Analysis
max time kernel: 143s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 18:36

Behavioral task: behavioral1
Sample: 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
Resource: win10v2004-20240709-en

General
Target: 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
Size: 476KB
MD5: a2ea5e80c7ccffb62cd4a47da6d5d2e4
SHA1: 68727d25f9925833e8b0f6ba8dacbb02ab30c45f
SHA256: 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d
SHA512: c8da230411410116de4c2504a481431230f0a875438e56f28d693775e0c0b9f167447e57e6272afde631d0496242437b6d8401a7b666e29a40f4e3674c8b39d6
SSDEEP: 12288:AvMg9sKVyY3EcmIopMbv1OcHKPMsZSnMKBxh:I3930Ydbbv1BKPMs2h
Malware Config
Signatures
Drops file in Drivers directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui | AE 0124 BE.exe
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
1184 | winlogon.exe
1528 | AE 0124 BE.exe
3640 | winlogon.exe
2292 | winlogon.exe

Loads dropped DLL 3 IoCs
pid | Process
1528 | AE 0124 BE.exe
3640 | winlogon.exe
2292 | winlogon.exe

resource | yara_rule
behavioral2/memory/4196-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x0008000000023467-17.dat | upx
behavioral2/memory/4196-72-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3640-81-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3640-84-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2292-89-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2292-92-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1184-261-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1528-360-0x0000000000400000-0x000000000040B000-memory.dmp | upx

Blocklisted process makes network request 1 IoCs
flow | pid | Process
2 | 560 | msiexec.exe
Drops desktop.ini file(s) 57 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini | AE 0124 BE.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Controller-L1-1-0.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_9af3a8a63d4cb5f9\pnpmem.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp.inf_amd64_9effd93a75bc489e\BthHfAud.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UpdateTargeting-ClientOS-EKB-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsDolby-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\netathr10x.INF_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\prnms014.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\usbcir.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\migration\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\it-IT\MSFT_GroupResource.schema.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\DevicePairingFolder.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PKI | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\netiougc.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HgsClient-Core-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Group-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\ntprint.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationheadset.inf_amd64_47c7e539c0156424 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\ntprint.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\gpscript.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\setup\pbkmigr.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\wsynth3dvsc.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\iaLPSS2i_GPIO2_SKL.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\netrtwlanu.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\mmcndmgr.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Connector-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netnvm64.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\termkbd.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmgl006.inf_amd64_130cd40b355024c9 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\uk-UA\nlmcim.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fsutil.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\taskkill.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\wmitomi.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\zh-TW\quickassist.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wpbcreds.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-PowerShell-Module-HyperV-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Enterprise-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\wvmbushid.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_5dbe5e81fafe4636 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\001e\_setup.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\vdswmi.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\fr-FR\MSFT_RegistryResource.schema.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDGAE.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\raserver.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-EmbeddedExp-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\hidirkbd.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\c_scmvolume.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_8666ee4da6ad6325 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\iaLPSS2i_I2C_CNL.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\hform.xsl | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Client-Shared-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Dism\en-US\MsiProvider.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\hidserv.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\sysdm.cpl.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-COM-MSMQ-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\msux64w10.INF_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\browseui.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\msvcrt40.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-Shared-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~it-IT~11.0.19041.1.cat | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_diagnostics_system_windowsmediaplayermedialibrary_ja-jp_8f542f1ce232b9b2.cdf-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_90ccf6a5aebf0946.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft.windows.p..sc.events.resources_31bf3856ad364e35_10.0.19041.1_it-it_04cfeb8eb47bc291.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-t..sframework-mscandui_31bf3856ad364e35_10.0.19041.1_none_4ae632fbb319d9a8.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.19041.1_es-es_d8bce9fa09d9ea7d\WindowsAnytimeUpgrade.adml | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Net.Http.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\pris\resources.es-ES.pri | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..xtensions.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_15ad62142a4cd06e | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7\dos869.fon | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..workstation-license_31bf3856ad364e35_10.0.19041.1266_none_da3d84acc0ea10ee\r\ProfessionalWorkstation-Volume-CSVLK-2-ul-oob-rtm.xrm-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\f | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\mdmrock3.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_10.0.19041.1_es-es_ee98c52d39d0fcfa\CertEnrollUI.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color32.jpg | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad\vgaf874.fon | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..tprovider.resources_31bf3856ad364e35_10.0.19041.1_en-us_49dd0cfe6593a795\iiscertprovider.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0d3e9f6e82c50fea\Robocopy.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-useractivitybroker_31bf3856ad364e35_10.0.19041.264_none_9deba7076bdd5b23.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_netfx-aspnet_filter_dll_b03f5f7f11d50a3a_10.0.19041.1_none_4e8b91d5d4668c32.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_microsoft.virtualiz..vmbrowser.resources_31bf3856ad364e35_10.0.19041.1_es-es_139024f900d6b85a.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Multimedia-RestrictedCodecs-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-soundrec-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_2032b6420f5c4271.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..rlauncher.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9c4d0bde6f1373eb | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5bf696b624a6fdfe\GlobalResources.fr.resx | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_system.dynamic_b03f5f7f11d50a3a_4.0.15805.0_none_2fae85b8f3eea1eb\System.Dynamic.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-n..orkcenter.resources_31bf3856ad364e35_10.0.19041.1_de-de_ca7e29a9f0cc2411.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\HyperV-HypervisorPlatform-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_tsusbhub.inf_31bf3856ad364e35_10.0.19041.1023_none_ff9fd02b1f531a98 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-i..o5-codecs.resources_31bf3856ad364e35_10.0.19041.1_de-de_b034f6351a604f0d | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_lt-lt_aace534d2a2906fd.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v2.0.50727_fr_9d42e4553d1bb694.cdf-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de | AE 0124 BE.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\SquareTile150x150.scale-100.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_mdmgl001.inf_31bf3856ad364e35_10.0.19041.1_none_e02d7a82b406bc4d | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..platform-input-core_31bf3856ad364e35_10.0.19041.906_none_af34dac13b7cb54d | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_af4e722a446a8f4b\pvhdparser.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1_none_3640cf5b039ce2f0\DiskSnapshot.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_de-de_93a80bdc471ad1dd.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\HyperV-UX-UI-63-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-netplwiz_31bf3856ad364e35_10.0.19041.610_none_33c1bfdd48a2f243 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_miradisp.inf_31bf3856ad364e35_10.0.19041.1202_none_5724db6927ab595a\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_modemcsa.inf_31bf3856ad364e35_10.0.19041.1_none_cdbcaac35451e458\modemcsa.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-bits-adm_31bf3856ad364e35_10.0.19041.1_none_25ff71afe91f6f60\Bits.admx | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-cpfilters_31bf3856ad364e35_10.0.19041.1266_none_ac30c50e935fa5b3\f\CPFilters.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-iis-bpa_31bf3856ad364e35_10.0.19041.906_none_313eac52c3bd5b22\Manifest.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_93b4a0a1641d085c\svchost.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_wpf-presentationframework.classic_31bf3856ad364e35_10.0.19041.1_none_aa5a52bdc9233234.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userenvext_31bf3856ad364e35_10.0.19041.1165_none_de0edd509978276c\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_11.0.19041.1_it-it_08f04356b9d55a92\iexplore.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.19041.1_none_7d4b234e44bee9a6\msasn1.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-f..ype-myanmartextbold_31bf3856ad364e35_10.0.19041.1_none_425c516c686c438d.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..lers-maps.resources_31bf3856ad364e35_10.0.19041.1_en-us_07bfca500cebcbcb.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_msbuild_b03f5f7f11d50a3a_10.0.19041.1_none_fa6e7f402dbc0227.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.746_none_284758abe10778d6\r\Amd64\PDFRenderFilter.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-onecoreuap-wlansvc_31bf3856ad364e35_10.0.19041.1266_none_b7a58d8ba78355f3\f\wlansec.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_netelx.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_196b5dadc5c810b6.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_netrndis.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_676c63113cb83f14.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089 | AE 0124 BE.exe
File opened for modification
C:\Windows\WinSxS\amd64_microsoft-windows-p..xecutable.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c1ae8635f6861d2a AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05 AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..se-quickds-binaries_31bf3856ad364e35_10.0.19041.1_none_b62dc2b59a25df9f\ChtQuickDS.DLL AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\f\ProgressRing.xbf AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
-
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3292 msiexec.exe
3292 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process
Token: SeShutdownPrivilege 560 msiexec.exe
Token: SeIncreaseQuotaPrivilege 560 msiexec.exe
Token: SeSecurityPrivilege 3292 msiexec.exe
Token: SeCreateTokenPrivilege 560 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 560 msiexec.exe
Token: SeLockMemoryPrivilege 560 msiexec.exe
Token: SeIncreaseQuotaPrivilege 560 msiexec.exe
Token: SeMachineAccountPrivilege 560 msiexec.exe
Token: SeTcbPrivilege 560 msiexec.exe
Token: SeSecurityPrivilege 560 msiexec.exe
Token: SeTakeOwnershipPrivilege 560 msiexec.exe
Token: SeLoadDriverPrivilege 560 msiexec.exe
Token: SeSystemProfilePrivilege 560 msiexec.exe
Token: SeSystemtimePrivilege 560 msiexec.exe
Token: SeProfSingleProcessPrivilege 560 msiexec.exe
Token: SeIncBasePriorityPrivilege 560 msiexec.exe
Token: SeCreatePagefilePrivilege 560 msiexec.exe
Token: SeCreatePermanentPrivilege 560 msiexec.exe
Token: SeBackupPrivilege 560 msiexec.exe
Token: SeRestorePrivilege 560 msiexec.exe
Token: SeShutdownPrivilege 560 msiexec.exe
Token: SeDebugPrivilege 560 msiexec.exe
Token: SeAuditPrivilege 560 msiexec.exe
Token: SeSystemEnvironmentPrivilege 560 msiexec.exe
Token: SeChangeNotifyPrivilege 560 msiexec.exe
Token: SeRemoteShutdownPrivilege 560 msiexec.exe
Token: SeUndockPrivilege 560 msiexec.exe
Token: SeSyncAgentPrivilege 560 msiexec.exe
Token: SeEnableDelegationPrivilege 560 msiexec.exe
Token: SeManageVolumePrivilege 560 msiexec.exe
Token: SeImpersonatePrivilege 560 msiexec.exe
Token: SeCreateGlobalPrivilege 560 msiexec.exe
Token: SeBackupPrivilege 4848 vssvc.exe
Token: SeRestorePrivilege 4848 vssvc.exe
Token: SeAuditPrivilege 4848 vssvc.exe
Token: SeBackupPrivilege 3292 msiexec.exe
Token: SeRestorePrivilege 3292 msiexec.exe
Token: SeRestorePrivilege 3292 msiexec.exe
Token: SeTakeOwnershipPrivilege 3292 msiexec.exe
Token: SeRestorePrivilege 3292 msiexec.exe
Token: SeTakeOwnershipPrivilege 3292 msiexec.exe
Token: SeBackupPrivilege 4100 srtasks.exe
Token: SeRestorePrivilege 4100 srtasks.exe
Token: SeSecurityPrivilege 4100 srtasks.exe
Token: SeTakeOwnershipPrivilege 4100 srtasks.exe
Token: SeBackupPrivilege 4100 srtasks.exe
Token: SeRestorePrivilege 4100 srtasks.exe
Token: SeSecurityPrivilege 4100 srtasks.exe
Token: SeTakeOwnershipPrivilege 4100 srtasks.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
560 msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
1184 winlogon.exe
1528 AE 0124 BE.exe
3640 winlogon.exe
2292 winlogon.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 4196 wrote to memory of 560 4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe 84
PID 4196 wrote to memory of 560 4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe 84
PID 4196 wrote to memory of 560 4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe 84
PID 4196 wrote to memory of 1184 4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe 85
PID 4196 wrote to memory of 1184 4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe 85
PID 4196 wrote to memory of 1184 4196 07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe 85
PID 1184 wrote to memory of 1528 1184 winlogon.exe 87
PID 1184 wrote to memory of 1528 1184 winlogon.exe 87
PID 1184 wrote to memory of 1528 1184 winlogon.exe 87
PID 1184 wrote to memory of 3640 1184 winlogon.exe 90
PID 1184 wrote to memory of 3640 1184 winlogon.exe 90
PID 1184 wrote to memory of 3640 1184 winlogon.exe 90
PID 1528 wrote to memory of 2292 1528 AE 0124 BE.exe 91
PID 1528 wrote to memory of 2292 1528 AE 0124 BE.exe 91
PID 1528 wrote to memory of 2292 1528 AE 0124 BE.exe 91
PID 3292 wrote to memory of 4100 3292 msiexec.exe 96
PID 3292 wrote to memory of 4100 3292 msiexec.exe 96
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe
"C:\Users\Admin\AppData\Local\Temp\07e136f4bca60e908341612b116bacca9a7f685d45502bb78b50d5a546a2f37d.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196
  C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:560
  C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1184
    C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1528
      C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:2292
    C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3640
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4848
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 476KB
MD5 39f5a9dcf402a26d476c8464d8d3cd20
SHA1 d65cf1169440e06e79ea9e2b0ecdd1e8062038a5
SHA256 279a967970b7e4903b9185ef094824b45d10a1e15f61c3af870878d0cbc55bb9
SHA512 ed346b86086bb3aff692d68c09f6e9f089a0deb0fa72fa9454968506da893f1d109f85630914d2783c26cc8e0b512b7237ace80da979c5130eb6dfb482f617fc
-
Filesize 155KB
MD5 b9eeaa886e7b1fb69f0a15c0d57d688a
SHA1 007573a5008fdab17426ee0903f9fbdd0688e92d
SHA256 501fc1fe546e5192f2e688c50b818ea61ca050a49ff3472bfd06511cfc1fb49a
SHA512 0ee878b4a1971fa6b2d2c65cdf71baab8ccaacd7e8a8285342bd3cf8bcee5c6ba39fc66e8d5ec1e27534b1566d75598969f0369d3f683f6f67c61605c02e26d0
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 48KB
MD5 e1271d9e67531bb379df685e82dd1948
SHA1 835c26e71a12d943aefeeb6f23c7d0f19a78fe1a
SHA256 05cbdeeac92c5e8950f89c12b2b389d461ee038a2f2b24112dba694ca9655675
SHA512 9da8b016ab4f5a0e4a9432f9adc1a79bb443cd6f578d97bfd6b87c7a22cfb0b5cfdcf79d02454949d2aa9267305511ae1400b918cca37e3c3907c3b134926986
-
Filesize 256KB
MD5 a873b738954934f48769c19d0c9eb301
SHA1 4ebb7ce8cca945d5c9a607f5642e3f30e60249d4
SHA256 ff2c364859fab2fb7fbd4e8c6254d7ea0099280284b88833cbd5285dd7c7b434
SHA512 fd384b4bc2d51230e151c1f85b4755748857272301bc8da0a8a9d281f9e8aa49e4e35696361780d2f8b35e0c0c5cda6e98dbf2f591b4b1baf31cfeac48ac0d67
-
Filesize 23.7MB
MD5 0078c59703eb98003d6d179a55ad5abf
SHA1 34df8608e21029507caf40ed228a9d4fa90e3bc7
SHA256 a48bece000e694f1b3e36402c87df691b5b87ec29af6723b08b41f6bbb6e1650
SHA512 30a5ee629f0829872714dd5c5d1f0ae4e5ec2583016ac84695669b92d313b0b717367250039a0eb21c9ef6886496d0be386acecfa3f3bc618eb321be35f9ad86
-
\??\Volume{1d5b03bd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{647c6da8-e848-467e-b8ab-28eab71ef708}_OnDiskSnapshotProp
Filesize 6KB
MD5 e37d8b526a5fa2430c4bb5f41235f12a
SHA1 74a65d7d76b19eed70f4eaf30a291c5511490d0e
SHA256 b80d73fb4d9c157741d385718caf43f60dcee92a6223aa6c67be4fb498a4492d
SHA512 5e14f227ba75b56e867ff2978909cba222d26235cc8ccb90a0fbd9e48399576ca71e4bbf1010159a1c40cb2a3c9b7344caf8d6821fd343525b5a07772d7607fd
-
Filesize 21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b