ba715b42b9b023c81247b5d7c834f3b896fc658c1ffc563f4d3fe3d76e161b1a

Analysis

max time kernel
119s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 10:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de2858ef35c83552b8dbd001944a4110N.exe
Size

717KB
MD5

de2858ef35c83552b8dbd001944a4110
SHA1

dee07648c9bcecab3c13fe06f288226b30c575ec
SHA256

ba715b42b9b023c81247b5d7c834f3b896fc658c1ffc563f4d3fe3d76e161b1a
SHA512

40919c8b638bcb395412d4b18dd3e765ad4b2c8150a6d2e5b46dcde0d8d76b8f1cd55fe335a42d929bf4daa374584bd52797d19456c80775cff80f96cd3ce5f1
SSDEEP

12288:/MHL/AmVt07kw3jl2tBds5IBjxMbJxuz+N1qqQD:EdVql3CBdxqTm+fgD

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	de2858ef35c83552b8dbd001944a4110N.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	de2858ef35c83552b8dbd001944a4110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2672	winlogon.exe
1156	AE 0124 BE.exe
3900	winlogon.exe
3192	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1156	AE 0124 BE.exe
3720	MsiExec.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	AE 0124 BE.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\de-DE\wdmvsc.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\MsDtcWmi.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_L_LE_1.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMESEARCHDLL.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTable.xsd	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_securitydevices.inf_amd64_f10a5650b96630b9\c_securitydevices.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_9839c838c72c0594\nulhpopr.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wecutil.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnms007.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\objsel.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\F12\uk-UA\IEChooser.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Common\en-US\sapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-mmc-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Get-DscConfiguration.cdxml	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\displayoverride.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cht4sx64.inf_amd64_3a69b9b79f49eb50\cht4sx64.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\PeerDist.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ChatApis.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\sqmapi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bcmfn2.inf_amd64_5ebadf201c5b5845	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netloop.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDCR.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\rdvgwddmdx11.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\AMDSBS.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\pwrshplugin.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-UI-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UpdateTargeting-ClientOS-EKB-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-62-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-SMB-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\hidirkbd.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dpapi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Optional-Features-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Tools-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_95e01117eb9c1bd2	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0416\_setup.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetTeredoConfiguration.cdxml	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-Containers-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\nete1e3e.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidbatt.inf_amd64_a6fa9bcee39a694f\hidbatt.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-Common-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\msdtcspoffln.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_extension.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\prnms007.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WinMetadata\Windows.ApplicationModel.winmd	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\mscms.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\azman.msc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netvg63a.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\3ware.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\cht4vx64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\wiadss.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-FlexIo-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-Containers-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-http-api_31bf3856ad364e35_10.0.19041.1110_none_6a7867af5278fb92\httpapi.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.0.19041.1165_none_cbcbe0c900c7339c\webplatstorageserver.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-svsvc_31bf3856ad364e35_10.0.19041.1_none_17a6e31f15350b24\svsvc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..nagement-dmcmnutils_31bf3856ad364e35_10.0.19041.1266_none_1638e81fc8fb6e7a\f	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1040\clretwrc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_c_linedisplay.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_d1871ea3b7588f6c\c_linedisplay.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-display_31bf3856ad364e35_10.0.19041.1_none_188e14feb672dfee\Display.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\DiagPackage.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-o...appxmain.resources_31bf3856ad364e35_10.0.19041.1_en-us_33ed9bfd6d067909.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_windows-id-connecte..guration-production_31bf3856ad364e35_10.0.19041.1_none_cf32ea117c8724fc.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_920963acedc8777d\dciman32.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\Microsoft.Build.Tasks.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_c3423ff2a842a4c8\Amd64\UNIRES.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_it-it_d5c776ffef77baa1\netdacim.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSplashScreen.scale-125_contrast-white.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-n..os-snapin.resources_31bf3856ad364e35_10.0.19041.1_it-it_316391b2b867a9b8.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\ba094d32157d7acfed89b01413f8effb\Microsoft.PowerShell.Commands.Diagnostics.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\pdferrormfnotfound.html	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lockscreendata_31bf3856ad364e35_10.0.19041.746_none_0d7f0c77720a0c7c\f\LockScreenData.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..h-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_a830b51e46b669bd\Windows.Storage.Search.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-g..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_it-it_083b968024dbd8f1.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..redential.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2ff7c235bf2cc359\fingerprintcredential.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.19041.1202_none_d965e0f65a4ddcdf\r\bdesvc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_system.web.dynamicdata.design_31bf3856ad364e35_4.0.15805.0_none_eae1b63c4505fd13.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingDeletes\88c11a4536e5d7015d9a00001815341f.XPath.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-timeline_is_31bf3856ad364e35_11.0.19041.1_none_63b88d65d3c4709d\Timeline_is.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..olocation.resources_31bf3856ad364e35_10.0.19041.1_es-es_7a569f1bfb20f557\SettingsHandlers_Geolocation.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_wpdmtphw.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_12b5bfea7bc3df8a.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-m..ion-mfcaptureengine_31bf3856ad364e35_10.0.19041.906_none_d4f48bdf30d21e3d\f	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package-shell-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d2d_31bf3856ad364e35_10.0.19041.546_none_85962dc4bac043a9	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_10.0.19041.746_none_a5751a882524bee1\Defrag.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_lsi_sas2i.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0873b2d1c9ce63b6.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft.powershell.psget.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_792a3c9b7fc0e8ea.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Print.Management.Console~~1.0.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nlevelmanifests-com_31bf3856ad364e35_10.0.19041.746_none_64c0ff19143d9b14\commig.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..mprovider.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8d14ae891bfb18b6\nfscimprov.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1266_none_1a0aa046bfbc05b6_lagcounterdef.h_3e12399d	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_dual_c_image.inf_31bf3856ad364e35_10.0.19041.1_none_544b1663c032846e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_netrtl64.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_d8bc8131320bf15e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..putprocessor-gipdll_31bf3856ad364e35_10.0.19041.153_none_36748f895fe91bee\f	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_netsecurity_de_2bf40c1359a54edc.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 3.0.0.0\040C\PerfCounters_D.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-a..on-experience-tools_31bf3856ad364e35_10.0.19041.1_none_4abb348747cf9a2c.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-restartmanager_31bf3856ad364e35_10.0.19041.1_none_407b1fa0f7dce496.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.19041.264_none_4be3170c86d4fa37\r	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_e3c17afbb5603422\wmplayer.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-xwizards-duiplugin_31bf3856ad364e35_10.0.19041.746_none_42b611bc30df49f4\f\xwtpdui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Compute-Storage-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..services-adam-setup_31bf3856ad364e35_10.0.19041.746_none_1a1e8292dcf10728\MS-UserProxy.LDF	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.19041.1_it-it_659c563fd3dde65d\Cpls.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-utilman.resources_31bf3856ad364e35_10.0.19041.1_de-de_6cb9595a33661421\Utilman.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_sensorsservicedriver.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_17dac1c31f98e441	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\de\System.Windows.Input.Manipulations.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\1036\vbc7ui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mdm-wmiv2-dmwmibridge_31bf3856ad364e35_10.0.19041.1202_none_7f60e559b9e25c1f\DMWmiBridgeProv.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_8514fixr.fon_f67069da	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_10.0.19041.153_none_d123ff5fb624ee15.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.906_none_bafbd92e6e868958.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_system.net.websockets_b03f5f7f11d50a3a_4.0.15805.0_none_d53ac54f87ada30d\System.Net.WebSockets.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-n..ty-assistant-client_31bf3856ad364e35_10.0.19041.1_none_c63b1f7ef04d3694.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-unimodem-core_31bf3856ad364e35_10.0.19041.1_none_54ddeaa1a84c37e0	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..nistrator.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a13603e96aa7e55.manifest	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de2858ef35c83552b8dbd001944a4110N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AE 0124 BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	de2858ef35c83552b8dbd001944a4110N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	de2858ef35c83552b8dbd001944a4110N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4976	msiexec.exe
Token: SeSecurityPrivilege	3564	msiexec.exe
Token: SeCreateTokenPrivilege	4976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4976	msiexec.exe
Token: SeLockMemoryPrivilege	4976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4976	msiexec.exe
Token: SeMachineAccountPrivilege	4976	msiexec.exe
Token: SeTcbPrivilege	4976	msiexec.exe
Token: SeSecurityPrivilege	4976	msiexec.exe
Token: SeTakeOwnershipPrivilege	4976	msiexec.exe
Token: SeLoadDriverPrivilege	4976	msiexec.exe
Token: SeSystemProfilePrivilege	4976	msiexec.exe
Token: SeSystemtimePrivilege	4976	msiexec.exe
Token: SeProfSingleProcessPrivilege	4976	msiexec.exe
Token: SeIncBasePriorityPrivilege	4976	msiexec.exe
Token: SeCreatePagefilePrivilege	4976	msiexec.exe
Token: SeCreatePermanentPrivilege	4976	msiexec.exe
Token: SeBackupPrivilege	4976	msiexec.exe
Token: SeRestorePrivilege	4976	msiexec.exe
Token: SeShutdownPrivilege	4976	msiexec.exe
Token: SeDebugPrivilege	4976	msiexec.exe
Token: SeAuditPrivilege	4976	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4976	msiexec.exe
Token: SeChangeNotifyPrivilege	4976	msiexec.exe
Token: SeRemoteShutdownPrivilege	4976	msiexec.exe
Token: SeUndockPrivilege	4976	msiexec.exe
Token: SeSyncAgentPrivilege	4976	msiexec.exe
Token: SeEnableDelegationPrivilege	4976	msiexec.exe
Token: SeManageVolumePrivilege	4976	msiexec.exe
Token: SeImpersonatePrivilege	4976	msiexec.exe
Token: SeCreateGlobalPrivilege	4976	msiexec.exe
Token: SeCreateTokenPrivilege	4976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4976	msiexec.exe
Token: SeLockMemoryPrivilege	4976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4976	msiexec.exe
Token: SeMachineAccountPrivilege	4976	msiexec.exe
Token: SeTcbPrivilege	4976	msiexec.exe
Token: SeSecurityPrivilege	4976	msiexec.exe
Token: SeTakeOwnershipPrivilege	4976	msiexec.exe
Token: SeLoadDriverPrivilege	4976	msiexec.exe
Token: SeSystemProfilePrivilege	4976	msiexec.exe
Token: SeSystemtimePrivilege	4976	msiexec.exe
Token: SeProfSingleProcessPrivilege	4976	msiexec.exe
Token: SeIncBasePriorityPrivilege	4976	msiexec.exe
Token: SeCreatePagefilePrivilege	4976	msiexec.exe
Token: SeCreatePermanentPrivilege	4976	msiexec.exe
Token: SeBackupPrivilege	4976	msiexec.exe
Token: SeRestorePrivilege	4976	msiexec.exe
Token: SeShutdownPrivilege	4976	msiexec.exe
Token: SeDebugPrivilege	4976	msiexec.exe
Token: SeAuditPrivilege	4976	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4976	msiexec.exe
Token: SeChangeNotifyPrivilege	4976	msiexec.exe
Token: SeRemoteShutdownPrivilege	4976	msiexec.exe
Token: SeUndockPrivilege	4976	msiexec.exe
Token: SeSyncAgentPrivilege	4976	msiexec.exe
Token: SeEnableDelegationPrivilege	4976	msiexec.exe
Token: SeManageVolumePrivilege	4976	msiexec.exe
Token: SeImpersonatePrivilege	4976	msiexec.exe
Token: SeCreateGlobalPrivilege	4976	msiexec.exe
Token: SeCreateTokenPrivilege	4976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4976	msiexec.exe
Token: SeLockMemoryPrivilege	4976	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4976	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2596	de2858ef35c83552b8dbd001944a4110N.exe
2672	winlogon.exe
1156	AE 0124 BE.exe
3900	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4976	2596	de2858ef35c83552b8dbd001944a4110N.exe	86
PID 2596 wrote to memory of 4976	2596	de2858ef35c83552b8dbd001944a4110N.exe	86
PID 2596 wrote to memory of 4976	2596	de2858ef35c83552b8dbd001944a4110N.exe	86
PID 2596 wrote to memory of 2672	2596	de2858ef35c83552b8dbd001944a4110N.exe	89
PID 2596 wrote to memory of 2672	2596	de2858ef35c83552b8dbd001944a4110N.exe	89
PID 2596 wrote to memory of 2672	2596	de2858ef35c83552b8dbd001944a4110N.exe	89
PID 2672 wrote to memory of 1156	2672	winlogon.exe	90
PID 2672 wrote to memory of 1156	2672	winlogon.exe	90
PID 2672 wrote to memory of 1156	2672	winlogon.exe	90
PID 3564 wrote to memory of 3720	3564	msiexec.exe	92
PID 3564 wrote to memory of 3720	3564	msiexec.exe	92
PID 3564 wrote to memory of 3720	3564	msiexec.exe	92
PID 1156 wrote to memory of 3900	1156	AE 0124 BE.exe	93
PID 1156 wrote to memory of 3900	1156	AE 0124 BE.exe	93
PID 1156 wrote to memory of 3900	1156	AE 0124 BE.exe	93
PID 2672 wrote to memory of 3192	2672	winlogon.exe	94
PID 2672 wrote to memory of 3192	2672	winlogon.exe	94
PID 2672 wrote to memory of 3192	2672	winlogon.exe	94

C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe
"C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4976
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3900
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:3192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F974E26C10B80C216EF947A05624570D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC767.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
717KB

MD5
8c6fd0a6356482d4dc1cf1626fb4cc43

SHA1
be14941d6f31819364945356c5040fcc9a77853e

SHA256
8faa33bc99d73199a08a9ee7f08ea6cffc3e720066056e46656481322ed728b6

SHA512
d8dbfc2b6cfabea4a15c0b5ec3103a00ca1ded0d0bfab82f60d436b791e870259aef8baca0d45a292764404e90d006958454774e7a72e7f24d8b6c02cbe9fabf

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
a1f4f4e347219a8a6aa41290d11dab29

SHA1
97ae21420cfb4e2171416c77ada55117e175f894

SHA256
46bca533820fecc770e44ab426451cd70a3868f063a5ff4e6512bacda5aabb31

SHA512
967110a03247ae35b30ffbbf10fc77de8f0c149db8b2f0b14c3c636ff8aa7564ff21eef0490dc2bde4dc5fd1f7dc06cb73b56db9115ab3fbdb1a43d597a4e76b

Download Submit
C:\Windows\System32\LogFiles\WMI\CloudExperienceHostOobe.etl.002

Filesize
256KB

MD5
2e8a61cdeabfc5cac0157f5c4f2664fd

SHA1
2a1e7c768e8f1e00a8b65346268ea47477159d8e

SHA256
94110f8f3625fd371d228f0b55e313baeff9c6556ea29be13b6a8c9768381a64

SHA512
24b1fda4c686edce4a36048858563f22c8fa513d765ab3614c29188e6aaa7c4cbb1d8ae22ad61f51129e5c75f20acfd76f1ed03992ee7be65013c740940fe58f

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads