d084dcae942a3b6b27b8b85fc44b9c81334132ba6ea271d58ae45625e8b25f4f

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb5de396611f142f328ef2fa6990400N.exe
Size

232KB
MD5

8bb5de396611f142f328ef2fa6990400
SHA1

4d2f9fe3cba1cab89f522a646a1591a7630186db
SHA256

d084dcae942a3b6b27b8b85fc44b9c81334132ba6ea271d58ae45625e8b25f4f
SHA512

cf7fd9a173914b0458e3c48560d88790e485717c56ff05df3912e6ec5bc1c421e6beef454e7b2f2badaa0297080da77f7ef9363cf4f5a5b4ddffbb1652cc7fd8
SSDEEP

3072:2r+Fu+gOSmvuVQL9KpjbbNC8vM7Mh8nWmEw7/8kuuc+BxWhJ+UV05M1:RSm26UbbZvMgrmEs7eVMM1

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	8bb5de396611f142f328ef2fa6990400N.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	8bb5de396611f142f328ef2fa6990400N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
3224	winlogon.exe
2816	AE 0124 BE.exe
4612	winlogon.exe
1108	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
2816	AE 0124 BE.exe
4612	winlogon.exe
1108	winlogon.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2528-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000700000002343d-17.dat	upx
behavioral2/memory/2528-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4612-85-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1108-88-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1108-91-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3224-272-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2816-322-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	212	msiexec.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops autorun.inf file 1 TTPs 25 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Compute-PowerShell-Module-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PowerShell-V2-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_securitydevices.inf_amd64_f10a5650b96630b9\c_securitydevices.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\iastorav.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\tsgqec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Virtio-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx-Windows-Built-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\netshell.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\TTS	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Client-Manager-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-KMCL-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Analog-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\scsidev.inf_amd64_55176c1890d480fe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\virtdisk.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\adsnt.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\VAN.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\netswitchteamcim.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\netnccim_uninstall.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\netid.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\AdmTmpl.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\SMI\Store	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TLS\tls.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\cht4sx64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\mdmcxpv6.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\F12\de-DE\F12Platform2.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-2-ul-phn-rtm.xrm-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WCOSHeadless-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_swdevice.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\mchgr.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SyncRes.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\PlaySndSrv.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-ShellLauncher-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\genericusbfn.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sdstor.inf_amd64_0d2a33dd67a36577	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\pots.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\sqlwid.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-VirtualDevice-Emulated-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\BaseRegistration\fr-FR\MSFT_DSCMetaConfiguration.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\c_fsencryption.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\register-cimprovider.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\SR\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDUSA.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\API-MS-Win-core-string-obsolete-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\pci.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ts_generic.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmarn.inf_amd64_947cdd3822225c16	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\windows.ui.xaml.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\DeliveryOptimization.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\npivwmi.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\uk-UA\storagewmi_passthru_uninstall.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Kits\10\UnionMetadata\Facade\Windows.WinMD	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\TabletPCInputPanel.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\msil_microsoft.hyperv.powershell.cmdlets_31bf3856ad364e35_10.0.19041.388_none_2f655558eda5822e	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-globalsansserifcf_b03f5f7f11d50a3a_4.0.15805.110_none_15cb7b4c9783c801	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..nt-server.resources_31bf3856ad364e35_10.0.19041.1055_en-us_f64a8abb805b142b\CustomInstallExec.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\system.data.sqlxml.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Multimedia-MFCore-WCOSHeadless-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_10.0.19041.746_none_46f79836a0dc7206	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-networkprovisioning_31bf3856ad364e35_10.0.19041.746_none_ab4b4bf819106234\r\xmlprovi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\TaskScheduler.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\RenderingControl_DMP.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-search-adm_31bf3856ad364e35_7.0.19041.1_none_4c4bda1deb80ebc4	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Xaml.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-pnpmigration_31bf3856ad364e35_10.0.19041.1_none_1ee1bf0adb4eaf7d	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-power-adm_31bf3856ad364e35_10.0.19041.1_none_c8cc07340c3e5859	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..hangehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1264b2471f9dae9c\DataExchangeHost.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_system.data.datasetextensions.resources_b77a5c561934e089_4.0.15805.0_de-de_55a14535bba55538\System.Data.DataSetExtensions.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_vstxraid.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_e0e0cff64eb1c477\vstxraid.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.19041.1288_none_6a70c7f973424381\r\Hydrogen.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appx-sysprep_31bf3856ad364e35_10.0.19041.1081_none_ec662288aa278734\AppxSysprep.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\r\mapistub.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..y-ntmarta.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6e6f0dbd36f4a42e\ntmarta.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\language\typescript\lib\typescriptServices.js	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_de-de_6d4b0276726f83ba	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-directx-dxdiagndll_31bf3856ad364e35_10.0.19041.84_none_addbc463ecc6f581	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-searchdiagnostic_31bf3856ad364e35_10.0.19041.1_none_e799de0292ba9a6c\TS_IndexingServiceCrashing.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_10.0.19041.1_none_e6a17ab4cd856a14\UninstallMembership.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\NavOverFlow_Start.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.powershel..nprovider.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_356cd64c110907da\DscCoreConfProv.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsDolby-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_networking-mpssvc_31bf3856ad364e35_10.0.19041.746_none_e872d1a617f9e73f\r	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_bth-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_1c76e13a187208a0\bthudtask.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_wsdscdrv.inf_31bf3856ad364e35_10.0.19041.1_none_293a77b1ff506787\WSDScDrv.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-scripting.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6fedf6c9b4172c77\wscript.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.packagema..e.package.resources_31bf3856ad364e35_10.0.19041.1_it-it_891e63f65539a401\MSFT_PackageManagement.schema.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_de-de_6658fa03f9254450.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\system.data.sqlxml.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wininit-mof_31bf3856ad364e35_10.0.19041.1_none_90d1e9fce8e70c10	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\netnvma.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-desktop-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4dacae094eee592f	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..rdfiltershim-client_31bf3856ad364e35_10.0.19041.1_none_cae3510e510c1338	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rasbase-asyncmac_31bf3856ad364e35_10.0.19041.1_none_da48dc66d436c4ea	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.19041.1_de-de_203ca664578377b7	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_wpcip.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b48323ab620c793c\wpcip.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fsavailux.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc7dcc4e711e5669\fsavailux.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-vpcibus_31bf3856ad364e35_10.0.19041.928_none_69618fc17b5a02e5	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_system.data.oracleclient.resources_b77a5c561934e089_4.0.15805.0_es-es_b9b7826aca2ad8af	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1_none_aed24b42c323f105	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_amdgpio2.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a999fa077044a374\AMDGPIO2.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\ScreenClipping\ScreenClipping\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\NlsLexicons000c.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_acca74947ca73d6c	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-e..ckdownwmi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bc040d895034d384	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-hnetcfgclient_31bf3856ad364e35_10.0.19041.1_none_51a14bfa21ff2a38	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_winusb.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_57ed3fe107f08d7f\winusb.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\FeedbackNotifications.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..vel-winrt.resources_31bf3856ad364e35_10.0.19041.1_de-de_a8b5fe36089c9764\Windows.Devices.LowLevel.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-help-client.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_61cda4ccab1effac\helppane.exe.mui	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000750203050573ea680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000750203050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090075020305000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d75020305000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007502030500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\331F16082EF4CA241854303F8F66FC96\CE81681EBD9DECB43B2858DA2ABC3B04	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CE81681EBD9DECB43B2858DA2ABC3B04\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.UAPSDKAddOn.SDK,10	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CE81681EBD9DECB43B2858DA2ABC3B04	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\Version = "167837696"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.UAPSDKAddOn.SDK,10\Version = "10.1.0.0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.UAPSDKAddOn.SDK,10\DisplayName = "Windows SDK AddOn"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CE81681EBD9DECB43B2858DA2ABC3B04\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\PackageCode = "B85649425361A4C458AA3EA144083AAF"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	8bb5de396611f142f328ef2fa6990400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\ProductName = "Windows SDK AddOn"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\331F16082EF4CA241854303F8F66FC96	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList\LastUsedSource = "n;1;C:\\Windows\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8bb5de396611f142f328ef2fa6990400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.UAPSDKAddOn.SDK,10\ = "{E18618EC-D9DB-4BCE-B382-85ADA2CBB340}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList\PackageName = "AE 0124 BE.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE81681EBD9DECB43B2858DA2ABC3B04\SourceList\Net\1 = "C:\\Windows\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	msiexec.exe
2684	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	2684	msiexec.exe
Token: SeCreateTokenPrivilege	212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	212	msiexec.exe
Token: SeLockMemoryPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeMachineAccountPrivilege	212	msiexec.exe
Token: SeTcbPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	212	msiexec.exe
Token: SeTakeOwnershipPrivilege	212	msiexec.exe
Token: SeLoadDriverPrivilege	212	msiexec.exe
Token: SeSystemProfilePrivilege	212	msiexec.exe
Token: SeSystemtimePrivilege	212	msiexec.exe
Token: SeProfSingleProcessPrivilege	212	msiexec.exe
Token: SeIncBasePriorityPrivilege	212	msiexec.exe
Token: SeCreatePagefilePrivilege	212	msiexec.exe
Token: SeCreatePermanentPrivilege	212	msiexec.exe
Token: SeBackupPrivilege	212	msiexec.exe
Token: SeRestorePrivilege	212	msiexec.exe
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeDebugPrivilege	212	msiexec.exe
Token: SeAuditPrivilege	212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	212	msiexec.exe
Token: SeChangeNotifyPrivilege	212	msiexec.exe
Token: SeRemoteShutdownPrivilege	212	msiexec.exe
Token: SeUndockPrivilege	212	msiexec.exe
Token: SeSyncAgentPrivilege	212	msiexec.exe
Token: SeEnableDelegationPrivilege	212	msiexec.exe
Token: SeManageVolumePrivilege	212	msiexec.exe
Token: SeImpersonatePrivilege	212	msiexec.exe
Token: SeCreateGlobalPrivilege	212	msiexec.exe
Token: SeBackupPrivilege	1448	vssvc.exe
Token: SeRestorePrivilege	1448	vssvc.exe
Token: SeAuditPrivilege	1448	vssvc.exe
Token: SeBackupPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
212	msiexec.exe
212	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2528	8bb5de396611f142f328ef2fa6990400N.exe
3224	winlogon.exe
2816	AE 0124 BE.exe
4612	winlogon.exe
1108	winlogon.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 212	2528	8bb5de396611f142f328ef2fa6990400N.exe	87
PID 2528 wrote to memory of 212	2528	8bb5de396611f142f328ef2fa6990400N.exe	87
PID 2528 wrote to memory of 212	2528	8bb5de396611f142f328ef2fa6990400N.exe	87
PID 2528 wrote to memory of 3224	2528	8bb5de396611f142f328ef2fa6990400N.exe	88
PID 2528 wrote to memory of 3224	2528	8bb5de396611f142f328ef2fa6990400N.exe	88
PID 2528 wrote to memory of 3224	2528	8bb5de396611f142f328ef2fa6990400N.exe	88
PID 3224 wrote to memory of 2816	3224	winlogon.exe	89
PID 3224 wrote to memory of 2816	3224	winlogon.exe	89
PID 3224 wrote to memory of 2816	3224	winlogon.exe	89
PID 3224 wrote to memory of 4612	3224	winlogon.exe	91
PID 3224 wrote to memory of 4612	3224	winlogon.exe	91
PID 3224 wrote to memory of 4612	3224	winlogon.exe	91
PID 2816 wrote to memory of 1108	2816	AE 0124 BE.exe	92
PID 2816 wrote to memory of 1108	2816	AE 0124 BE.exe	92
PID 2816 wrote to memory of 1108	2816	AE 0124 BE.exe	92
PID 2684 wrote to memory of 2432	2684	msiexec.exe	103
PID 2684 wrote to memory of 2432	2684	msiexec.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8bb5de396611f142f328ef2fa6990400N.exe
"C:\Users\Admin\AppData\Local\Temp\8bb5de396611f142f328ef2fa6990400N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:212
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1108
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e62a39e.rbs

Filesize
8KB

MD5
20c50a3500e5949c0d3904498d12ff2e

SHA1
c9c54e6db97b0073aee86326d6e3f482035408f4

SHA256
46b10702793d0cd2b04fbc6cb8efe8c5c8daaea6ddfb61fbd00675cc77e3e8aa

SHA512
dd2603a0955b082f4d6424ebf0207653dad92a4ddfbe142a74e5fa2652aaf14508cb5ac293f1cd83ee10821089ed032dccb47dcffc9a11a3b86b1a1021771928

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
232KB

MD5
81c0a159dea085a06e23a9a915a90cff

SHA1
709146f18808c65ed22585ff75d8403b212a0fef

SHA256
481b9932ef5d4de7e4c1c8b7524e34177f3008e620c5196012e5ed1689201bd9

SHA512
bf6698e6a3d46526e619dd21da3f36e4f1719d9343f7eeb2590888237362a60a16d23cc27c6bb2fd910d99bc2710bc2562d64308e84617334ec0aa972c276d54

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
155KB

MD5
7a077dd91e544d4f0401ee3416a08624

SHA1
e8cb25defdfdc552758fda6d580f62a6e2f966ea

SHA256
8a56b34a933ba4729e99356c36d4294e4be17c286b3fe0eacbf5aca52babf73c

SHA512
f6986f53caac052cc8fea75f710847f1e82e5f8faa2eb1f8ec439812ae6b43b7dbf36152addd9d0229e5d339bf441701114790c2c809ac29d6f3d21537c0840e

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
48KB

MD5
a2651cf270a4bc62dddb4899b4905c2c

SHA1
9e8224927840274f75fedf18651297e1490ffa63

SHA256
923afcc3a47d6e5728391bfcc7105c1471cb0f2a31de5dd10e61e080e9ea4219

SHA512
255a12a7eb73fab5b9fbd202dcbe0a32494e81b5d0a089d2bc2d7354271fa0c5964b9b49dc3f5f82b1a31069c806b859c16a45654a88d361eddb97f63bbcf8ad

Download Submit
C:\Windows\Temp\{3679A274-5F14-4E1E-BCFA-0172FB172A79}-MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe

Filesize
166KB

MD5
7f5222e6b9f2189b4fa7a39dcd8685e4

SHA1
7b0ab0f31fa4652c0acb22dc689e29bbe6f9d49e

SHA256
29b8cd0b8981fe5d8ef27f051bf07985e0fcb9c9099ecd603ae58a284e793804

SHA512
7c6e5c635f71fcf65e8d239aca6812f06bdf04ce4ac58612b59b08c7c67b743f23240c40fdc6f81fecc65f8eca21a7c3b24e76c5f6fdaadbf3c1f3ce7b16b9d8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
fc7472215cf7e8bb52f3cc9eada69612

SHA1
38f6c7ffb3348815d2cec256a4d09eae61e25335

SHA256
750e93ae6c82e4b93d00d9b5ddc3574834e1b55ab48b65670c425969d7d3d76c

SHA512
475aca12c90ceedc61a5aa2eb0ccefbcd14ce40adc3d7de8c8594f843b26d7fd291f8f26120f4cde499bbd3b121d3ed2fbf7f1f8638c3292587f77b9263f089d

Download Submit
\??\Volume{05030275-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{53711a5a-4de9-4363-802a-9d780ed58888}_OnDiskSnapshotProp

Filesize
6KB

MD5
b55b3a6b8e6ccdf794c762c2ac6ef7e8

SHA1
1ae9ab76b152ec6eb5e5902ce2a362b39d180bd1

SHA256
290a9cdeac608dea5ee0bc3873d6bd921e0c04f3d646316cc8d609d7bd6b0b2d

SHA512
04852ba795307664cdad87a9fac354457fa524f1cf833955b4adbb04d85074b10b3f1ba05d47dd96784d14231264b22f8788ef9636ca71d1d9e113793d09e04e

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
memory/1108-91-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1108-88-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2528-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2528-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-322-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3224-272-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-85-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download