Analysis
- max time kernel: 151s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 07-11-2022 04:32

Behavioral task behavioral1
- Sample: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
- Resource: win10v2004-20220812-en

General
- Target: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
- Size: 137KB
- MD5: 0db31955e3dc63769545a494d23cb356
- SHA1: 53799e1ba3cd3b2d24f225e7785864b54f7581aa
- SHA256: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5
- SHA512: 3efb45ea260e30815f28d8504b5c8cf6594e0df7f918d8ae849fb87b1f1fb9b9353ac2370e629cd854b0a5e1155f618e947c663c97670182a264f33631a34fd3
- SSDEEP: 3072:bUQvMazs2YGHHAhVd1nut+uV2mTVDjFwkWl176jZ1hCagdjvBl:XQ2rH6VdRQ/vqkg1gEagdjZ
Malware Config

Signatures
- Detected Xorist Ransomware (2 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/2036-55-0x0000000000400000-0x00000000004DB000-memory.dmp | family_xorist
    behavioral1/memory/2036-56-0x0000000000400000-0x00000000004DB000-memory.dmp | family_xorist
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
- Drops file in Drivers directory (8 IoCs)
  Process for all rows: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
  Ransom note filename: КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt (Russian, "HOW TO DECRYPT FILES.txt"; the name is cp1251-encoded, so sandbox output rendered as Latin-1 shows it as ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt)
  File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
  File created: C:\Windows\SysWOW64\drivers\it-IT\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\drivers\ja-JP\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\drivers\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\drivers\en-US\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\drivers\es-ES\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\drivers\fr-FR\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\drivers\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
- YARA rule upx matched (2 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/2036-55-0x0000000000400000-0x00000000004DB000-memory.dmp | upx
    behavioral1/memory/2036-56-0x0000000000400000-0x00000000004DB000-memory.dmp | upx
- Drops startup file (1 IoC)
  Process: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process for all rows: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe"
- Drops file in System32 directory (64 IoCs)
  Process for all rows: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
  File created: C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\hcw85c64.inf_amd64_neutral_96b71557b416d04a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmmega.inf_amd64_neutral_f9c441ed24f00358\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmsun1.inf_amd64_neutral_6184912bd8e5b438\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\Dism\en-US\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\Dism\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmoptn.inf_amd64_neutral_be2f30f68f2a5567\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\com\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmdp2.inf_amd64_neutral_ab710894455d7b9a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmnttte.inf_amd64_neutral_16d100fb6ba2e40f\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\adp94xx.inf_amd64_neutral_4928c8870f6a1577\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_neutral_99bb33c9a5bedaea\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\ph6xib64c0.inf_amd64_neutral_a43df8f7441e1c61\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\cs-CZ\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_neutral_bbcfca39fdc02275\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_neutral_7c21481229e1e66c\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_neutral_19cdebd3e1182874\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmcdp.inf_amd64_neutral_170c11f3a6d3f0a8\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_neutral_642a5ab3f2a1ae20\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_neutral_716a306ec3899e04\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmnis5t.inf_amd64_neutral_6c50ee5cb1ea2780\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_neutral_30b367f92ca46598\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmtdkj6.inf_amd64_neutral_8087946c82068597\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\ph3xibc10.inf_amd64_neutral_2c5d0c618dbfaf2a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_neutral_a53ac1a125d227fc\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mstape.inf_amd64_neutral_c2bb3ef1c45cd5a1\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseN\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmsmart.inf_amd64_neutral_829e8c7d1c8d5207\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
- Drops file in Program Files directory (64 IoCs)
  Process for all rows: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
  File created: C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\index.html
  File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html
  File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Microsoft Games\Minesweeper\it-IT\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG
  File created: C:\Program Files (x86)\Windows NT\TableTextService\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Microsoft.NET\RedistList\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows NT\Accessories\ja-JP\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg
  File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Mail\ja-JP\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg
  File created: C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Media Player\Network Sharing\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html
  File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Windows NT\Accessories\ja-JP\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\FormatApprove.html
  File opened for modification: C:\Program Files\OpenStep.3gp
  File created: C:\Program Files\DVD Maker\it-IT\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html
  File created: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html
  File created: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Windows Media Player\fr-FR\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\COPYING.txt
  File created: C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\NEWS.txt
  File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv
  File created: C:\Program Files\VideoLAN\VLC\lua\http\css\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\VideoLAN\VLC\lua\intf\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Common Files\Adobe AIR\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Windows Portable Devices\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
- Drops file in Windows directory (64 IoCs; the list is truncated on the page after the 52nd row)
  Process for all rows: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
  File opened for modification: C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp6.jpg
  File created: C:\Windows\IME\IMEJP10\DICTS\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.FormControl\14.0.0.0__71e9bce111e9429c\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_es_31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.resources\3.0.0.0_es_31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.resources\3.0.0.0_it_31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_64\WindowsFormsIntegra#\0cb1830849e0ce11c8985339523d5b63\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Panther\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\9a3936273fb6a2e93b67f53c605d69df\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\diagnostics\system\DeviceCenter\en-US\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_de_b77a5c561934e089\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Principal\v4.0_4.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg
  File created: C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0015\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile\v4.0_4.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\System.Web.Routing.resources\3.5.0.0_it_31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_64\mcepg\13b4ad00d1167ff3ed7d2a8e4994f1ff\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Help\mui\0C0A\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\inf\.NET CLR Networking\0411\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework64\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0\9.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net\5d99e71477e553552914ea6eadf6bdc0\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\0e4b3c951459254c78b0c1f9c52d8c9a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\System.AddIn\2.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\System.Transactions.resources\2.0.0.0_de_b77a5c561934e089\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\System.WorkflowServices.resources\3.5.0.0_de_31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9a3ab1594cf5cd52f0794b0a93a14b57\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\inf\.NET CLR Networking 4.0.0.0\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\inf\BITS\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\0407\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\Framework\v3.5\fr\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\06d363f8e85281d0f70f2c88d1a0e667\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\e66285eb011e4864314f3e4e4d6d8e40\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\diagnostics\system\Networking\de-DE\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activities\v4.0_4.0.0.0__31bf3856ad364e35\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\29c55874e34f9d5cd3ea739262f48adc\КАК (row cut off on the page)
ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\02d5be8209f0eac6f7725f8d83b87df6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\Speech\Engines\Lexicon\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\Boot\EFI\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\assembly\GAC_MSIL\System.EnterpriseServices.resources\2.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\dcc11202188c9fa2ba06359a04d4b43a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\diagnostics\system\Search\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\inf\BITS\0407\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe -
Modifies registry class 10 IoCs
Processes:
c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open\command c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe" c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\DefaultIcon c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.crypto\ = "WLBBZNKOEAWJDDA" c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\ = "CRYPTED!" c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe,0" c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.crypto c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
"C:\Users\Admin\AppData\Local\Temp\c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID: 2036