Analysis
max time kernel: 152s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 07:31
Behavioral task
behavioral1
Sample
8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Resource
win10v2004-20220812-en
General
Target: 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Size: 7KB
MD5: a285e1529b2c97577e6f8b4507e745c8
SHA1: d4291f7ecb371beb3ac0c35876b68156aac392f8
SHA256: 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143
SHA512: 164c1529b3c9fb973013c37de9581c4d1aeacfa93314bffaf4d9de1341b187717da248e1e68b5907ed98c9f8c7fb84062610451e3c1d7d7930c6f746c5d96cdf
SSDEEP: 192:Ozdrr1FG1WDCgmjPZY/mPaT7EWf7lK8hU0MUA:Oprr1gkDCgSeuyvdlK8hPMB
Malware Config
Signatures
-
Detected Xorist Ransomware 2 IoCs
Processes:
  resource: behavioral1/memory/952-55-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: family_xorist
  resource: behavioral1/memory/952-56-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: family_xorist
Xorist Ransomware
Xorist is a long-running ransomware family, in circulation since at least 2011, generated by a builder that lets the operator choose the appended extension, the ransom note and the encryption parameters. Both family_xorist hits are on memory dumps of PID 952 covering the image base (0x400000-0x40C000), i.e. the unpacked code; the 7KB file on disk is UPX-packed (the upx rule fires on the same regions), so a static scan of the sample as stored may not match the family rule.
-
Drops file in Drivers directory 1 IoCs
Processes:
  8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe: File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt
The flagged path is an existing text file under the 32-bit drivers directory opened for write, consistent with the sample encrypting whatever it can reach there; nothing in the report shows a driver being written or loaded.
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe: File renamed C:\Users\Admin\Pictures\GetApprove.png => C:\Users\Admin\Pictures\GetApprove.png.EnCiPhErEd
The extension is appended to the original name rather than replacing it, so original file names stay recoverable from the renamed files. .EnCiPhErEd is an extension long associated with Xorist builds and is a usable hunt term on file servers and backups.
UPX packed file 2 IoCs
Processes:
  resource: behavioral1/memory/952-55-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/952-56-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
The report lists no IoC for this signature. For a file-encrypting sample the likely trigger is its filesystem walk passing through browser profile directories, so do not read it as evidence of credential theft without a corroborating file read or network event.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3esHJguC1b6taym.exe"
The value lands under Wow6432Node because the 32-bit process is registry-redirected on the x64 image; on a native 32-bit host the same write appears under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Writing to HKLM needs an elevated token, which the sandbox's Admin session provides. The value name (Alcmeter) and the executable name under the user's Temp directory look generated, and the report does not show that file being dropped, so hunt on the pattern (a machine-wide Run value whose command points into a user's AppData\Local\Temp) rather than on the literal names.
Drops file in System32 directory 64 IoCs
Processes: 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe (every entry below is "File opened for modification" by this process)
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Automatic_Variables.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_cmdletbindingattribute.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Line_Editing.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\fr-FR\about_BITS_Cmdlets.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_command_precedence.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pipelines.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_command_precedence.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_prompts.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_locations.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_cmdletbindingattribute.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Line_Editing.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_output.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Special_Characters.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Continue.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_2.0.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_aliases.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_parameters.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_join.help.txt
  C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\AppInstalled.gif
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_aliases.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_do.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pssession_details.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Ref.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_While.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comparison_Operators.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_History.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Switch.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_FAQ.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Reserved_Words.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_2.0.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Redirection.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_methods.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_requires.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_jobs.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssessions.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_objects.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scripts.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssessions.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote.help.txt
  C:\Windows\SysWOW64\oobe\background.bmp
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_eventlogs.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_format.ps1xml.help.txt
  C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\System.gif
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WS-Management_Cmdlets.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_do.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Parsing.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_parameters.help.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\about_BITS_Cmdlets.help.txt
Every entry is an existing file under the 32-bit system directory opened for write, i.e. in-place encryption of whatever the process can reach, not new files being dropped. This list and the two that follow each stop at exactly 64 entries, so 64 is the report's display cap rather than the number of files touched.
Drops file in Program Files directory 64 IoCs
Processes: 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe (every entry below is "File opened for modification" by this process)
  C:\Program Files\7-Zip\Lang\ar.txt
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10302_.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS
  C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49B.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif
  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR27F.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50F.GIF
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png
  C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png
  C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif
  C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM
  C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CAMERA.WAV
  C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html
  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png
  C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR16F.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png
Drops file in Windows directory 64 IoCs
Processes: 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe (every entry below is "File opened for modification" by this process)
  C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp2.jpg
  C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp4.jpg
  C:\Windows\Media\Festival\Windows Pop-up Blocked.wav
  C:\Windows\Media\Windows Shutdown.wav
  C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp2.jpg
  C:\Windows\Media\chimes.wav
  C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp6.jpg
  C:\Windows\Media\Heritage\Windows Hardware Fail.wav
  C:\Windows\Media\Quirky\Windows Critical Stop.wav
  C:\Windows\Media\Sonata\Windows Pop-up Blocked.wav
  C:\Windows\Media\Cityscape\Windows Battery Low.wav
  C:\Windows\Media\Quirky\Windows Logoff Sound.wav
  C:\Windows\Media\Cityscape\Windows Pop-up Blocked.wav
  C:\Windows\Media\Delta\Windows Balloon.wav
  C:\Windows\Media\Savanna\Windows Balloon.wav
  C:\Windows\Media\Speech Sleep.wav
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif
  C:\Windows\Media\Afternoon\Windows Exclamation.wav
  C:\Windows\Media\Calligraphy\Windows Notify.wav
  C:\Windows\Media\Characters\Windows Hardware Insert.wav
  C:\Windows\Media\Cityscape\Windows Critical Stop.wav
  C:\Windows\Media\Cityscape\Windows Default.wav
  C:\Windows\Media\Festival\Windows Hardware Remove.wav
  C:\Windows\Media\Windows User Account Control.wav
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg
  C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp4.jpg
  C:\Windows\Media\Afternoon\Windows Navigation Start.wav
  C:\Windows\Media\Characters\Windows Default.wav
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif
  C:\Windows\Media\Afternoon\Windows Battery Low.wav
  C:\Windows\Media\Festival\Windows Hardware Fail.wav
  C:\Windows\Media\Quirky\Windows Navigation Start.wav
  C:\Windows\Media\Afternoon\Windows Battery Critical.wav
  C:\Windows\Media\Festival\Windows Error.wav
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif
  C:\Windows\Performance\WinSAT\Clip_480i_5sec_6mbps_new.mpg
  C:\Windows\Media\Festival\Windows Logoff Sound.wav
  C:\Windows\Media\Raga\Windows Battery Critical.wav
  C:\Windows\ehome\ja-JP\playready_eula.txt
  C:\Windows\Media\Savanna\Windows User Account Control.wav
  C:\Windows\Media\Festival\Windows Critical Stop.wav
  C:\Windows\Media\Quirky\Windows Balloon.wav
  C:\Windows\Media\Calligraphy\Windows Logon Sound.wav
  C:\Windows\Media\Delta\Windows Notify.wav
  C:\Windows\Media\Festival\Windows Exclamation.wav
  C:\Windows\Media\Delta\Windows Battery Low.wav
  C:\Windows\Media\Landscape\Windows Pop-up Blocked.wav
  C:\Windows\Media\Windows Exclamation.wav
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif
  C:\Windows\ehome\es-ES\playready_eula.txt
  C:\Windows\ehome\ja-JP\epgtos.txt
  C:\Windows\Media\Afternoon\Windows Hardware Remove.wav
  C:\Windows\Media\Garden\Windows Logon Sound.wav
  C:\Windows\Media\Savanna\Windows Logoff Sound.wav
  C:\Windows\Media\Raga\Windows Default.wav
  C:\Windows\Media\Characters\Windows Logon Sound.wav
  C:\Windows\Media\Characters\Windows Notify.wav
  C:\Windows\Media\Garden\Windows Ding.wav
  C:\Windows\Media\Raga\Windows Pop-up Blocked.wav
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg
Modifies registry class 10 IoCs
Processes:
8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\ = "CRYPTED!" 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell\open 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "FJEEQNHUJJIAAHT" 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\DefaultIcon 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3esHJguC1b6taym.exe,0" 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell\open\command 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3esHJguC1b6taym.exe" 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd 8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
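Taken together, the ten registry writes above are a file-association hijack rather than ten unrelated IoCs: the `.EnCiPhErEd` extension (the one appended to encrypted files, see the rename of GetApprove.png) is bound to the ProgID `FJEEQNHUJJIAAHT`, whose friendly name is "CRYPTED!" and whose `shell\open\command` and `DefaultIcon` both point at an executable in the user's Temp directory (`C:\Users\Admin\AppData\Local\Temp\3esHJguC1b6taym.exe`, not itself described in this report). Opening any encrypted file from Explorer therefore launches that binary, and the command passes no `"%1"` argument, so the "handler" never even receives the document. The script below is an added example, not part of the sandbox report or of the Xorist family's code: it parses the `Set value` lines exactly as they appear above (embedded as a constructed sample), rebuilds the extension -> ProgID -> open-command chain, and flags the two things a triage analyst would check, a handler living in a user-writable location and a missing `%1`. The user-writable path patterns and the finding strings are this example's own heuristics, not something the report defines.

```python
"""Reconstruct file-association hijacks from sandbox registry events.

Added example, not part of the sandbox report. Input is the report's
"Set value (str)" lines for HKLM\SOFTWARE\Classes; output is the
extension -> ProgID -> open-command chain plus triage findings.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the registry events from this report, with the
# reporting process name abbreviated to <proc> and substituted below.
PROC = "8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe"
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT <proc>
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\ = "CRYPTED!" <proc>
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell\open <proc>
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "FJEEQNHUJJIAAHT" <proc>
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\DefaultIcon <proc>
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3esHJguC1b6taym.exe,0" <proc>
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell\open\command <proc>
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell <proc>
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FJEEQNHUJJIAAHT\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3esHJguC1b6taym.exe" <proc>
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd <proc>
""".replace("<proc>", PROC)

CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
# "Set value (str) <key>\<name> = "<data>" <process>"; an empty <name> is the (Default) value.
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<val>.*)" (?P<proc>\S+)$')
# Heuristic (this example's own): locations a standard user can write to.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\")


@dataclass
class Association:
    extension: str
    progid: str
    friendly_name: str
    command: str
    icon: str
    findings: List[str] = field(default_factory=list)


def parse_events(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key under HKLM\\SOFTWARE\\Classes to its {value_name: data}."""
    classes: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m or not m.group("path").lower().startswith(CLASSES_PREFIX.lower()):
            continue
        rel = m.group("path")[len(CLASSES_PREFIX):]
        key, _, name = rel.rpartition("\\")
        # The sandbox doubles backslashes inside string data; undo that.
        classes.setdefault(key, {})[name] = m.group("val").replace("\\\\", "\\")
    return classes


def _values(classes: Dict[str, Dict[str, str]], key: str) -> Dict[str, str]:
    """Registry keys are case-insensitive; look the key up that way."""
    for k, v in classes.items():
        if k.lower() == key.lower():
            return v
    return {}


def handler_exe(command: str) -> str:
    """Executable part of an open command: quoted path, or first token if unquoted
    (an unquoted path with spaces is ambiguous, which is itself worth noticing)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def build_associations(classes: Dict[str, Dict[str, str]]) -> List[Association]:
    out: List[Association] = []
    for key, values in classes.items():
        if not key.startswith(".") or "\\" in key:
            continue  # only top-level extension keys such as ".EnCiPhErEd"
        progid = values.get("", "")
        command = _values(classes, progid + "\\shell\\open\\command").get("", "")
        icon = _values(classes, progid + "\\DefaultIcon").get("", "")
        a = Association(key, progid, _values(classes, progid).get("", ""), command, icon)
        if command and is_user_writable(handler_exe(command)):
            a.findings.append("handler in user-writable path")
        if command and "%1" not in command:
            a.findings.append("handler does not receive the document (%1 missing)")
        if icon and is_user_writable(icon):
            a.findings.append("DefaultIcon in user-writable path")
        out.append(a)
    return out


def analyse(text: str) -> List[Association]:
    return build_associations(parse_events(text))


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"{a.extension} -> {a.progid} ({a.friendly_name!r})")
        print(f"  open command: {a.command}")
        print(f"  icon        : {a.icon}")
        for finding in a.findings:
            print(f"  [!] {finding}")
```

The same parser works on any report that uses this `Set value (str) <key> = "<data>" <process>` line format; `Key created` lines carry no data and are ignored. On a live host the equivalent check is to walk `HKLM\SOFTWARE\Classes` (and `HKCU\SOFTWARE\Classes`, which takes precedence) and apply `is_user_writable` to every ProgID's `shell\open\command`.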
Processes
-
C:\Users\Admin\AppData\Local\Temp\8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe
"C:\Users\Admin\AppData\Local\Temp\8562e60178ec470e8147d73130a93f2f568264048685dfc8a6258ac79f96d143.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:952