Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 01:10
Behavioral task: behavioral1
Sample: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Resource: win10v2004-20240508-en
General
Target: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Size: 292KB
MD5: a273044943723ee8f98fc5212a5176b2
SHA1: 83840f7c21ba99a59cbad0c3a80cdf4fb2d5460b
SHA256: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99
SHA512: e3b7f6fd0a1bd922d091dafce5fa73b55a85917aa18a0067b7dc4e89501de916029c35ed46677e4bf24012c97f5347e32c119721bf866ba947bdf4a95660112e
SSDEEP: 3072:2r+Fu6eC0VjywzvcXcSqviamCIngQMTqGMWH2EZjg1wmxNAntKHzvtCQj:E5vcXgvibeqGNWE9+7AnAHzvtB
Malware Config
Signatures
UPX dump on OEP (original entry point) 10 IoCs
Drops file in Drivers directory 39 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
4192 | winlogon.exe
3392 | AE 0124 BE.exe
2300 | winlogon.exe
968 | winlogon.exe
Loads dropped DLL 3 IoCs
pid | Process
3392 | AE 0124 BE.exe
2300 | winlogon.exe
968 | winlogon.exe
Drops desktop.ini file(s) 57 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll | msiexec.exe
Drops file in Windows directory 64 IoCs
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nl-nl_1a5094bef23c919f.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Catalogs\95286fe1d6e83a498798f27bd01cfe5620f7688a170348fbcc0e32fc5a069204.cat AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-energy-winrt_31bf3856ad364e35_10.0.19041.264_none_f5ea8a4757ab344a\Windows.Energy.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ing-lpdprintservice_31bf3856ad364e35_10.0.19041.1288_none_006587932675423b\lpdsvc.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_1913b24a44b591ab\_DataOracleClientPerfCounters_shared12_neutral_d.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Catalogs\37e2075905f28373c4c7cf1fafea25fa6968a085cd075cfade4e67f295b3d7d7.cat AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ieframe.resources_31bf3856ad364e35_11.0.19041.1_uk-ua_a3b1ffa40600e979.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-magnification_31bf3856ad364e35_10.0.19041.1_none_ad79cbaa25408b6c.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-shmig_31bf3856ad364e35_10.0.19041.1_none_1fe431714add4546.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-g..ppolicy-policymaker_31bf3856ad364e35_10.0.19041.388_none_1519390ba7e9e67d\gpprefcl.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_11.0.19041.264_none_693d5f2f14da2062\r AE 0124 BE.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-p..owershell.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cff29ade12ecb5f1\PrintManagementProvider.mfl AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winocr-tifffilter_31bf3856ad364e35_10.0.19041.746_none_111c42f94a71c06b\r AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-g..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_5adbfdeb4fff612b.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4aa999c32b0031f4\windowsperformancerecordercontrol.dll AE 0124 BE.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\f5852c82815dea15df3feb0b6a3dfec0\Microsoft.PowerShell.ISECommon.ni.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CustomMarshalers.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rdbss_31bf3856ad364e35_10.0.19041.1_none_0fc5e55000c6f60f AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1560 msiexec.exe
1560 msiexec.exe
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process
Token: SeShutdownPrivilege 184 msiexec.exe
Token: SeIncreaseQuotaPrivilege 184 msiexec.exe
Token: SeSecurityPrivilege 1560 msiexec.exe
Token: SeCreateTokenPrivilege 184 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 184 msiexec.exe
Token: SeLockMemoryPrivilege 184 msiexec.exe
Token: SeIncreaseQuotaPrivilege 184 msiexec.exe
Token: SeMachineAccountPrivilege 184 msiexec.exe
Token: SeTcbPrivilege 184 msiexec.exe
Token: SeSecurityPrivilege 184 msiexec.exe
Token: SeTakeOwnershipPrivilege 184 msiexec.exe
Token: SeLoadDriverPrivilege 184 msiexec.exe
Token: SeSystemProfilePrivilege 184 msiexec.exe
Token: SeSystemtimePrivilege 184 msiexec.exe
Token: SeProfSingleProcessPrivilege 184 msiexec.exe
Token: SeIncBasePriorityPrivilege 184 msiexec.exe
Token: SeCreatePagefilePrivilege 184 msiexec.exe
Token: SeCreatePermanentPrivilege 184 msiexec.exe
Token: SeBackupPrivilege 184 msiexec.exe
Token: SeRestorePrivilege 184 msiexec.exe
Token: SeShutdownPrivilege 184 msiexec.exe
Token: SeDebugPrivilege 184 msiexec.exe
Token: SeAuditPrivilege 184 msiexec.exe
Token: SeSystemEnvironmentPrivilege 184 msiexec.exe
Token: SeChangeNotifyPrivilege 184 msiexec.exe
Token: SeRemoteShutdownPrivilege 184 msiexec.exe
Token: SeUndockPrivilege 184 msiexec.exe
Token: SeSyncAgentPrivilege 184 msiexec.exe
Token: SeEnableDelegationPrivilege 184 msiexec.exe
Token: SeManageVolumePrivilege 184 msiexec.exe
Token: SeImpersonatePrivilege 184 msiexec.exe
Token: SeCreateGlobalPrivilege 184 msiexec.exe
Token: SeBackupPrivilege 2688 vssvc.exe
Token: SeRestorePrivilege 2688 vssvc.exe
Token: SeAuditPrivilege 2688 vssvc.exe
Token: SeBackupPrivilege 1560 msiexec.exe
Token: SeRestorePrivilege 1560 msiexec.exe
Token: SeRestorePrivilege 1560 msiexec.exe
Token: SeTakeOwnershipPrivilege 1560 msiexec.exe
Token: SeRestorePrivilege 1560 msiexec.exe
Token: SeTakeOwnershipPrivilege 1560 msiexec.exe
Token: SeBackupPrivilege 4248 srtasks.exe
Token: SeRestorePrivilege 4248 srtasks.exe
Token: SeSecurityPrivilege 4248 srtasks.exe
Token: SeTakeOwnershipPrivilege 4248 srtasks.exe
Token: SeRestorePrivilege 1560 msiexec.exe
Token: SeTakeOwnershipPrivilege 1560 msiexec.exe
Token: SeBackupPrivilege 4248 srtasks.exe
Token: SeRestorePrivilege 4248 srtasks.exe
Token: SeSecurityPrivilege 4248 srtasks.exe
Token: SeTakeOwnershipPrivilege 4248 srtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
184 msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
4192 winlogon.exe
3392 AE 0124 BE.exe
2300 winlogon.exe
968 winlogon.exe
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1852 wrote to memory of 184 1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 82
PID 1852 wrote to memory of 184 1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 82
PID 1852 wrote to memory of 184 1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 82
PID 1852 wrote to memory of 4192 1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 84
PID 1852 wrote to memory of 4192 1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 84
PID 1852 wrote to memory of 4192 1852 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe 84
PID 4192 wrote to memory of 3392 4192 winlogon.exe 86
PID 4192 wrote to memory of 3392 4192 winlogon.exe 86
PID 4192 wrote to memory of 3392 4192 winlogon.exe 86
PID 4192 wrote to memory of 2300 4192 winlogon.exe 87
PID 4192 wrote to memory of 2300 4192 winlogon.exe 87
PID 4192 wrote to memory of 2300 4192 winlogon.exe 87
PID 3392 wrote to memory of 968 3392 AE 0124 BE.exe 88
PID 3392 wrote to memory of 968 3392 AE 0124 BE.exe 88
PID 3392 wrote to memory of 968 3392 AE 0124 BE.exe 88
PID 1560 wrote to memory of 4248 1560 msiexec.exe 95
PID 1560 wrote to memory of 4248 1560 msiexec.exe 95
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1852
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 184
  - C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4192
    - C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3392
      - C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID: 968
    - C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 2300
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1560
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 4248
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 292KB
  MD5 5509e489819927ce83d9cdb410aa17dc
  SHA1 87dab44eb3da7d0b538593b1ca854712f41d6b8e
  SHA256 2a033498341bf9e3db3df3f46cf183c6fb5a9d86313cefb39271bfdd8b7dd834
  SHA512 d82198c6667522cbd3789ff7f723c5a0c708a161443692ba6f3662aae77a64ca7fbbe802a1690c555444d3e7a1e0bab9d75f1b0a139be7dd14e71c18d4a38c50
- Filesize 1.4MB
  MD5 25f62c02619174b35851b0e0455b3d94
  SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize 48KB
  MD5 833e9f4555d6dd92739f161eab2516a3
  SHA1 f946f93117471d4fff1350a8b024f03b46de4ccd
  SHA256 786d08a766f02b62f6a5886238867b73e0bb5fe28cf0c0bf31ed9c820444dbeb
  SHA512 618f0ba39f7e5b251fac5c135bdf182dfadbb086d63983ddbaf1726c02a19d562c5504bacf042dcd72a982257a2af958257b1ab9b82f7f19b41f094e0f84df0a
- Filesize 23.7MB
  MD5 2440b992447fa1306bac42b144a83f64
  SHA1 9e4ea56056af053b8bdaf07eb6e37687f814ca1f
  SHA256 7420a6bbd7397feed1d32183dbc7372fa6c76bfb0f4d4f12b8b00c4a6842f2ac
  SHA512 94fecddab8e6eba72ade1ff9b3b0aa2354d62a3096e939ba95c5ed7c1529d20609abd17e9ddecec624de525a9fa950d3b5536605f6b074234274539b18a57734
- \??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f73a5f3c-3a0a-4ff7-b790-72ae5d809bdc}_OnDiskSnapshotProp
  Filesize 6KB
  MD5 324a3418cb1dd4edf787a6b0b05d976c
  SHA1 10428bcbf410dfe8169a1de6cde843dc8a8de4e6
  SHA256 c8026051ccba231bf1c1c841a08a68850eeed47f2b0c1c943776af71184ece5a
  SHA512 74f76ebe0cf0d802447a5de484e6841c88f819b45531ef673adf1478f95f068d11648959478c104e0cefa455eadda3e682cad46bab7288a3640750c80a5c3cd4
- Filesize 21B
  MD5 9cceaa243c5d161e1ce41c7dad1903dd
  SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
  SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
  SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b