Analysis
max time kernel: 96s
max time network: 30s
platform: windows7_x64
resource: win7v200722
submitted: 17-09-2020 23:56

Static task: static1

Behavioral task: behavioral1
Sample: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Resource: win7v200722

Behavioral task: behavioral2
Sample: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Resource: win10v200722

General
Target: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Size: 2.4MB
MD5: a239735cddd49236ae3562d43d83a8e4
SHA1: 35bad8d66c79af9dabdcdd8dcebfc0440efc42a1
SHA256: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c
SHA512: 34bbfc20d82c4227f9e745f0f7cdb5ce68c684a4a84cde0340fa82601f9340fcb7d21c6060564be8580dcba8c3d1b5a16b28ab6964508e0d1ab994b59a818fef
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\HACKED.txt
smaug
http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion
https://paxful.com/
https://changelly.com/
https://www.bitcoindepot.com/
Signatures

Smaug
Ransomware-as-a-service first seen marketed on forums etc. in early 2020.
Drops file in Drivers directory (2 IoCs)
Processes: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (407 IoCs)
Processes: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4200t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4100t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\OEM\HomePremium\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd6100t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpsd730t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\Ultimate\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1B83L.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7700t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\eval\ProfessionalE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\eval\Ultimate\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5H83L.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa520t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\OEM\Ultimate\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3200T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2360t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7500t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\NdfEventView.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\ScavengeSpace.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\icsxml\osinfo.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7300T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpcp6.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5500t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\eval\Professional\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\_Default\HomePremium\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\_Default\ProfessionalE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\eval\UltimateE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4300t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500at.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\lpeula.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\EP0SBW00.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\_Default\EnterpriseN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpdp6.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1400t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5100t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky005.inf_amd64_neutral_8836be987024e6a9\Amd64\KYW7QUR3.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7200T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOGDS3L.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8700T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC9500S.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\en-US\erofflps.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\oobe\en-US\vofflps.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1000T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW9800T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpap6.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Documents.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPMCPDP5.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Drops file in Program Files directory (4746 IoCs)
Processes: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\MEDIA\BREEZE.WAV.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\MEDIA\CASHREG.WAV.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGMN001.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\BlackTieLetter.dotx.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jre7\bin\server\Xusage.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143752.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47F.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD19563_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33B.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\CERT.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.FR.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Drops file in Windows directory (3469 IoCs)
Processes: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
description | ioc | process
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_box_top.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\drag.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img25.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp5.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Logon Sound.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile20.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_netfx35cdf-cdf_sql_files_31bf3856ad364e35_6.1.7600.16385_none_fe222fceeb381997\DropSqlPersistenceProviderLogic.sql.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationRight_SelectionSubpicture.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\system_dot.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\logo.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_en-us_80e67168127a4a15\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\Media\Quirky\Windows Pop-up Blocked.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_630d9bc151625afa\Report.System.Wired.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prnmngr.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO3200T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Reserved_Words.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\PLA\Reports\en-US\Report.System.Wireless.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_hail.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\square_settings.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Exclamation.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\Web\Wallpaper\Architecture\img17.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\reveal_rest.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Battery Critical.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Hardware Remove.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_functions_advanced.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(144DPI)notConnectedStateIcon.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\Web\Wallpaper\Architecture\img18.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification | C:\Windows\winsxs\amd64_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.1.7600.16385_none_f72b6337a9731440\_ServiceModelServicePerfCounters.h.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
File opened for modification
C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Balloon.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Tasks\SCHEDLGU.TXT.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\rscaext.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_3e97183353e4fb3b\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\glow.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-waxing-crescent.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\novelty_settings.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for 
modification C:\Windows\Media\Quirky\Windows Hardware Fail.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Media\Sonata\Windows Default.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-dmrxml_31bf3856ad364e35_6.1.7600.16385_none_9d23d74d960a8256\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\inf\ASP.NET\aspnet_perf.h.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-t..riventextservice-yi_31bf3856ad364e35_6.1.7600.16385_none_4153c9e11ffae30c\TableTextServiceYi.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..style-layeredtitles_31bf3856ad364e35_6.1.7600.16385_none_4ad2978b8b3ac8b2\NavigationUp_SelectionSubpicture.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Error.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Media\Calligraphy\Windows Exclamation.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c 
cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_requires.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows Battery Low.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-audio-mmecore-other_31bf3856ad364e35_6.1.7600.16385_none_8cd41e2771e37717\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-full.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_debuggers.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Critical Stop.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_color32.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File 
opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Battery Critical.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Ding.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\icon.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Battery Low.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows User Account Control.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Battery Low.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification 
C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Balloon.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_WS-Management_Cmdlets.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Media\Festival\Windows Feed Discovered.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe"
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:108