Analysis
max time kernel: 144s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  Resource: win10v2004-20220812-en
General
Target: 5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
Size: 122KB
MD5: 64dc6ef2c592a1381db98abc28794540
SHA1: 372a685f8d1ecf9cfd15ab60e093345ca9dbba4f
SHA256: 5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b
SHA512: 7675834f6624f75116661098a4a5d35e1fb9f669f74521095fd8a152bce0d66fb9f33c49197ca6fcec1cab484c41ecac1b30d9f339aef2b3abdfb7a7891c8047
SSDEEP: 1536:wmAunwi6bNSiWrtpz0m3B+XoU+kOjxHWABdhmgSgxiiuISAY6oJK:wzunwoiezDR+Xp+kONbmgStN/yoo
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\B:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\F:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\S:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\U:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\V:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\X:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\Z:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\A:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\M:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\O:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\P:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\Q:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\R:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\T:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\G:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\H:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\J:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\K:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\N:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\E:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\I:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\L:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\W:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
  File opened (read-only)  \??\Y:   5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe
"C:\Users\Admin\AppData\Local\Temp\5243af4c5264a1827f7cc4a3e6d9cd22dced772158e3c27b0b9a2047a3c1028b.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1252