Analysis
- max time kernel: 146s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 07-11-2022 04:32
Behavioral task: behavioral1
- Sample: e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
- Resource: win10v2004-20220812-en
General
- Target: e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
- Size: 7KB
- MD5: 06ef31e62e5b10e2bacae0493e98e836
- SHA1: 0d8bb8222f1a324e048fb293011db5621ea8299c
- SHA256: e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923
- SHA512: 5fecd97757798110269f68db72882e62ec8266f2c7f68e1828b836f8e390fb630636942b7e967d22259377d57e122bf2d6102ec5f86be3804ff8f2271c4c25de
- SSDEEP: 96:lUZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExXWVLIgKc2qerbBZxuPP:Kzdrr1FG1WDCgmjPZXWV0ckrbBaGMUA
Malware Config
Signatures
- Detected Xorist Ransomware (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1380-55-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1380-56-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1380-57-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
- Drops file in Drivers directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File created | C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
File created | C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Processes:
resource | yara_rule
behavioral1/memory/1380-55-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1380-56-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1380-57-0x0000000000400000-0x000000000040C000-memory.dmp | upx
- Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14Fc59lHJ6Lr98g.exe" | e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\x86_microsoft-windows-e..orenderer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4c53258288780299\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-10.htm e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ntshrui_31bf3856ad364e35_6.1.7601.17514_none_ba35b3e012fe4f4e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile39.bmp e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions_advanced.help.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\amd64_microsoft-windows-netlogon-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fb96bf93dc604492\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.resources\2.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\Media\Garden\Windows Default.wav e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\Media\Windows Information Bar.wav e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created 
C:\Windows\winsxs\amd64_mdmbr008.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5c2359d90006424a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Debug\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Print complete.wav e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\msil_mscorlib.resources_b77a5c561934e089_6.1.7600.16385_de-de_39d375d4571acb87\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_58c37611c5704035\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\BabyBoyMainBackground_PAL.wmv e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\x86_microsoft-windows-w..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4fcda74a85457284\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\amd64_microsoft-windows-e..rformancemonitoring_31bf3856ad364e35_6.1.7600.16385_none_0d7e44ffcdcf5676\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..demanager.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f1f7e80b55f51b8d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe -
Modifies registry class 10 IoCs
Processes:
e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\ = "CRYPTED!" e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\shell e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "CWAFIPTICWNLKOE" e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\DefaultIcon e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14Fc59lHJ6Lr98g.exe,0" e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\shell\open\command e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\shell\open e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14Fc59lHJ6Lr98g.exe" e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe
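The two IoC lists above, the ransom-note drops and the .EnCiPhErEd class registration, are easier to act on once parsed. The Python below is an added example for this page; it is not Triage output and not code belonging to the sample, and its sample lines are constructed to mirror a few of the report's own entries. It does three things the raw lists do not: it decodes the note name, which the report renders as CP1251 bytes read as Latin-1 ("ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt" decodes to "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt", Russian for "HOW TO DECRYPT FILES.txt"); it groups "File created" events by file name to surface a name sprayed across many directories; and it follows the .EnCiPhErEd default value to its ProgID and reports where that ProgID's shell\open\command handler lives. The MIN_DIRS threshold and the rule that a handler under AppData\Local\Temp is suspicious are assumptions of the example, not statements in the report.

```python
"""Parse the "Drops file" and "Modifies registry class" IoC lines of this report.

Added example; not Triage output and not code from the sample. The SAMPLE_*
lists are constructed to mirror a handful of the report's own entries.
Assumptions (not stated by the report): a name created in MIN_DIRS or more
distinct directories is a note spray, and an open handler under
AppData\\Local\\Temp is a user-writable, suspicious location.
"""
import re
from collections import defaultdict

PROC = "e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe"
# The note name exactly as the report renders it: CP1251 bytes shown as Latin-1.
NOTE_AS_REPORTED = "ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt"
MIN_DIRS = 3

SAMPLE_FILE_EVENTS = [  # constructed, same shape as the report's entries
    f"File created C:\\Windows\\SysWOW64\\drivers\\{NOTE_AS_REPORTED} {PROC}",
    f"File created C:\\Windows\\Boot\\EFI\\ko-KR\\{NOTE_AS_REPORTED} {PROC}",
    f"File created C:\\Windows\\inf\\Windows Workflow Foundation 4.0.0.0\\0014\\{NOTE_AS_REPORTED} {PROC}",
    f"File opened for modification C:\\Windows\\SysWOW64\\drivers\\gmreadme.txt {PROC}",
    f"File opened for modification C:\\Windows\\Media\\Garden\\Windows Default.wav {PROC}",
]
SAMPLE_REG_EVENTS = [  # constructed, same shape as the report's entries
    rf"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd {PROC}",
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "CWAFIPTICWNLKOE" {PROC}',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\ = "CRYPTED!" {PROC}',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14Fc59lHJ6Lr98g.exe,0" {PROC}',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CWAFIPTICWNLKOE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14Fc59lHJ6Lr98g.exe" {PROC}',
]

FILE_ACTIONS = ("File created", "File opened for modification")
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def decode_note_name(name, codec="cp1251"):
    """Undo the report's mojibake: re-encode the Latin-1 rendering to bytes and
    decode those bytes as CP1251. Returns the input unchanged if that fails."""
    try:
        return name.encode("latin-1").decode(codec)
    except UnicodeError:
        return name


def parse_file_events(lines):
    """Return (action, path, process) tuples. Paths may contain spaces, so the
    process name is taken as the last space-separated token."""
    events = []
    for line in lines:
        for action in FILE_ACTIONS:
            if line.startswith(action + " "):
                path, proc = line[len(action) + 1:].rsplit(" ", 1)
                events.append((action, path, proc))
                break
    return events


def note_spray(events, min_dirs=MIN_DIRS):
    """Map each created file name to the directories it was created in, keeping
    only names seen in at least min_dirs distinct directories."""
    dirs = defaultdict(set)
    for action, path, _ in events:
        if action == "File created":
            directory, _, name = path.rpartition("\\")
            dirs[name].add(directory)
    return {name: d for name, d in dirs.items() if len(d) >= min_dirs}


def parse_reg_values(lines):
    """Return {key path: value} from 'Set value' entries. The report doubles the
    backslashes inside quoted values, so collapse them back to single ones."""
    values = {}
    for line in lines:
        m = SET_VALUE.match(line)
        if m:
            values[m.group(2)] = m.group(3).replace("\\\\", "\\")
    return values


def hijacked_extensions(values):
    """Follow each HKLM\\SOFTWARE\\Classes\\.<ext> default value to its ProgID and
    report the ProgID's type name, icon and shell\\open\\command handler."""
    findings = []
    for key, progid in values.items():
        if not (key.startswith(CLASSES + ".") and key.endswith("\\")):
            continue
        base = CLASSES + progid + "\\"
        command = values.get(base + "shell\\open\\command\\")
        findings.append({
            "extension": key[len(CLASSES):-1],
            "progid": progid,
            "type_name": values.get(base),
            "icon": values.get(base + "DefaultIcon\\"),
            "open_command": command,
            "handler_in_temp": bool(command and USER_WRITABLE.search(command)),
        })
    return findings


if __name__ == "__main__":
    for name, dirs in note_spray(parse_file_events(SAMPLE_FILE_EVENTS)).items():
        print(f"{len(dirs)} dirs: {name!r} -> {decode_note_name(name)!r}")
    for finding in hijacked_extensions(parse_reg_values(SAMPLE_REG_EVENTS)):
        print(finding)
```

Run it as a script to print the findings, or pass the functions the full lists from this report. On the entries above the note name recurs in every directory listed, and the only registered extension maps to a ProgID whose open command and DefaultIcon both point at 14Fc59lHJ6Lr98g.exe in the user's Temp directory, so opening any encrypted file launches that Temp-resident binary rather than a viewer.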
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe "C:\Users\Admin\AppData\Local\Temp\e5f67a8f1c6042110fe98d4943c04c5a2eabca922719354cf68b9e9cb849b923.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1380