Malware Analysis Report

2025-08-05 09:42

Sample ID: 240611-bjszesyemj
Target: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99
SHA256: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99
Tags: upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99

Threat Level: Known bad

The file 9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99 was found to be: Known bad.

Malicious Activity Summary

upx

UPX dump on OEP (original entry point)

Manipulates Digital Signatures

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks computer location settings

Blocklisted process makes network request

Drops desktop.ini file(s)

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 01:10

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 01:10
Reported: 2024-06-11 01:13
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\es-ES C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\it-IT C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\AE 0124 BE.exe N/A
File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\fr-FR C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui C:\Windows\AE 0124 BE.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\AE 0124 BE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\AE 0124 BE.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Characters\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Heritage\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Savanna\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Scenes\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Architecture\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Cityscape\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Festival\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Quirky\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Sonata\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Offline Web Pages\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Delta\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Characters\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Nature\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini C:\Windows\AE 0124 BE.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\e1e6032e.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\napipsec.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\packager.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\WMALFXGFXDSP.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\MSVidCtl.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF6980T.XML C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\INISC253.PPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LRC1500.GPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\sti.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\mdmbr006.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\onexui.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\getmac.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-EnterpriseEdition-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\NcdProp.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja\AuthFWSnapIn.Resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\Bubbles.scr C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7ULAA.ICM C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\azroles.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\oledlg.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\msorc32r.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\msprivs.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\prnca003.PNF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\Amd64\SVC240D.GPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\bitsadmin.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\TRAPI.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\BRM867DN.GPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\auditpol.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\sppcc.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\replacementmanifests\authui-migration-replacement.man C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\eventvwr.msc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\PeerToPeerGrouping-DL.man C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WfHC.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\oleaut32.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\arcsas.PNF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\LocationNotifications.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\neth.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXL.INI C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\powershell_ise.resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\multiprt.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmbr00a.inf_amd64_neutral_aa4f0850ff03674e\mdmbr00a.PNF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\irclass.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\fsutil.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\EventCreate.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\hu-HU\mlang.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\NetworkExplorer.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\shwebsvc.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ddrawex.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GSC7526D.GPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV1321E3.PPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\dsprop.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseN C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\multiprt.inf_loc C:\Windows\AE 0124 BE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.1.7600.16385_none_73373b169fcf68cb C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_4809f54ad4f6614d.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-sysinfo.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_06b08462763a4a1c.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-i..hinese-imepadapplet_31bf3856ad364e35_6.1.7600.16385_none_faff6acb5cd29b45\MSHWCHTRIME.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-u..re-atmini.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_206fe7a92ead27ab\unimdmat.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Cursors\arrow_r.cur C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\AppCompat.admx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_99dd4dbb750b71c2 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-infocard.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_94d8c43d28c969df\icardie.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_nete1g3e.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_abfb90964f382f32.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_ehstorpwddrv.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_580b66583d093b6e.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_mdmminij.inf_31bf3856ad364e35_6.1.7600.16385_none_45ce09cc47709c2b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-rasplap-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf077f9c01bf086f.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\190c40c1f98dddf624b7e442286d76d4\System.Runtime.Serialization.ni.dll.aux C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnca00h.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4ee05ae5684cbb1\prnca00h.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_it-it_5f6e83504ee8d5f5.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-charmap.resources_31bf3856ad364e35_6.1.7600.16385_it-it_73c013b7234bde63.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng# C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-d..re-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_de4f4a8629efa9ea.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7e05482e7498fc3 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ponent-sku-ultimate_31bf3856ad364e35_6.1.7601.17514_none_f7e6a2aa970662b7\Security-SPP-Component-SKU-Ultimate-OEM-SLPCOA1-ul-oob.xrm-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-mapi_31bf3856ad364e35_6.1.7601.17514_none_ad54ab3a7801c830.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3687be952df5b9b1\settings.css C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_924a71ae0e077dae_msimsg.dll.mui_72e8994f C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_mdmcm28.inf_31bf3856ad364e35_6.1.7600.16385_none_d130a4ccfd6ae450.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-mrc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7e0c8b1a4387b648.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_c30c9017ee72aff3\WebAdminHelp_Application.aspx.de.resx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Fonts\times.ttf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.17514_none_459af2f42285b811 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft.windows.c..ration.online.setup_31bf3856ad364e35_6.1.7600.16385_none_0dbedb7c5ac04a7d C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc53e808eda33786\rwinsta.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..ification.resources_31bf3856ad364e35_6.1.7600.16385_it-it_870e2d2ecfceb6f2.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_ba9e94bf275d71ed C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68750ba1329f3c6f C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-scrnsave.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d60e0225bb629349 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\1px.gif C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_45549abb8ab456cb\WsatConfig.resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_bth.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_412b6c615d92cd59 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_server-help-chm.comexp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7c2bc1948a9f5086 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_82ceb5cdc1645de3 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Notes_loop_PAL.wmv C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\inf\mdmcxhv6.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_prnep00l.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_f05b7df13002cc8b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-driverquery.resources_31bf3856ad364e35_6.1.7600.16385_es-es_58d29339dc26477b C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\setting_back.png C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_ff2b8a4884ab92de\msimsg.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..omponents.resources_31bf3856ad364e35_6.1.7600.16385_es-es_912246ee1073420f.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_win7-microsoft-wind..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_cs-cz_2b0fc458c6c7dba5.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Handles\v4.0_4.0.0.0__b03f5f7f11d50a3a C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c4b9ba2a3ac12f32_msorcl32.chm_650a727b C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ribbons.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ae6e8472b208da12.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_1927f185bf597f41\mstsc.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnrc005.inf_31bf3856ad364e35_6.1.7600.16385_none_227092d2a7af4a58\prnrc005.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dlinetool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ee9d0e0c5a29e375 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmictimeprovider.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_c1d89f450753fc21\cdosys.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-shell32-license_31bf3856ad364e35_6.1.7600.16385_none_70de2556f6dfadae\shell32-license-ppdlic.xrm-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a8f8db81d52af370\wcncsvc.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_8.0.7601.17514_none_27126e7394676c4a\ieakui.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnsv004.inf_31bf3856ad364e35_6.1.7600.16385_none_622bdff1f27c66b3\Amd64\SV1392E3.PPD C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-msmq-runtime_31bf3856ad364e35_6.1.7601.17514_none_ff07d9eb4cd00172.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\security C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.de.resx C:\Windows\AE 0124 BE.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 2224 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2224 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2224 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2224 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2340 wrote to memory of 2536 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2340 wrote to memory of 2536 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2340 wrote to memory of 2536 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2340 wrote to memory of 2536 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 2536 wrote to memory of 1676 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2536 wrote to memory of 1676 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2536 wrote to memory of 1676 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2536 wrote to memory of 1676 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2340 wrote to memory of 2668 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2340 wrote to memory of 2668 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2340 wrote to memory of 2668 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 2340 wrote to memory of 2668 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe

"C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\AE 0124 BE.exe

"C:\Windows\AE 0124 BE.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "00000000000005B0"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
SE 2.21.97.24:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp

Files

memory/2224-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\AE 0124 BE.msi

C:\Users\Admin\AppData\Local\Temp\Tar14ED.tmp

C:\Users\Admin\AppData\Local\Temp\Cab14DA.tmp

memory/2224-13-0x0000000003AE0000-0x000000000459A000-memory.dmp

\Windows\SysWOW64\drivers\winlogon.exe

C:\Windows\Msvbvm60.dll

memory/2224-52-0x0000000004680000-0x000000000468B000-memory.dmp

memory/2224-53-0x0000000004680000-0x000000000468B000-memory.dmp

memory/2340-69-0x00000000003E0000-0x00000000003EB000-memory.dmp

memory/2340-67-0x00000000003E0000-0x00000000003EB000-memory.dmp

memory/2536-71-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2340-75-0x0000000003490000-0x0000000003F4A000-memory.dmp

memory/2536-76-0x0000000003300000-0x0000000003DBA000-memory.dmp

memory/2536-103-0x0000000004540000-0x000000000454B000-memory.dmp

\??\c:\B1uv3nth3x1.diz

memory/2536-102-0x0000000004540000-0x000000000454B000-memory.dmp

memory/2224-116-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1676-119-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2668-142-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar18AE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll

MD5 e1eeb7e26ab04075eecc7275239b20b3
SHA1 ba62b37d4233b88948fdc2ffed08f3c82e8627f1
SHA256 d6cdf961c6d2712fe1958815e51a30960d79fff1e97788b7741627dba972e8f7
SHA512 dd64909c983794c8ac6c33b74711a89b3b33e4429bb5a3a2a2b4e38f5d74902b1589a97014a35fbaf97b469fa57a11314c02d68e1db0934de5244308699fc262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35459eda750ee5ce6b9f99fc5b56f519
SHA1 999f0f37ff67c731c9fa1c7ef5df0cba57b370fa
SHA256 c2ac1469638581ae41b78f13d5dd6d508f471ac0ecacadc9302d85a120e48097
SHA512 afd0836f6a79b1f19d76b1a898f2ec673ee11820c592eaf06a84d8951f8cb9b8b26f22cb5bc50e278717926335da4529bb3fb6411385313ff8becca3ae36710f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 b8a58cd133572987e15e802c42d02f39
SHA1 074ac74fef858a7a7aa5d827e61772fcb704845a
SHA256 df018540d799eb444ea8d4067e916662f901ac5163af3cb0e3a6e1012987c7e7
SHA512 08fcc89ecacc1eccbbdffe7c1f1f1bc2be745bfb81b98a350d6525207c4c4611d3f5f390b20139e80fed8ca0a914c2786b2d6825c745779dac094a1c638f48be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 ba73765ee919ddd61052f416cab82eff
SHA1 c7f513591f11a4225a8a87ea4556c3ebf7beb4b8
SHA256 3a664179a435ead5165cbfa77acb3081619a0d3cc61a95dcdb6fe4beed7c68ad
SHA512 bc67614375414cde7cccf12f0c911d068b843d3e17beb28441420ded7b5060d6f48932f890b059a7765a3882b7d01b48f620eeb4015bc3a3b1c3517eb6acd94f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

memory/2536-376-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2340-536-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2340-546-0x00000000003E0000-0x00000000003EB000-memory.dmp

memory/2340-547-0x00000000003E0000-0x00000000003EB000-memory.dmp

memory/2536-548-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2536-550-0x0000000004540000-0x000000000454B000-memory.dmp

memory/2536-569-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2536-568-0x0000000072940000-0x0000000072A93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:10

Reported

2024-06-11 01:13

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\uk-UA C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Windows\AE 0124 BE.exe N/A
File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Windows\AE 0124 BE.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\AE 0124 BE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\AE 0124 BE.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\AE 0124 BE.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\winlogon.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme2\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Offline Web Pages\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme1\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Fonts\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\AE 0124 BE.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A
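The "Drops file in Drivers directory" and "Drops autorun.inf file" tables above together describe the worm-like part of this sample: the original executable writes a copy of itself as winlogon.exe under C:\Windows\SysWOW64\drivers (the genuine winlogon.exe exists only in C:\Windows\System32), that copy drops Msvbvm60.dll beside itself and then writes Autorun.inf to the root of every drive letter, while the dropped "AE 0124 BE.exe" touches hundreds of files under C:\Windows. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's flattened "Description Indicator Process Target" layout and applies checks a triage analyst would want to automate over such a report (system-binary name outside its canonical directory, Autorun.inf written to drive roots, the Geo\Nation lookup, and a per-process count of writes under C:\Windows). The sample rows are copied from the tables above; the set of System32-only binaries and the canonical directory are this example's own assumptions.

```python
import re
from collections import Counter

# Rows copied from the behavioral2 tables above. Each row is
# "<description> <indicator> <process> N/A", and paths may contain spaces.
SANDBOX_ROWS = [
    r"File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe N/A",
    r"File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll C:\Windows\SysWOW64\drivers\winlogon.exe N/A",
    r"File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys C:\Windows\AE 0124 BE.exe N/A",
    r"File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\AE 0124 BE.exe N/A",
    r"File opened for modification C:\Windows\SysWOW64\wintrust.dll C:\Windows\AE 0124 BE.exe N/A",
    r"File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A",
    r"File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A",
    r"File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A",
    r"File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\winlogon.exe N/A",
    r"File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\AE 0124 BE.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\winlogon.exe N/A",
]

# Description prefixes used by the report's tables.
DESCRIPTIONS = ("File opened for modification", "File created",
                "File opened (read-only)", "Key value queried")
FILE_WRITES = ("File opened for modification", "File created")

# Assumption of this example: these binaries run only from System32 on a
# clean host; winlogon.exe in particular has no SysWOW64 counterpart.
SYSTEM32_ONLY = {"winlogon.exe", "csrss.exe", "lsass.exe",
                 "services.exe", "smss.exe", "wininit.exe"}
CANONICAL_DIR = "c:\\windows\\system32"

# Autorun.inf at a drive root, with or without the \??\ NT prefix.
AUTORUN_ROOT = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):\\autorun\.inf$", re.IGNORECASE)
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def parse_row(row):
    """Split a flattened row into (description, indicator, process).

    The process column always starts with 'C:\\' and is followed only by the
    trailing target, so the last ' C:\\' in the row marks the boundary between
    the indicator and the process even when either path contains spaces."""
    body = row[:-len(" N/A")] if row.endswith(" N/A") else row
    desc = next((d for d in DESCRIPTIONS if body.startswith(d + " ")), None)
    if desc is None:
        return None
    rest = body[len(desc) + 1:]
    cut = rest.rfind(" C:\\")
    if cut < 0:
        return None
    return desc, rest[:cut], rest[cut + 1:]


def is_masquerade(path):
    """True if the basename is a System32-only binary living elsewhere."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM32_ONLY and directory != CANONICAL_DIR


def analyze(rows):
    findings = {
        "masquerade_paths": set(),   # system binary names outside System32
        "autorun_drives": set(),     # drive letters that received Autorun.inf
        "geo_check": set(),          # processes that read Geo\Nation
        "system_writes": Counter(),  # writes under C:\Windows per process
    }
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        desc, indicator, process = parsed
        for path in (indicator, process):
            if is_masquerade(path):
                findings["masquerade_paths"].add(path)
        if desc in FILE_WRITES:
            match = AUTORUN_ROOT.match(indicator)
            if match:
                findings["autorun_drives"].add(match.group(1).upper())
            if indicator.lower().startswith("c:\\windows\\"):
                findings["system_writes"][process] += 1
        if desc == "Key value queried" and indicator.lower().endswith(GEO_NATION_SUFFIX):
            findings["geo_check"].add(process)
    return findings


if __name__ == "__main__":
    result = analyze(SANDBOX_ROWS)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else sorted(value)}")
```

On the rows above this reports the SysWOW64\drivers\winlogon.exe copy as the masquerading path, Autorun.inf written to C:, D:, E: and Z:, the Geo\Nation lookup by that copy, and "AE 0124 BE.exe" as the process with the most writes under C:\Windows. Feeding it the full tables rather than the excerpt is a matter of pasting in more rows; the parser relies only on the process column starting with "C:\".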

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\KBDHE319.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-FlexIo-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\rtvdevx64.INF_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\SmartSAMD.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\cht4nulx64.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\AppResolver.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\msrating.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-0.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\mdmmot64.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\c_cdrom.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\comres.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-RemoteFX-clientVM-RemoteFXWDDMDriver-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.928.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-core-threadpool-legacy-l1-1-0.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\MTConfig.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\virtualdisplayadapter.inf_amd64_bcc7550a6e285f92\virtualdisplayadapter.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_TcpIpPrinterPort_v1.0.cdxml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\es-ES\MSFT_WindowsOptionalFeature.schema.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HvSocket-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Windows.Internal.SecurityMitigationsBroker.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\mfvfw.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Connector-Opt-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\odpdx32.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\oobe\en-US\SetupCleanupTask.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\msgpiowin32.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\uk-UA\msfeedsbs.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\HalExtIntcLpioDma.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package-onecoreuap-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\prnms011.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\pdm.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDFR.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Devices-EmulatedChipset-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-MFPMP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.19041.964.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmdf56f.inf_amd64_1e78e192efc26192\mdmdf56f.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\es C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\dskquota.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_SS_S.bin C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\netvf63a.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\fr-FR\vsswmi.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDLV.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\wlangpui.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.cdxml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\wvmic.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_cc4dba2066ccf53c\disk.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\wvmic_heartbeat.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\netvf63a.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmoptn.inf_amd64_583bd0f3892e01df C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp.inf_amd64_614ec8e6e63777b7\BthA2dp.sys C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wvmic_ext.inf_amd64_34d742f3550dabd2\wvmic_ext.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\pl-PL\quickassist.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VSP-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\MSFT_DAConnectionStatus.types.ps1xml C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\licmgr10.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\rdvgwddmdx11.inf_amd64_e8336336d081cc11\rdvgu1164.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\gpprefcl.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\gpedit.msc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDCZ2.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\cht4sx64.inf_loc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\storfwupdate.inf_loc C:\Windows\AE 0124 BE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dataintegrityscan_31bf3856ad364e35_10.0.19041.746_none_20e28a7a89b6cbe9 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-regini_31bf3856ad364e35_10.0.19041.1_none_c24749f2592e69f9\regini.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\11.txt C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..licensing.resources_31bf3856ad364e35_10.0.19041.1_en-us_08d1b5059efefa1c\tlsbln.exe.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config.default C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.19041.1_none_ff46bbc9afee54c5\RatingStars49.contrast-black_scale-200.png C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\msil_system.web.routing.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a3bedc3cdc0ea1f5.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-fsrm-common_31bf3856ad364e35_10.0.19041.1_none_23811da747d0002d\srmtrace.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ffd7fb326c498cc8\chooseProviderManagement.aspx.fr.resx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\13c05011af74e0c3a6303b3a20f755ba\Microsoft.WindowsSearch.Commands.ni.dll.aux C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..mdeserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a5ffb9627f62abc C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m...appxmain.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_128e4258ecee1abd C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-photoacquire.resources_31bf3856ad364e35_10.0.19041.1_en-us_982a6f54a69e582e.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..onents-mdac-ado15-r_31bf3856ad364e35_10.0.19041.1_none_aacde2a5dd33a735 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_netathr10x.inf_31bf3856ad364e35_10.0.19041.1_none_045e44cd3c4b69ac\qca9377_2_0.bin C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_ec390bd802a1c630\r\SearchProtocolHost.exe C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-enterprise-license_31bf3856ad364e35_10.0.19041.1266_none_b587b6bda28cdd81\Enterprise-Volume-CSVLK-2-pl-rtm.xrm-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-netevent.resources_31bf3856ad364e35_10.0.19041.1_de-de_8f88b4d96c16d246.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fsrm-common.resources_31bf3856ad364e35_10.0.19041.1_en-us_c14fb51a252137ac\adrclient.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_2c2b0820313203ea.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000480_31bf3856ad364e35_10.0.19041.1_none_a7159eb3383fca81\KBDUGHR.DLL C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-a..sibility-experience_31bf3856ad364e35_10.0.19041.1_none_41b27ed425707c3a\wait.svg C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\defaultbrowser.htm C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.19041.1_none_d9cbd0b162967138 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_10.0.19041.1_it-it_45af61c3a054fbd2\wer.dll.mui C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.546_none_b400f714c4b791cc\r\wship6.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_10.0.19041.746_none_334ebb647f39f6ed\r\PortableDeviceConnectApi.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-s..-credentialprovider_31bf3856ad364e35_10.0.19041.1_none_a35cb4f08ef13c35 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\msil_presentationframework.aero_31bf3856ad364e35_10.0.19041.1_none_731a85025699c484.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\INF\netrndis.inf C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ndu.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf45ca1a88faa860 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx-dfshim_dll_31bf3856ad364e35_10.0.19041.1_none_2e7103f3fc577168\dfshim.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-emergencyupdate_31bf3856ad364e35_10.19044.19041.1288_none_2b17246f67b2088f.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..ercommon-deployment_31bf3856ad364e35_10.0.19041.264_none_fa1e8b7ac919ab96.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mapcontrol_31bf3856ad364e35_10.0.19041.1202_none_9269f331f42a1765\r\MapConfiguration.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\SkyDrive.admx C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.19041.1_none_0e98e5367a9d834f\SFCN.dat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..ccess-userdatautils_31bf3856ad364e35_10.0.19041.1081_none_53d3b598562c1dfe\UserDataPlatformHelperUtil.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.546_none_0756b50d659bccdf_cryptsp.dll_ae5341e1 C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.data.services_v4.0_4.0.0.0_b77a5c561934e089_c976ac7cb252a1b9.cdf-ms C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mfmp4srcsnk_31bf3856ad364e35_10.0.19041.1202_none_7b7023e9634bba65\f C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..cs-client-extension_31bf3856ad364e35_10.0.19041.1_none_3b544d0451866b3d\winbioext.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.visualbas..activities.compiler_b03f5f7f11d50a3a_4.0.15805.0_none_8e81f622b328ec49\Microsoft.VisualBasic.Activities.Compiler.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nl-nl_1a5094bef23c919f.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\95286fe1d6e83a498798f27bd01cfe5620f7688a170348fbcc0e32fc5a069204.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-energy-winrt_31bf3856ad364e35_10.0.19041.264_none_f5ea8a4757ab344a\Windows.Energy.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ing-lpdprintservice_31bf3856ad364e35_10.0.19041.1288_none_006587932675423b\lpdsvc.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_1913b24a44b591ab\_DataOracleClientPerfCounters_shared12_neutral_d.ini C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\37e2075905f28373c4c7cf1fafea25fa6968a085cd075cfade4e67f295b3d7d7.cat C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ieframe.resources_31bf3856ad364e35_11.0.19041.1_uk-ua_a3b1ffa40600e979.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-magnification_31bf3856ad364e35_10.0.19041.1_none_ad79cbaa25408b6c.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-shmig_31bf3856ad364e35_10.0.19041.1_none_1fe431714add4546.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-g..ppolicy-policymaker_31bf3856ad364e35_10.0.19041.388_none_1519390ba7e9e67d\gpprefcl.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_11.0.19041.264_none_693d5f2f14da2062\r C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..owershell.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cff29ade12ecb5f1\PrintManagementProvider.mfl C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winocr-tifffilter_31bf3856ad364e35_10.0.19041.746_none_111c42f94a71c06b\r C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-g..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_5adbfdeb4fff612b.manifest C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4aa999c32b0031f4\windowsperformancerecordercontrol.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\f5852c82815dea15df3feb0b6a3dfec0\Microsoft.PowerShell.ISECommon.ni.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CustomMarshalers.dll C:\Windows\AE 0124 BE.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rdbss_31bf3856ad364e35_10.0.19041.1_none_0fc5e55000c6f60f C:\Windows\AE 0124 BE.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\AE 0124 BE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\drivers\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 1852 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 1852 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\msiexec.exe
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 4192 wrote to memory of 3392 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 4192 wrote to memory of 3392 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 4192 wrote to memory of 3392 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\AE 0124 BE.exe
PID 4192 wrote to memory of 2300 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 4192 wrote to memory of 2300 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 4192 wrote to memory of 2300 N/A C:\Windows\SysWOW64\drivers\winlogon.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 3392 wrote to memory of 968 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 3392 wrote to memory of 968 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 3392 wrote to memory of 968 N/A C:\Windows\AE 0124 BE.exe C:\Windows\SysWOW64\drivers\winlogon.exe
PID 1560 wrote to memory of 4248 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1560 wrote to memory of 4248 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe

"C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\AE 0124 BE.exe

"C:\Windows\AE 0124 BE.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\SysWOW64\drivers\winlogon.exe

"C:\Windows\System32\drivers\winlogon.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1852-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\AE 0124 BE.msi

MD5 5509e489819927ce83d9cdb410aa17dc
SHA1 87dab44eb3da7d0b538593b1ca854712f41d6b8e
SHA256 2a033498341bf9e3db3df3f46cf183c6fb5a9d86313cefb39271bfdd8b7dd834
SHA512 d82198c6667522cbd3789ff7f723c5a0c708a161443692ba6f3662aae77a64ca7fbbe802a1690c555444d3e7a1e0bab9d75f1b0a139be7dd14e71c18d4a38c50

C:\Windows\SysWOW64\drivers\winlogon.exe

MD5 833e9f4555d6dd92739f161eab2516a3
SHA1 f946f93117471d4fff1350a8b024f03b46de4ccd
SHA256 786d08a766f02b62f6a5886238867b73e0bb5fe28cf0c0bf31ed9c820444dbeb
SHA512 618f0ba39f7e5b251fac5c135bdf182dfadbb086d63983ddbaf1726c02a19d562c5504bacf042dcd72a982257a2af958257b1ab9b82f7f19b41f094e0f84df0a

C:\Windows\Msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/4192-55-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1852-63-0x0000000000400000-0x000000000040B000-memory.dmp

\??\c:\B1uv3nth3x1.diz

MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

memory/2300-84-0x0000000000400000-0x000000000040B000-memory.dmp

memory/968-90-0x0000000000400000-0x000000000040B000-memory.dmp

memory/968-92-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4192-451-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3392-452-0x0000000000400000-0x000000000040B000-memory.dmp

\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f73a5f3c-3a0a-4ff7-b790-72ae5d809bdc}_OnDiskSnapshotProp

MD5 324a3418cb1dd4edf787a6b0b05d976c
SHA1 10428bcbf410dfe8169a1de6cde843dc8a8de4e6
SHA256 c8026051ccba231bf1c1c841a08a68850eeed47f2b0c1c943776af71184ece5a
SHA512 74f76ebe0cf0d802447a5de484e6841c88f819b45531ef673adf1478f95f068d11648959478c104e0cefa455eadda3e682cad46bab7288a3640750c80a5c3cd4

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 2440b992447fa1306bac42b144a83f64
SHA1 9e4ea56056af053b8bdaf07eb6e37687f814ca1f
SHA256 7420a6bbd7397feed1d32183dbc7372fa6c76bfb0f4d4f12b8b00c4a6842f2ac
SHA512 94fecddab8e6eba72ade1ff9b3b0aa2354d62a3096e939ba95c5ed7c1529d20609abd17e9ddecec624de525a9fa950d3b5536605f6b074234274539b18a57734

memory/3392-473-0x0000000000400000-0x000000000040B000-memory.dmp