65d3591d7b9e812861bfc619c867b60793f704cd99a4681d1c2a8c1ca2c11e3a

General

Target

d39ad5a55253710f0869adc9e33b604e.exe
Size

7.6MB
MD5

d39ad5a55253710f0869adc9e33b604e
SHA1

958068a419f4f7a936fee8cb74f8573822600e7d
SHA256

65d3591d7b9e812861bfc619c867b60793f704cd99a4681d1c2a8c1ca2c11e3a
SHA512

e4d9a18e23306978a3f329b2ac1e7bf574a60f6ba85f588a589969a64111cc53360f015dc33b5436311b70633b683ee0ee981b47de54080b04fe672b997ab228

Score

7^/10

persistence spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d39ad5a55253710f0869adc9e33b604e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d39ad5a55253710f0869adc9e33b604e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	d39ad5a55253710f0869adc9e33b604e.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 647 IoCs

Processes:

d39ad5a55253710f0869adc9e33b604e.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\setup.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jre7\bin\ssvagent.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ED12A50C-ADCB-4FB6-B0B7-713544A9D99B}\CR_EB8C7.tmp\setup.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\elevation_service.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\7-Zip\7z.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe$	d39ad5a55253710f0869adc9e33b604e.exe

Drops file in Windows directory 158 IoCs

Processes:

d39ad5a55253710f0869adc9e33b604e.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\ehome\ehrecvr.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\ehome\mcspad.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\5ada68cfa2258a2d4e3c3779106faf9b\Microsoft.Workflow.Compiler.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\Boot\PCAT\memtest.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe$	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\ehome\McrMgr.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\9683999d889dc0b8782c782e2fc1aee5\WsatConfig.ni.exe	d39ad5a55253710f0869adc9e33b604e.exe
File created	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$	d39ad5a55253710f0869adc9e33b604e.exe

NTFS ADS 1 IoCs

Processes:

d39ad5a55253710f0869adc9e33b604e.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf d39ad5a55253710f0869adc9e33b604e.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d39ad5a55253710f0869adc9e33b604e.exe

pid process

1876 d39ad5a55253710f0869adc9e33b604e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	d39ad5a55253710f0869adc9e33b604e.exe

pid	process
1876	d39ad5a55253710f0869adc9e33b604e.exe

C:\Users\Admin\AppData\Local\Temp\d39ad5a55253710f0869adc9e33b604e.exe
"C:\Users\Admin\AppData\Local\Temp\d39ad5a55253710f0869adc9e33b604e.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1876