Analysis
max time kernel: 136s
max time network: 148s
platform: windows7_x64
resource: win7
submitted: 17-09-2020 17:13

Static task: static1

Behavioral task: behavioral1
Sample: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Resource: win7

Behavioral task: behavioral2
Sample: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Resource: win10v200722

General
Target: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Size: 2.4MB
MD5: a239735cddd49236ae3562d43d83a8e4
SHA1: 35bad8d66c79af9dabdcdd8dcebfc0440efc42a1
SHA256: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c
SHA512: 34bbfc20d82c4227f9e745f0f7cdb5ce68c684a4a84cde0340fa82601f9340fcb7d21c6060564be8580dcba8c3d1b5a16b28ab6964508e0d1ab994b59a818fef
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\HACKED.txt
Family: smaug
URLs (Tor payment site and the bitcoin purchase services referenced in the note):
http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion
https://paxful.com/
https://changelly.com/
https://www.bitcoindepot.com/
Signatures

Smaug
Ransomware-as-a-service first seen advertised on underground forums in early 2020.
Drops file in Drivers directory (2 IoCs)
Process: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Description (all rows): File opened for modification
IoCs:
C:\Windows\System32\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
Every file the sample rewrites in this run carries the same appended GUID-shaped suffix, .d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c, which makes the suffix itself a usable file-name indicator alongside the HACKED.txt ransom note.
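The rows in the "Drops file" tables of this report all have the shape "<description> <path> <process>". As an added example (not part of the original report and not code from the Smaug operators), the following Python parses such rows into structured records, recovers the appended suffix, groups the writes by location on disk, and turns the suffix plus the ransom-note name from the Malware Config section into name-based hunting indicators. The sample rows are copied from this report; the last one is the single entry on the page (an Adobe Reader GIF in Program Files (x86)) that was opened for modification without the suffix being appended, which the parser keeps as an unsuffixed record rather than dropping.

```python
"""Turn the flattened 'File opened for modification' rows of a sandbox report
into structured records and derive file-name indicators from them.

Added example; not part of the original report and not code from the
Smaug operators. SAMPLE_ROWS are copied from the report, RANSOM_NOTE from
its Malware Config section.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

PROC = "cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe"
EXT = "d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c"  # suffix appended to every renamed file in the report
RANSOM_NOTE = "HACKED.txt"                     # ransom note name from the Malware Config section

# Constructed sample: seven rows copied from the report, "<description> <path> <process>".
# The last row is the one entry on the page that was opened without the suffix.
SAMPLE_ROWS = [
    rf"File opened for modification C:\Windows\System32\drivers\gmreadme.txt.{EXT} {PROC}",
    rf"File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt.{EXT} {PROC}",
    rf"File opened for modification C:\Windows\SysWOW64\winrm.cmd.{EXT} {PROC}",
    rf"File opened for modification C:\Windows\System32\slmgr.vbs.{EXT} {PROC}",
    rf"File opened for modification C:\Program Files\Java\jre7\lib\ext\sunec.jar.{EXT} {PROC}",
    rf"File opened for modification C:\Windows\Media\Windows Startup.wav.{EXT} {PROC}",
    rf"File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif {PROC}",
]

# Paths may contain spaces but the process name may not, so the greedy path
# group backtracks to the last space before the trailing "<name>.exe" token.
ROW_RE = re.compile(r"^(?P<description>File opened for modification) (?P<path>.+) (?P<process>\S+\.exe)$")
# GUID-shaped final extension: 8-4-4-4-12 hex groups after a dot, at the end of the name.
GUID_EXT_RE = re.compile(r"\.(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.IGNORECASE)


@dataclass(frozen=True)
class FileIoc:
    description: str
    path: str
    process: str
    victim_id: Optional[str]  # GUID suffix appended by the ransomware; None if absent

    @property
    def original_path(self) -> str:
        """Path of the file before the suffix was appended."""
        if self.victim_id is None:
            return self.path
        return self.path[: -(len(self.victim_id) + 1)]  # strip ".<guid>"


def parse_row(row: str) -> FileIoc:
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    path = m.group("path")
    g = GUID_EXT_RE.search(path)
    return FileIoc(m.group("description"), path, m.group("process"),
                   g.group("guid").lower() if g else None)


def parse_rows(rows: List[str]) -> List[FileIoc]:
    return [parse_row(r) for r in rows]


def victim_ids(iocs: List[FileIoc]) -> Counter:
    """Count rows per suffix; a single dominant value means one ID for the whole run."""
    return Counter(i.victim_id for i in iocs if i.victim_id)


def unsuffixed(iocs: List[FileIoc]) -> List[FileIoc]:
    """Rows where the file was opened for writing but not renamed (worth a second look)."""
    return [i for i in iocs if i.victim_id is None]


def path_prefix(path: str, depth: int = 3) -> str:
    return "\\".join(path.split("\\")[:depth])


def by_prefix(iocs: List[FileIoc], depth: int = 3) -> Counter:
    """Where on disk the sample wrote, e.g. C:\\Windows\\System32 vs C:\\Program Files\\Java."""
    return Counter(path_prefix(i.path, depth) for i in iocs)


def encrypted_name_regex(victim_id: Optional[str] = None) -> "re.Pattern[str]":
    """Regex for file listings or EDR file-event names: the exact suffix when the
    ID is known, otherwise any GUID-shaped final extension."""
    if victim_id:
        return re.compile(r"\." + re.escape(victim_id) + r"$", re.IGNORECASE)
    return GUID_EXT_RE


def indicators(iocs: List[FileIoc]) -> Dict[str, object]:
    """Hunting bundle: suffix(es) seen, the ransom note name and the writing process(es)."""
    return {
        "suffixes": sorted(victim_ids(iocs)),
        "ransom_note": RANSOM_NOTE,
        "processes": sorted({i.process for i in iocs}),
    }


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print(indicators(parsed))
    print(by_prefix(parsed))
    for ioc in unsuffixed(parsed):
        print("opened without suffix:", ioc.path)
```

The exact-suffix regex is the one to push to file-name telemetry for this run; the generic GUID-shaped pattern is noisier but catches the same family under a different ID. Rows without a suffix are kept on purpose, since a file written but not renamed is either a failed encryption or a different kind of write and should be checked by hand.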
Reads user/profile data of web browsers (2 TTPs)
Stored browser profile data is a common target for infostealers because it can include saved credentials, cookies and session tokens.
Drops file in System32 directory (406 IoCs; 64 listed)
Process: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Description (all rows): File opened for modification
IoCs:
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4660t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\IME\IMEJP10\APPLETS\IMJPCLST.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\OEM\EnterpriseE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO1600T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\icsxml\osinfo.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\fus3base.frm.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpb8300t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2400t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd6100t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpsd730t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc451X.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc660u.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO4300T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpap6.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500at.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\wbem\xsl-mappings.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\winrm.cmd.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO4PG3L.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7200T.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa320t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\KYW7QUR6.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc770u.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\OEM\UltimateE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\OEM\UltimateN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasic\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7400t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4300t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5700t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa310t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa820t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\eval\Starter\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\oobe\en-US\OOBE_HELP_What_is_User_Account.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1400t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\restore\MachineGuid.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3050F.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpn5150t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpb8500t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\Printing_Admin_Scripts\en-US\prnjobs.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\Recovery\ReAgent.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\eval\HomePremiumN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMovieMaker.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\_Default\HomePremiumN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\slmgr.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5100t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\OEM\ProfessionalN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hphp910t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\WindowsPowerShell\v1.0\en-US\default.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5400t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kop5650X.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\en-US\Licenses\_Default\StarterN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\migwiz\MigApp.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\System32\winrm.cmd.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
Drops file in Program Files directory (4749 IoCs; 64 listed)
Process: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Description (all rows): File opened for modification
IoCs:
C:\Program Files\Java\jre7\lib\ext\sunec.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Templates\1033\OriginReport.Dotx.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR27F.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\PREVIEW.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21325_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jre7\lib\ext\localedata.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif (opened for modification without the suffix being appended)
C:\Program Files\7-Zip\Lang\ro.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PREVIEW.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGMN011.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\VideoLAN\VLC\lua\http\view.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
Drops file in Windows directory (3469 IoCs; listing truncated)
Process: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Description (all rows): File opened for modification
IoCs:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallMembership.sql.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\12.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_blue_partly-cloudy.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\19.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Hardware Fail.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Battery Low.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\BabyBoyNotesBackground_PAL.wmv.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-d..characterlistapplet_31bf3856ad364e35_6.1.7600.16385_none_dd67cfae8586b8c8\IMJPCLST.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Balloon.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6d7d60ea24be809c\settings.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\Windows Pop-up Blocked.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\PLA\Reports\Report.System.CPU.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_6.1.7601.17514_en-us_8e57778214225c92\vofflps.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Media\Speech On.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Media\Windows Startup.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Navigation Start.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Variables.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-new.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_en-us_bd044824b607cb4d\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\PassportMask_PAL.wmv.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-rasctrs_31bf3856ad364e35_6.1.7600.16385_none_70130a6690196ee7\rasctrnm.h.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Web\Wallpaper\Landscapes\img11.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\19.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_functions.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Media\Sonata\Windows Logon Sound.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\osinfo.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Balloon.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp3.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\NetFx45_IIS_schema_update.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c
File opened for modification
C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Return.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prnport.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Arithmetic_Operators.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Media\Delta\Windows Navigation Start.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_wpf-winfxlist_31bf3856ad364e35_6.1.7600.16385_none_40b32988515caa44\WinFXList.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp5.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows Pop-up Blocked.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1053\LocalizedData.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification 
C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\3.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Ding.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\numbers.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_perf.h.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\winsatencode.wmv.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_requires.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\SoftBlue.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for 
modification C:\Windows\servicing\Editions\ProfessionalEdition.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\8.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Exclamation.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\base_rtl.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_box_top.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Media\Speech Sleep.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(120DPI)grayStateIcon.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4d6aa30008b38d10\gadget.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification 
C:\Windows\Media\Savanna\Windows Logoff Sound.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Error.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\reveal_down.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\6.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\rectangle_plain_Thumbnail.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\NavigationUp_SelectionSubpicture.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b4e211957dcdb16b\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c 
cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe File opened for modification C:\Windows\Media\Cityscape\Windows Battery Low.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe"
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1496