Analysis
max time kernel: 130s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2022 17:20
Behavioral task
behavioral1
Sample
9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Resource
win10v2004-20220812-en
General
Target: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Size: 7KB
MD5: e598e5ae61f73fb6b3883f6e79f05916
SHA1: 84063d5808f58c73871f8acea020f6a3e2382a30
SHA256: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63
SHA512: 95504ea38a2aac269fc2577d5c7e607010f10005adf52316f9e894edae8e2b043355ec7645de4a1abeb3268f68cb36734a74b0edd827ed67ec72e9e09463753f
SSDEEP: 96:sgjZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExTC+YbT9bOvuKN+gLJB:1jzdrr1FG1WDCgmjPZTCxv97HDMUA
Malware Config
Signatures
Detected Xorist Ransomware 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1600-55-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1600-56-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1600-140-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Drops file in Drivers directory 8 IoCs
Processes: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Executes dropped EXE 1 IoCs
Processes: OSPPSVC.EXE
pid | process
1004 | OSPPSVC.EXE
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.CrySpheRe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File renamed | C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.CrySpheRe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File renamed | C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.CrySpheRe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File renamed | C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.CrySpheRe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File renamed | C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.CrySpheRe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Registers COM server for autorun 1 TTPs 64 IoCs
Processes: msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5554F805-47C0-489D-AAE6-2D11C6E4A3ED}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\INLAUNCH.DLL" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9160E22-BDF3-4D8A-818C-D99D10EC7BEF}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\MSOHEVI.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{5554F805-47C0-489D-AAE6-2D11C6E4A3ED}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F045-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\OLKFSTUB.DLL" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\URLREDIR.DLL" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B8D12492-CE0F-40AD-83EA-099A03D493F1}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{CB3F7806-3CB4-409C-BA3B-12D642BE371A}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{73507951-A405-4E95-A197-B5FE6C6C001D}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73507951-A405-4E95-A197-B5FE6C6C001D}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b00580044004f0043005300460069006c0065007300360034003e00390026006000570060003600720038004e003900410032006900240027006c0062007a006100480000000000 | msiexec.exe
Sets file execution options in registry 2 TTPs 5 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\DisableExceptionChainValidation = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\DisableExceptionChainValidation = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | msiexec.exe
Processes:
resource | yara_rule
behavioral1/memory/1600-55-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1600-56-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1600-140-0x0000000000400000-0x000000000040C000-memory.dmp | upx
Drops startup file 1 IoCs
Processes: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Loads dropped DLL 21 IoCs
Processes: MsiExec.exe, MsiExec.exe, MsiExec.exe, OSPPSVC.EXE, MsiExec.exe
pid | process
1000 | MsiExec.exe
1000 | MsiExec.exe
1000 | MsiExec.exe
1000 | MsiExec.exe
1000 | MsiExec.exe
1000 | MsiExec.exe
1000 | MsiExec.exe
1572 | MsiExec.exe
1816 | MsiExec.exe
1816 | MsiExec.exe
1816 | MsiExec.exe
1816 | MsiExec.exe
1004 | OSPPSVC.EXE
1816 | MsiExec.exe
1000 | MsiExec.exe
304 | MsiExec.exe
304 | MsiExec.exe
1816 | MsiExec.exe
1000 | MsiExec.exe
1208 | 1208
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe" | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
description | ioc | process
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO" | msiexec.exe
Drops file in System32 directory 64 IoCs
Processes: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\COLORCNV.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00c.inf_amd64_neutral_27f4ad26fea72eb1\CNHL140.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\InstallShield\setupdir\001d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\cmstplua.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXLRES.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\RstrtMgr.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\Speech\SpeechUX\SpeechUXPS.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\termmou.inf_amd64_neutral_207a02df8e9e6552\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR12.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\ctfmon.exe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0341.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR1P.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\httpapi.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\hpowiav1.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\mprmsg.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_providers.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\bitsprx4.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\imagehlp.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\DriverStore\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\dpnathlp.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\cscobj.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\migisol.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\NlsData002a.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\sbeio.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\catsrvps.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_neutral_0feacd08cb9c7fe3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBP_280.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\Amd64\CNB_0302.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\dinput8.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\mfcm100.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\KBDTH1.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\UIAnimation.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_escape_characters.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\logoncli.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\apds.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\driverquery.exe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzurw71.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\SysWOW64\slmgr\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\activeds.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\dmstyle.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\KBDSORS1.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\mscorier.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\provsvc.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\SysWOW64\sppinst.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Drops file in Program Files directory 64 IoCs
Processes: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EntityDataHandler.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\Java\jre7\bin\fxplugins.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoDev.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50F.GIF | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files\Windows NT\Accessories\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files (x86)\Common Files\System\ado\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSRuntime.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Program Files (x86)\Microsoft
Office\Office14\PROOF\MSTH7FR.DLL 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File created C:\Program Files (x86)\Common Files\DESIGNER\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File created C:\Program Files (x86)\Windows 
Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe -
Drops file in Windows directory 64 IoCs
Processes:
9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
File created | C:\Windows\winsxs\x86_microsoft-windows-docprop.resources_31bf3856ad364e35_6.1.7600.16385_de-de_be3fbfa99c9fb6c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-osk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b06b1df8d88baa8f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1f63cd5d3ae047e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Sleep Away.mp3 | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_6.1.7600.16385_none_39ea34b42d8bab89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_preference_variables.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-vssadmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1986a2a9f4251b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-wsd-challengecomponent_31bf3856ad364e35_6.1.7601.17514_none_267f132f01972084\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\system.Resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-b..ng-base-homepremium_31bf3856ad364e35_6.1.7600.16385_none_7de3f055667d5adf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.jpg | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\x86_netfx35linq-system.core_31bf3856ad364e35_6.1.7601.17514_none_6161fc35ed136622\System.Core.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_wiaca00d.inf_31bf3856ad364e35_6.1.7600.16385_none_9b51e5b3b1f90953\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelEvents.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_mdmbr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bfcd338840ee79ef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\1.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_it-it_58c0b0f0f0041d9d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_895a2b74415ea575\LogProvider.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_719df0580731deba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-m..-mdac-rds-shape-rll_31bf3856ad364e35_6.1.7600.16385_none_d61b29a61a7467d6\msaddsr.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-w..ment-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c3debc2d5eb92b3c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_be8bab32249b2a4e\RegSvcs.exe | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\sysglobl\8abe9d895b3e9efe741b9162cb9206fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\inf\SMSvcHost 4.0.0.0\0015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.Extensions.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fb8a5e47801bdd37\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-setup_31bf3856ad364e35_8.0.7601.17514_none_121fa84cd569cffc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Ref.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-msctfp_31bf3856ad364e35_6.1.7600.16385_none_cab3b5905044da08\msctfp.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-b..core-fonts-chs-boot_31bf3856ad364e35_6.1.7600.16385_none_30d8afa629263809\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a33e988d033651ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-display_31bf3856ad364e35_6.1.7601.17514_none_b66e6297f95421b9\Display.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-windowsmediaplayer-adm_31bf3856ad364e35_6.1.7600.16385_none_cc71ea8336ec7782\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\msil_system.servicemodel.web.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d2ca4b8d52c0aa3\System.ServiceModel.Web.resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_amd64.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-com-base_31bf3856ad364e35_6.1.7600.16385_none_69e3281e403684ea\oleres.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..vault-cpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4bdcac3537e3a78e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rss_headline_glow_floating.png | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-linkinfo_31bf3856ad364e35_6.1.7600.16385_none_945a23c3bf051859\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_prnep002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5d20bc044275096a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_en-us_018102d196ec4984\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-wordpad.resources_31bf3856ad364e35_6.1.7600.16385_it-it_95a964e94322127e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\msil_system.windows.forms.resources_b77a5c561934e089_6.1.7600.16385_de-de_8a9d73b390fd5af5\System.Windows.Forms.Resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\wow64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_6.1.7600.16385_none_26e76f2ac1492952\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Media\Windows Startup.wav | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Management.Resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Numerics.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f718a5b90ca5f2a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-rasdlg.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b485f6a854acdc6c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_join.help.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_7d8445a5fca61fed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-xmllite_31bf3856ad364e35_6.1.7600.16385_none_8911d4b604a223a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ja\infocard.resources.dll | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1040\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f52607304e593d93\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..mediadeliveryengine_31bf3856ad364e35_6.1.7601.17514_none_7b96264774336146\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a16dd65d2bfab6a019ac8a05337a5c24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Green Bubbles.htm | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
File created | C:\Windows\winsxs\amd64_prnep005.inf_31bf3856ad364e35_6.1.7600.16385_none_951535885e4cab60\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
-
Processes:
msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension = "{48E73304-E1D6-4330-914C-F5F514E3486C}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppName = "onenote.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText = "OneNote Lin&ked Notes" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText = "OneNote Lin&ked Notes" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "OneNote Linked Notes" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71} | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppName = "IEContentService.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "Send to OneNote" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\Policy = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible = "Yes" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText = "Send to OneNote" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText = "Se&nd to OneNote" | msiexec.exe
-
Modifies data under HKEY_USERS 9 IoCs
Processes:
msiexec.exe, MsiExec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies\PayloadOverride\ | MsiExec.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663 | MsiExec.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies\PayloadOverride | MsiExec.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies | MsiExec.exe
-
Modifies registry class 64 IoCs
Processes:
msiexec.exe, 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\.dotm\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{FC8E6CD1-E6F2-4A8F-A99B-2F3BA2B3DE6B}\ProxyStubClsid | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{73507951-A405-4E95-A197-B5FE6C6C001D}\Programmable | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin\ = "Send to OneNote from Internet Explorer button" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe,0" | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\Control | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{096CD6FD-0786-11D1-95FA-0080C78EE3BB}\ProxyStubClsid32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\"" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{71DC7F9D-50F3-44AD-A58D-DD192A6C243A} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.CVisioFileFilter.1\CLSID\ = "{A394DCA9-3727-11D4-BD85-00C04F6B93A4}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pptx\ShellEx\PropertyHandler\ = "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLRedirection.URLRedirectionBHO\ = "Office Document Cache Handler" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\odctable.1\HTML Handler | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49c1-8EDE-F889CD0F4429}\1.0\0\win32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\AUTHZAX.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\VersionIndependentProgID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\TypeLib\ = "{053392D0-BE6A-47CF-A7A4-AD17EEDF5680}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{200C17D6-6854-439D-AFFA-0BB35D09B8F0}\TypeLib\Version = "1.0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-compressed | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\VersionIndependentProgID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\ = "Microsoft Office Project Task Launch Control" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.vtx\shellex\{00021500-0000-0000-C000-000000000046} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "Office Document Cache Handler" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.LinkedNotes\CurVer\ = "OneNote.IEAddin.LinkedNotes.14" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\ = "VSTO Assembly100" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vtx\PersistentHandler\ = "{FAEA5B46-761B-400E-B53E-E805A97A543E}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\Visio64Files | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0} | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\XEV.FailSafeApp\EditFlags = 01000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiProvider.1\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\odccube.1\HTML Handler\ = "\"C:\\PROGRA~1\\MICROS~2\\Office14\\MSOHTMED.EXE\" \"%1\"" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49c1-8EDE-F889CD0F4429}\1.0\ = "Microsoft Office 14 Authorization Control 1.0 Type Library" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC8E6CD1-E6F2-4A8F-A99B-2F3BA2B3DE6B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Search.OneIndexHandler.2\CLSID\ = "{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.12\CLSID\ = "{48E73304-E1D6-4330-914C-F5F514E3486C}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\OneNote.NoteAnchorCollection.14\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\OneNote.IEAddin.LinkedNotes | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\TypeLib | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\ = "Office SPP WMI Provider" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{F3685D71-1FC6-4CBD-B244-E60D8C89990B}\1.0\0\win32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\ = "IconHandlerShellExt Class" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\odctable.1\HTML Handler\Icon\.odc = ".odctablefile" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\VersionIndependentProgID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\OneNote.NoteLinkStoreService.14\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\TypeLib | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{200C17D6-6854-439D-AFFA-0BB35D09B8F0}\ProxyStubClsid32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell | 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
584 msiexec.exe
584 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe
"C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1600
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Registers COM server for autorun
- Sets file execution options in registry
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584 -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CEDBA5AD86F44ED95C5E1746D47EE1B6
  - Loads dropped DLL
  PID:1000 -
  C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 6385BB05E9DCAAA4314D5E27D9D029A3
  - Loads dropped DLL
  PID:1572 -
  C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 03711749E712CEBAA14496C1E9717603 M Global\MSI0000
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1816 -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 223D15F8382E76205F5131F985DB3257 M Global\MSI0000
  - Loads dropped DLL
  PID:304
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Loads dropped DLL
PID:1004
Network
MITRE ATT&CK Enterprise v6
Downloads