f67c8b94f4c94f5f.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\msil_microsoft.windows.smc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_deb6fe6a396e8374.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\msil_system.data.oracleclient.resources_b77a5c561934e089_6.1.7601.17514_fr-fr_6082fa73b98dca5a\System.Data.OracleClient.resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.22091_none_6907efc6abd0db81\api-ms-win-core-delayload-l1-1-0.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-voice_31bf3856ad364e35_6.1.7600.16385_none_44610425b014c1b0.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-c..lus-dtc-vistasp1-mc_31bf3856ad364e35_6.1.7600.16385_none_bdeda2769fc14973.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d4f8a2f961a0e7e4\settings.css C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ehome\ehProxy.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-onlineidcpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_81b4fa5e308aec80 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wiacn001.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1ed72f01bed5678a\CNHW760S.DLL.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-devinst-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ac77d5b138db374f.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-openfiles.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0418e2ff50411f0b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-d..tshow-asf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d80935f74b1c88ea\qasf.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.1.7600.16385_none_237ab8d1f339c9c5\DebugAndTrace.aspx.resx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_771a5388e183d666 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_iscsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d5f0cdf505a7cc8e\iscsi.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-n..ce_iassdo.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3f7baabfab616bf2\iassdo.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_62efd6227ab667ed\prnca00d.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wiabr007.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72121bad08657463\Brmf3wia.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_zh-hk_e2d325bf9fa56995\DWrite.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-hgroupp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d38ef3294cdafa0.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\wow64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fbd45b0284455882\bthprops.cpl.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Help\Windows\it-IT\iisbasic.h1s C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-m..ntrol-rll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8c48a0cb5e48b35e C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-c..ilter-rtf.resources_31bf3856ad364e35_7.0.7600.16385_en-us_e38d3c416c0de551 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_brmfcmf.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8910876519478872\brmfcmf.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-c..questtool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_409537159e37bcf7 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_bf37bd127de6c85d_comdlg32.dll.mui_ac8e62f4 C:\Windows\AE 0124 BE.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2944 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2944 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2944 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2748 wrote to memory of 2468 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2748 wrote to memory of 2468 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2748 wrote to memory of 2468 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2748 wrote to memory of 2468 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2468 wrote to memory of 2540 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2468 wrote to memory of 2540 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2468 wrote to memory of 2540 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2468 wrote to memory of 2540 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2748 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2748 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2748 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2748 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe

"C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\AE 0124 BE.exe

"C:\Windows\AE 0124 BE.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000003A8"

Network

Files

memory/2944-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\AE 0124 BE.msi

MD5 486f9620b2994ba36ef9902cf9753c22
SHA1 9bc137af24575692930bc1a5072f5190471a82e8
SHA256 9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23
SHA512 dde4bcb0cd560bcf427c86e88f2e4e8eb0cdf1108e6b32d8228de9fef192f02906981c6f0572ecfc69929994b6f4f2d344bb8030ec8fcdd3686f7a1985beee9a

memory/2944-13-0x0000000003C40000-0x00000000046FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarE19.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\CabE07.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

\Windows\SysWOW64\drivers\winlogon.exe

MD5 c9bbc3081799a8fecfa8360c8d0ba1a9
SHA1 956f852d525de269c36d356a73b43a42f839aba7
SHA256 1f13f61b6ab1621c02ba45ff6c5a0feb655a90226b05b0e2b5511d3a175a432f
SHA512 e62ba334df0c9921b7e9e8c79d1791a4e9c8f8181013bf46514b4b507d3092015d5626a4e1a9d1c62454deabcca6aad2a54cb311fe48c89bf73c93f29489a522

memory/2944-45-0x0000000003400000-0x000000000340B000-memory.dmp

memory/2944-52-0x0000000003400000-0x000000000340B000-memory.dmp

C:\Windows\Msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2748-74-0x00000000003E0000-0x00000000003EB000-memory.dmp

memory/2748-73-0x00000000003E0000-0x00000000003EB000-memory.dmp

memory/2748-78-0x00000000034B0000-0x0000000003F6A000-memory.dmp

memory/2468-79-0x00000000030B0000-0x0000000003B6A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2748-112-0x0000000004420000-0x000000000442B000-memory.dmp

memory/2468-111-0x0000000004540000-0x000000000454B000-memory.dmp

\??\c:\B1uv3nth3x1.diz

MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

C:\Users\Admin\AppData\Local\Temp\Tar115C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2944-184-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2816-183-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2468-318-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 21:36

Reported

2024-06-10 21:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\uk-UA C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US C:\Windows\AE 0124 BE.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\AE 0124 BE.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\AE 0124 BE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\AE 0124 BE.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\AE 0124 BE.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme1\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Fonts\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Offline Web Pages\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme2\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini C:\Windows\AE 0124 BE.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\image.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\itSAS35i.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_21_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\de-DE\MSFT_FileDirectoryConfiguration.Schema.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ucmucsiacpiclient.inf_amd64_a233292790c69f03 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemUWPLauncher.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\adrclient.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Not-Supported-On-LTSB-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\c_fsinfrastructure.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_aa2738d63955f632\mdmmhrtz.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MSFT_DtcTransactionsTraceSettingTask_v1.0.cdxml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\OnDemandBrokerClient.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Devices.Printers.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-COM-MSMQ-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\microsoft_bluetooth_hfp_ag.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\DMRCDecoder.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ncryptprov.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_1daeee8f3aa30fcb\Amd64\TTYUI.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\netrass.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\wevtfwd.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WmiPerfInst.mof C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDHELA3.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\xusb22.inf_amd64_d0f2fd4c931f4672\xusb22.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\wvmic.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\vhdmp.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\acppage.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Stop-DscConfiguration.cdxml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\da-DK\quickassist.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_d7b1959484ec8228\mdmgsm.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\c_display.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTable.xsd C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\xpsservices.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech\Common C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\dot3svc.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-runtime-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\wlansvc.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\PrintQueue.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\RADCUI.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-stepsrecorder-package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.746.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\cs-CZ\comctl32.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_f2e8231e8b60f214\serenum.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ja\Microsoft.Dtc.PowerShell.Resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IntegrationComponents-VirtualDevice-Core-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\catsrvut.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\termkbd.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\GameBarPresenceWriter.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\inetsrv C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-VM-Setup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-KeyboardFilter-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\unknown.inf_loc C:\Windows\AE 0124 BE.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nsors-cpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_40edfad252fc803f\SensorsCpl.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-msauddecmft_31bf3856ad364e35_10.0.19041.1165_none_caedb67d36fe1f6c\r C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\f\WMIADAP.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ndactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_8b4593ccb753f4e5_bamsettingsclient.dll_db7ec840 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-data-pdf_31bf3856ad364e35_10.0.19041.1023_none_758123c77d34120c\f\Windows.Data.Pdf.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_es-es_b3b0ed14fe40ccd3 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~~10.0.19041.264.mum C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lock-controller_31bf3856ad364e35_10.0.19041.153_none_d7bf694ec2d9771d\LockController.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-remoteassistance_31bf3856ad364e35_10.0.19041.1110_none_97e1dbe4cf8c165b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_8252c0f136f5bd40 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\msil_policy.1.0.microsof..commands.management_31bf3856ad364e35_10.0.19041.1_none_752fd400d6b22da2 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_e304dcaa2490f61c\r\SystemUWPLauncher.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-k..-plug-ins.resources_31bf3856ad364e35_10.0.19041.1_en-us_74034b2d69d662b4.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.19041.1_none_8544c27699e18a0d\MSFT_NetNat.cdxml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-errorreporting-adm_31bf3856ad364e35_10.0.19041.1_none_befde081b442b102\ErrorReporting.admx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..peech-en-us-onecore_31bf3856ad364e35_10.0.19041.1_none_b1edff6d283a640a\enUS.Computer.dat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\r\WsmRes.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_uk-ua_a62184ec72401eb4.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-msftedit.resources_31bf3856ad364e35_10.0.19041.1_de-de_f23513f85f39708a\msftedit.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Resources\2.0.0.0_de_b77a5c561934e089 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\peverify.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..u-education-license_31bf3856ad364e35_10.0.19041.1266_none_698b5e99f49a9026\Education-Volume-CSVLK-1-ul-oob-rtm.xrm-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_system.data.entity.design_b77a5c561934e089_4.0.15805.0_none_24e767531d696c55 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_47d83bc872f1a26d C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..workspace.resources_31bf3856ad364e35_10.0.19041.1_es-es_c6a7fe7030c40507.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_ndiscap.inf_31bf3856ad364e35_10.0.19041.1_none_11d8e6d0f7610805\ndiscap.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..lineid-wamextension_31bf3856ad364e35_10.0.19041.264_none_dded55235e2a2dc1\r\MicrosoftAccountWAMExtension.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_8ecbbe413c24502b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-NFS-Administration-D-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeEPUB.targetsize-16.png C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-id-connecte..t-provider-wlidprov_31bf3856ad364e35_10.0.19041.746_none_1d7b3edde1954a77\wlidprov.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_it-it_e01c215223d87c9c\netdacim.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\de\DropSqlPersistenceProviderLogic.sql C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\users_public_documents_70461e22eba239ef.cdf-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\INF\amdsbs.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..sumercore.resources_31bf3856ad364e35_10.0.19041.1_de-de_d6938a4c4537f017 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Rules.System.CPU.xml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..ry-client.resources_31bf3856ad364e35_10.0.19041.1023_en-us_3aa7ef6cf79dca89 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_8e849708e7ef0ee7 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..nlegacyui.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_23654fd04c52b1d1\wininetlui.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-k..-plug-ins.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a2d39364271c6214\kswdmcap.ax.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_10.0.19041.746_none_b9f682f6b5dee942\r\psisdecd.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1202_en-us_b285b6e44b513a4c\Report.System.Wireless.xml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.data.services.resources_v4.0_4.0.0.0_de_b77a5c561934e089_d29551cf160287a5.cdf-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d\dui70.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.ServiceModel.Discovery.resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..u-education-license_31bf3856ad364e35_10.0.19041.1266_none_698b5e99f49a9026\f\Education-Volume-CSVLK-4-ul-phn-rtm.xrm-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-u..roundprocessmanager_31bf3856ad364e35_10.0.19041.1266_none_db15e480a69981a5.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-xwizards.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_490038abe8f2bf96.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-onecore-a..nmodel-datatransfer_31bf3856ad364e35_10.0.19041.264_none_07cb61c1b01391ce\f C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-DeviceGuard-GPEXT-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_01c9581e60cbee58\MFC90DEU.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\a74a1ee5e9184c47c28a9c00e373893cc3f766e248cd278eb25d5bf689b942a3.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..bility45-deployment_31bf3856ad364e35_10.0.19041.264_none_9b31998be0afe925.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..tperrors-deployment_31bf3856ad364e35_10.0.19041.964_none_7a16b40f79b2c484.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_fr-fr_34debcb59bd900bb.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..xperience.resources_31bf3856ad364e35_10.0.19041.1_en-us_b1cd38b61e0a12ad.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-msports.resources_31bf3856ad364e35_10.0.19041.1_es-es_90bf477a7f8f5b83.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..foldersui.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ccfa3499bf76a9a.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_10abbd920ab9ed66 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ahcache_31bf3856ad364e35_10.0.19041.928_none_11616d60b8a0cb9a\ahcache.sys C:\Windows\AE 0124 BE.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\drivers\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\AE 0124 BE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 3152 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 3152 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\msiexec.exe
PID 3152 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 3152 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 3152 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 1576 wrote to memory of 4628 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 1576 wrote to memory of 4628 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 1576 wrote to memory of 4628 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 1576 wrote to memory of 4868 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 1576 wrote to memory of 4868 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 1576 wrote to memory of 4868 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 4628 wrote to memory of 2052 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 4628 wrote to memory of 2052 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 4628 wrote to memory of 2052 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 3964 wrote to memory of 1228 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3964 wrote to memory of 1228 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe

"C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\AE 0124 BE.exe

"C:\Windows\AE 0124 BE.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Network

Files

memory/3152-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\AE 0124 BE.msi

MD5 486f9620b2994ba36ef9902cf9753c22
SHA1 9bc137af24575692930bc1a5072f5190471a82e8
SHA256 9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23
SHA512 dde4bcb0cd560bcf427c86e88f2e4e8eb0cdf1108e6b32d8228de9fef192f02906981c6f0572ecfc69929994b6f4f2d344bb8030ec8fcdd3686f7a1985beee9a

C:\Windows\SysWOW64\drivers\winlogon.exe

MD5 c9bbc3081799a8fecfa8360c8d0ba1a9
SHA1 956f852d525de269c36d356a73b43a42f839aba7
SHA256 1f13f61b6ab1621c02ba45ff6c5a0feb655a90226b05b0e2b5511d3a175a432f
SHA512 e62ba334df0c9921b7e9e8c79d1791a4e9c8f8181013bf46514b4b507d3092015d5626a4e1a9d1c62454deabcca6aad2a54cb311fe48c89bf73c93f29489a522

C:\Windows\Msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3152-60-0x0000000000400000-0x000000000040B000-memory.dmp

\??\c:\B1uv3nth3x1.diz

MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

memory/4868-83-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4868-84-0x0000000000400000-0x000000000040B000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2052-104-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2052-107-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1576-452-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4628-453-0x0000000000400000-0x000000000040B000-memory.dmp

\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5d675654-594c-4590-a5ee-1d1fa03c5e38}_OnDiskSnapshotProp

MD5 87c1699893f155798530d90fa35a7226
SHA1 1d7672eeb569bc209b4614b5b77ce6977e32d226
SHA256 9fba6079a6eabbb53ee601eed3fe80ce706ab208f342d5a4764876219fa30d33
SHA512 42c8302cda5b1bc539e4767596143334e4fc127623d49ec4d767ee01725e74c43cb5a5961b0a9b501c764ef133a75369819d95b2a21d6dc9fd80598309d684bd

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 ffe8dee603e50a28f5c44e370c3100f7
SHA1 fad7e4adb7f0011f0194d8fe74ec82993b697a23
SHA256 73884642e974f4cffd2f8d2883f6bc80b5d9fd4df5b606a03d3b1598acc4f654
SHA512 c9b335bfbce35fbe1e66f0a65c511a22291baae645ea5b98a0f62522d6369eb32eac9367a734b4f75277486e3c4bf62059c24112593f85ed44e5b9a632c22cda

memory/4628-472-0x0000000000400000-0x000000000040B000-memory.dmp