3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Size

73KB
MD5

0e2c2ecc04afe981d200dd76d79111a1
SHA1

ca43d361c7b0d406e4f9e6806f0969ffd5d7e3c1
SHA256

3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb
SHA512

a9f2ad0a511609a09e303165c2ea8e009ecfacc3c175647201887ff0c8bec545a46288c379eb2465fdeed36bc503fe6cc3dffff9390b9b7b0fcbbfcdf564994f
SSDEEP

1536:Lwql7JmQ9g7fM63UQwjMMlt/sNCmxd8lPKzYIC1mfXcp:uBjM633wjM2t/8CmCKxC14sp

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
884	_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Loads dropped DLL 10 IoCs

pid	Process
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ACLControl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ACLControl.exe"	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\DllName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ACLControl.exe"	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\Impersonate = "0"	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\Asynchronous = "1"	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\Logon = "ACLLogon"	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\de-DE\dxdiag.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\expand.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\label.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\DpiScaling.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\autoconv.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\Dism.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\explorer.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\com\es-ES\MigRegDB.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\cleanmgr.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\auditpol.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\cmstp.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\dvdplay.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\finger.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\diskperf.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\ktmutil.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\diskpart.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\DfrgUI.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\drvinst.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\Autofmt.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\explorer.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\isoburn.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\dplaysvr.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\it-IT\diskpart.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\com\ja-JP\MigRegDB.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\DWWIN.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\DisplaySwitch.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\cttune.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\isoburn.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\compact.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\diskraid.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\doskey.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\dpapimig.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\attrib.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\colorcpl.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\migwiz\es-ES\migwiz.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\dpnsvr.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\driverquery.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\find.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\it-IT\cmmon32.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\it-IT\fsutil.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\com\it-IT\MigRegDB.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\it-IT\hostname.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\audiodg.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\cmdl32.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\credwiz.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\powershell.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\autoconv.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\autoconv.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\hostname.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\cacls.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\compact.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\cmd.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\AdapterTroubleshooter.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\expand.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\it-IT\isoburn.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\AdapterTroubleshooter.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\cmdl32.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\en-US\ieunatt.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\es-ES\chkntfs.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\EventCreate.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\fr-FR\hwrreg.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\finger.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\ja-JP\hwrcomp.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\SysWOW64\de-DE\ftp.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Journal\de-DE\Journal.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPSideShowGadget.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Media Player\it-IT\WMPSideShowGadget.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\Sidebar.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\Sidebar.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\zh-CN_BitLockerToGo.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ja-JP\regedit.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873\sdbinst.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89\winresume.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..andprompt.resources_31bf3856ad364e35_6.1.7601.17514_en-us_dda7e3a7a889bd4d\cmd.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe.aux	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..dlinehelp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b9284e1c52675b97\help.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..bitsadmin.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2ac9e265910c0883\bitsadmin.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ehome\fr-FR\ehmsas.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\en-US\fveupdate.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\servicing\es-ES\TrustedInstaller.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c8e5b1e7f02188d\chkntfs.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ion-telemetry-agent_31bf3856ad364e35_6.1.7601.17514_none_3092574c7d41010b\aitagent.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ehome\en-US\ehrecvr.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ehome\it-IT\ehrec.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..e-results.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bd9cb6fcc60786f1\windowsanytimeupgradeResults.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f3499ca669bfbc23\AdapterTroubleshooter.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c32dfb5248079480\AtBroker.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ehome\en-US\WTVConverter.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\en-US\helppane.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\caspol.exe.config	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_divacx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a639398e05431496\ditrace.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a\winresume.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\he-IL_BitLockerToGo.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\Boot\PCAT\fr-FR\bootmgr.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ehome\en-US\ehsched.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913\sdbinst.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgradeui_31bf3856ad364e35_6.1.7600.16385_none_4aadf3be188c056d\WindowsAnytimeUpgradeui.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe.aux	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498\AxInstUI.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\Boot\PCAT\cs-CZ\bootmgr.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_divacx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a66ddcaa051c22f1\xlog.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..assistant.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcd3cafd91383411\pcalua.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_6.1.7600.16385_none_8fbb77bb3cd808d1\pcawrk.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..e-results.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd6813e0c62e7896\windowsanytimeupgradeResults.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_it-it_322dc26fd56aa9d4\autochk.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..gine-main.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7d0b430f54c619cc\wbengine.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82\winresume.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_de-de_73d228418ffd1b23\chkntfs.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..erecovery.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b2ba432ede21e772\cofire.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\CasPol.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7f899f7c67d0364b\wbadmin.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..c-runtime.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8499a5b924de0152\msdtc.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\ja-JP_BitLockerToGo.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\de-DE\notepad.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ja-JP\hh.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34345a337e310068\cacls.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..andprompt.resources_31bf3856ad364e35_6.1.7601.17514_es-es_dd73408ba8b0aef2\cmd.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\servicing\GC64\tzupd.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1cc2fe3a7edb26e8\chkntfs.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..bitsadmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d3bab85e7fea1448\bitsadmin.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a\winresume.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_6.1.7601.17514_none_bf7bea0454c3f0cf\bcdboot.exe	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\ehome\fr-FR\ehrec.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2af6879929e9727\bthudtask.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
File created	C:\Windows\winsxs\amd64_divacx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_48f0af8cf8152af8\ditrace.exe.mui	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 884	1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe	27
PID 1020 wrote to memory of 884	1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe	27
PID 1020 wrote to memory of 884	1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe	27
PID 1020 wrote to memory of 884	1020	3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe	27

C:\Users\Admin\AppData\Local\Temp\3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
"C:\Users\Admin\AppData\Local\Temp\3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe
  C:\Users\Admin\AppData\Local\Temp\_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe "C:\Users\Admin\AppData\Local\Temp\3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe"
  2⤵
  - Executes dropped EXE
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Filesize
54KB

MD5
802e4bb4945d8e923481e90b8cf8d62c

SHA1
83f961c6d9ae382c656ed363578e45b2810529b0

SHA256
1477f10b90196acfe3bf6f64616e89b294d9869c0a44cb6c4c54f6f12d38c26e

SHA512
4a7966d01f2e90beafe09e00cd12999ab2ef15be5f41fd7b504b7379cf14bedf87262515ac3129c13a4b34656f156cb5d65329daa736b998d589bc3b99607aa0

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
464KB

MD5
0878fe32461ac5652a0e08b7e5ae90b4

SHA1
c2c45429028d76610aa188220650f1e19a712cd8

SHA256
e6566ca602e772f002d0c97b3243042a11b45b54f115d43e31fdc7ba0f7fea93

SHA512
ee0f4eacc59bcf4c3c1a4516baf0404fc76de075f0cb828931b6b5ecbb8ae93793ec09938186f112f3371c11b15f0f402d6239d0d5447cc5d81c3fa1204f60dc

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
653KB

MD5
ccbcb724db0a95a9126b63382dc5c745

SHA1
e517f87f61c05474c3d2820b1b83f03cb5299509

SHA256
e7e0472a223f6470df96dba5ca836e14e3d292c7b793bd18e1e5113be2f65e4f

SHA512
7d92b6812b92b18a177eac29d49eb1c63354d187a4f04c70e7d69a5b220d908554bcbb44eff045d4d694da44fffee69150a1e7a6f315128d27fe70b9013ef7e4

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
653KB

MD5
bb66f7c8e3149e305d0a281f5070afaf

SHA1
77920a94cf83dc4e722e853cea1346b331173e21

SHA256
ffb40cdcbb4bb0c9cf53fbc021cd2cac5120e80cddece0b9aa5cd111c893b58a

SHA512
5213f9e78acfe4a8ccfb8f5e0ba59e038dbaea58a46afa43239d1743a14754f2b68a866288d6c9bfcc6d079e78021a6326ce63287c467b45bc3a5956b221160f

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
474KB

MD5
5f5692c92e7431670671d287673904df

SHA1
7452306ab15fffe3ba333d160da944c9a0bf6288

SHA256
c7ed0ccd46fcb93421bfad03f7f4ee9ec87a97cdaecd868627549fdd60bdd9ef

SHA512
51e7e16df744defd0794281dc695723ed4753791b24f379e90c165cb8d5b2c298d5d9f394611238a214e2cf7422411b6bb283b4d7fd8141d9ad3251cfd9276a2

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
464KB

MD5
3e120b2e21bf5d21e2b5c0c3f02650b3

SHA1
3f977bef15b1b7e1e95fa642dcd35e0b0a7505cd

SHA256
4547cfcd15a09479e0625e43d6a2a48ee29b98d7dffba15d72f54658dd5ef7b0

SHA512
a7a1571e206eef15b7e3de68436250a6adf7cd2bc022ae8c06272e02e05745399f9a4bfb8973349110fbfb0878683de82c4ecf73487ac0d91501e5d599de844d

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
474KB

MD5
350dcc1176f69aa4659f59a7f50db401

SHA1
adb11b9c530e6638dd107627beb894b57abee448

SHA256
70c62060a180bc92ff4fd82b82154b594593efdee7b13722fb5d3a09917c3336

SHA512
b2489e105352f96f20a0282364118a62250548f4048074bd3ef5a9b3789350afe3afeba08c4b6a0190f082f51731e06508f2e55471d81ab43bf54615b2cd86bf

Download Submit
\Users\Admin\AppData\Local\Temp\ACLControl.exe

Filesize
73KB

MD5
0e2c2ecc04afe981d200dd76d79111a1

SHA1
ca43d361c7b0d406e4f9e6806f0969ffd5d7e3c1

SHA256
3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb

SHA512
a9f2ad0a511609a09e303165c2ea8e009ecfacc3c175647201887ff0c8bec545a46288c379eb2465fdeed36bc503fe6cc3dffff9390b9b7b0fcbbfcdf564994f

Download Submit
\Users\Admin\AppData\Local\Temp\_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Filesize
54KB

MD5
802e4bb4945d8e923481e90b8cf8d62c

SHA1
83f961c6d9ae382c656ed363578e45b2810529b0

SHA256
1477f10b90196acfe3bf6f64616e89b294d9869c0a44cb6c4c54f6f12d38c26e

SHA512
4a7966d01f2e90beafe09e00cd12999ab2ef15be5f41fd7b504b7379cf14bedf87262515ac3129c13a4b34656f156cb5d65329daa736b998d589bc3b99607aa0

Download Submit
\Users\Admin\AppData\Local\Temp\_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Filesize
54KB

MD5
802e4bb4945d8e923481e90b8cf8d62c

SHA1
83f961c6d9ae382c656ed363578e45b2810529b0

SHA256
1477f10b90196acfe3bf6f64616e89b294d9869c0a44cb6c4c54f6f12d38c26e

SHA512
4a7966d01f2e90beafe09e00cd12999ab2ef15be5f41fd7b504b7379cf14bedf87262515ac3129c13a4b34656f156cb5d65329daa736b998d589bc3b99607aa0

Download Submit
\Users\Admin\AppData\Local\Temp\_3f7b2ee83bf23996feb13de66959927ec6fc7fabc2ae2fa82abeef0ed26b48fb.exe

Filesize
54KB

MD5
802e4bb4945d8e923481e90b8cf8d62c

SHA1
83f961c6d9ae382c656ed363578e45b2810529b0

SHA256
1477f10b90196acfe3bf6f64616e89b294d9869c0a44cb6c4c54f6f12d38c26e

SHA512
4a7966d01f2e90beafe09e00cd12999ab2ef15be5f41fd7b504b7379cf14bedf87262515ac3129c13a4b34656f156cb5d65329daa736b998d589bc3b99607aa0

Download Submit
memory/884-57-0x0000000000000000-mapping.dmp

Download
memory/1020-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads