Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 04:32
Behavioral task: behavioral1
Sample: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Resource: win10v2004-20220812-en
General
Target: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
Size: 137KB
MD5: 0db31955e3dc63769545a494d23cb356
SHA1: 53799e1ba3cd3b2d24f225e7785864b54f7581aa
SHA256: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5
SHA512: 3efb45ea260e30815f28d8504b5c8cf6594e0df7f918d8ae849fb87b1f1fb9b9353ac2370e629cd854b0a5e1155f618e947c663c97670182a264f33631a34fd3
SSDEEP: 3072:bUQvMazs2YGHHAhVd1nut+uV2mTVDjFwkWl176jZ1hCagdjvBl:XQ2rH6VdRQ/vqkg1gEagdjZ
Malware Config
(no extracted configuration)

Signatures

Detected Xorist Ransomware 1 IoCs
Xorist is ransomware first seen in 2020.
Processes (resource, yara_rule):
- behavioral2/memory/3204-133-0x0000000000400000-0x00000000004DB000-memory.dmp (yara_rule: family_xorist)

UPX (yara rule match) 2 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/3204-132-0x0000000000400000-0x00000000004DB000-memory.dmp (yara_rule: upx)
- behavioral2/memory/3204-133-0x0000000000400000-0x00000000004DB000-memory.dmp (yara_rule: upx)
Drops startup file 1 IoCs
Processes (description, ioc; process for every entry: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc; process for every entry: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe"
Drops file in Program Files directory 64 IoCs
Processes (description, ioc; process for every entry: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe):
- File created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\0.jpg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\index.html
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Common Files\System\ado\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html
- File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Common Files\System\msadc\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\sr-spl.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Windows Media Player\Media Renderer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\capture\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\mng.txt
- File created: C:\Program Files\Common Files\microsoft shared\VGX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Common Files\System\msadc\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\VisualElements\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_dark.jpg
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\VideoLAN\VLC\plugins\meta_engine\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Drops file in Windows directory 64 IoCs
Processes (description, ioc; process for every entry: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe):
- File created: C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Graph\15.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\addins\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\1.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0\9.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0\9.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.Resources\3.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\SMDiagnostics.Resources\3.0.0.0_fr_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations.Resources\3.5.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations.Resources\3.5.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Sentinel.v3.5Client\3.5.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.Configuration.Resources\2.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0\9.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\SMDiagnostics.Resources\3.0.0.0_de_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\office\15.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.Resources\2.0.0.0_es_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.Core.Resources\3.5.0.0_ja_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\apppatch\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Resources\3.5.0.0_de_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\mscorlib.Resources\2.0.0.0_ja_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\PresentationFramework.Resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\sysglobl.Resources\2.0.0.0_es_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design.Resources\3.5.0.0_it_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0\10.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\PresentationCore.Resources\3.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\SMDiagnostics.Resources\3.0.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\SMDiagnostics.Resources\3.0.0.0_ja_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.Resources\3.5.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.SmartTag\15.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_es_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\ReachFramework.Resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Modifies registry class 10 IoCs
Processes (description, ioc; process for every entry: c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.crypto\ = "WLBBZNKOEAWJDDA"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\ = "CRYPTED!"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.crypto
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\DefaultIcon
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe,0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell
Processes
1. C:\Users\Admin\AppData\Local\Temp\c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5.exe"
   PID: 3204
   - Drops startup file
   - Adds Run key to start application
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class